FIPS Support
The Windchill RV&S server's SSL implementation can be configured to conform to the FIPS 140-2 standard. Windchill RV&S uses the bc-fips-1.0.1.jar (a module from Bouncy Castle ) for FIPS 140-2 compliance. The BC FIPS jar has been designed and implemented to meet FIPS 140-2, Level 1 requirements.
The FIPS 140-2 configuration is supported only for the following connections:
• Windchill RV&S client -Windchill RV&S server
• Windchill RV&S server-Windchill RV&S server
• Web browser-Windchill RV&S server
• Windchill RV&S Agent-Windchill RV&S server
• Windchill RV&S API (Java or C)-Windchill RV&S server
If you have not created a server certificate, follow the instructions provided in the Windchill RV&S documentation to create the certificate, have it signed, and import it into the Windchill RV&S server PKCS12 keystore:
<Windchill RV&S server installdir>/data/tls/certificate.p12
For more information on creating a server certificate, see
Creating Signed Server Certificates.
Perform the following steps to configure Windchill RV&S for FIPS:
1. Configure the Database server on SSL and obtain the public key certificate for the Database server. Import this certificate into the <ServerInstalldir>/data/tls/certificate.p12 keystore as a trusted certificate.
2. Configure additional parameters for the mks.dynamicPool.config property in the <ServerInstallDir>/config/properties/is.properties as follows:
mks.dynamicPool.config=url\=jdbc\:sqlserver\://<hostname>\:<port>;databaseName\=<dbname>;
selectMethod\=cursor;encrypt=true;fips=true;trustStoreType=PKCS12;fipsProvider=BCFIPS;
trustServerCertificate=false;hostNameInCertificate=<hostnameInCert>;trustStorePassword=<password>;
trustStore=<ServerInstallDir>/data/tls/certificate.p12,driver\=mks.frame.sql.jdbc.mssql.Driver,initialCapacity\=5,maxCapacity\=100,testTable\=VersionIdentity
3. Configure the Windchill RV&S server to use BC FIPS provider for SSL by adding the following property to the <ServerInstallDir>/config/properties/is.properties:
mksis.secure.provider=bcfips
4. Restart the Windchill RV&S server for the changes to take effect.
5. Modify the following lax files of standalone DB utilities such that the BC FIPS Provider is installed by these utilities:
◦ <ServerInstallDir>/bin/isutil.lax
◦ <ServerInstallDir>/bin/PatchServer.lax
◦ <ServerInstallDir>/bin/collectSupportPackage.lax
6. Ensure that the property security.overridePropertiesFile is set to true in the <JRE_INSTALL_DIR>/lib/security/java.security file.
7. Note the highest number in the property security.provider.N where N is the property number. For example, consider NN as this number.
8. Create a new text file. In this case assume the new text file is JavaSecurityFips.txt and add the following entry to the file:
security.provider.M=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider where M is NN+1.
9. Edit each of the aforementioned lax files as follows:
a. Add the path of the bc-fips-1.0.1.jar and bcprov-jdk15on-1.66 jar to the property lax.class.path. The path is :../server/mks/lib/bc-fips-1.0.1.jar:../server/mks/lib/bcprov-jdk15on-1.66.jar, which is relative to the location of the lax file.
b. Add a new argument -Djava.security.properties to the lax.nl.java.option additional property. Set its value to the location of the JavaSecurityFips file as follows:
lax.nl.java.option.additional=-Djava.security.properties=<location of JavaSecurityFips.txt>
10. In the mksservice.conf file, append the mks.java.classpath entries for the bc-fips-1.0.1.jar and bcprov-jdk15on-1.66.jar in the following order:
mks.java.classpath.xx=/<serverinstalldir>/server/mks/lib/bc-fips-1.0.1.jar
mks.java.classpath.xx=/<serverinstalldir>/server/mks/lib/bcprov-jdk15on-1.66.jar
Ensure that the numbers xx trailing the mks.java.classpath property are unique and not repeated anywhere in the mksservice.conf file.
After editing the mksservice.conf file, stop and restart the Windchill RV&S server.