FIPS Support
The Windchill RV&S server's SSL implementation can be configured to conform to the FIPS 140-2 standard. Windchill RV&S uses the bc-fips-1.0.2.jar (a module from Bouncy Castle) for FIPS 140-2 compliance. For TLSv1.3 support, Windchill RV&S uses the bctls-fips-1.0.11.jar. The BC FIPS jar has been designed and implemented to meet FIPS 140-2, Level 1 requirements.
The FIPS 140-2 configuration is supported only for the following connections:
Windchill RV&S client-Windchill RV&S server
Windchill RV&S server-Windchill RV&S server
Web browser-Windchill RV&S server
Windchill RV&S Agent-Windchill RV&S server
Windchill RV&S API (Java or C)-Windchill RV&S server
If you have not created a server certificate, follow the instructions provided in the Windchill RV&S documentation to create the certificate, have it signed, and import it into the Windchill RV&S server PKCS12 keystore:
<Windchill RV&S server installdir>/data/tls/certificate.p12
For more information on creating a server certificate, see Creating Signed Server Certificates.
Perform the following steps to configure Windchill RV&S for FIPS:
1. Configure the database server to use SSL and obtain the public key certificate for the database server. Import this certificate into the <ServerInstalldir>/data/tls/certificate.p12 keystore as a trusted certificate.
2. Configure additional parameters for the mks.dynamicPool.config property in the <ServerInstallDir>/config/properties/ as follows:
3. Configure the Windchill RV&S server to use the BC FIPS provider for SSL by adding the following property to the <ServerInstallDir>/config/properties/
4. Restart the Windchill RV&S server for the changes to take effect.
5. Modify the following lax files of standalone DB utilities such that the BC FIPS Provider is installed by these utilities:
6. Ensure that the property security.overridePropertiesFile is set to true in the <JDK_INSTALL_DIR>/lib/security/ file.
7. Find the highest number N used by the security.provider.N properties in that file. Refer to this number as NN.
8. Create a new text file, for example JavaSecurityFips.txt, and add the following entry to it:
security.provider.M=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
where M is NN+1.
9. Edit each of the aforementioned lax files as follows:
a. Add the path of the bc-fips-1.0.2.jar, bctls-fips-1.0.11.jar, and bcprov-jdk15on-1.69.jar to the property lax.class.path. The path is :../server/mks/lib/bc-fips-1.0.2.jar:../server/mks/lib/bcprov-jdk15on-1.69.jar, which is relative to the location of the lax file.
b. Add a new argument to the additional property. Set its value to the location of the JavaSecurityFips file as follows:
<location of JavaSecurityFips.txt>
10. In the mksservice.conf file, append the entries for the bc-fips-1.0.2.jar, bctls-fips-1.0.11.jar, and bcprov-jdk15on-1.69.jar in the following order:
<serverinstalldir>/server/mks/lib/bc-fips-1.0.2.jar
<serverinstalldir>/server/mks/lib/bcprov-jdk15on-1.69.jar
Ensure that the numbers xx trailing the property are unique and not repeated anywhere in the mksservice.conf file.
After editing the mksservice.conf file, stop and restart the Windchill RV&S server.
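Steps 6 to 8 can be scripted so that the provider number is derived from the file rather than read by eye. The following is an added example, not PTC tooling: it takes the path of the JDK security properties file from step 6 as its argument, checks security.overridePropertiesFile, and prints the entry for JavaSecurityFips.txt. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: compute the JavaSecurityFips.txt entry (steps 6-8).
# Function names and the sample properties content are constructed.

FIPS_PROVIDER=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

# Highest N among active (uncommented) security.provider.N lines; 0 if none.
highest_provider_index() {
    awk -F= 'BEGIN { max = 0 }
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            n = $1; gsub(/[^0-9]/, "", n)
            if (n + 0 > max) max = n + 0
        }
        END { print max }' "$1"
}

# Step 6 check: succeeds only when the last active setting is "true".
override_enabled() {
    awk -F= '/^[ \t]*security\.overridePropertiesFile[ \t]*=/ {
            v = $2; gsub(/[ \t\r]/, "", v)
        }
        END { exit (v == "true" ? 0 : 1) }' "$1"
}

# Steps 7-8: print the line for JavaSecurityFips.txt, where M is NN+1.
fips_provider_entry() {
    override_enabled "$1" || { echo "security.overridePropertiesFile is not true in $1" >&2; return 1; }
    nn=$(highest_provider_index "$1")
    [ "$nn" -gt 0 ] || { echo "no security.provider.N lines in $1" >&2; return 1; }
    echo "security.provider.$((nn + 1))=$FIPS_PROVIDER"
}

# Constructed sample of a JDK security properties file (not from a real install).
write_sample() {
    cat > "$1" <<'EOF'
# security.provider.99=Commented.Out
security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.12=JdkSASL
security.provider.13=SunPKCS11
security.overridePropertiesFile=true
EOF
}

sample=$(mktemp)
write_sample "$sample"
fips_provider_entry "$sample"   # prints the security.provider.14 entry
rm -f "$sample"
```

Commented-out provider lines are ignored, and the function refuses to print an entry when the override setting from step 6 is not true, since the JDK would then ignore JavaSecurityFips.txt.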
