IBM App Connect Enterprise (ACE) uses several cryptography providers to talk to various endpoints, for example, JVM for HTTP Request et al, OpenSSL for HTTPInput, Node.js, Switchserver, and the GSKit for MQ.
This article focuses particularly on outbound connections that use JVM for cryptography and JRE version 1.8. In order to get closer to the FIPS compliance, the JVM needs to be configured to limit the ciphers used. We talk about the steps required to put the JVM in FIPS mode when App Connect Enterprise is running in containers.
What is FIPS
FIPS is a security standard adopted by the U.S. federal government. It defines that the network communication should be encrypted and supplies the set of cryptography algorithms which are suitable for such use.
Enabling FIPS mode for JRE 1.8
The IBM JRE shipped with ACE can be configured in “FIPS mode” which makes it operate according to FIP140-2. This includes reducing the allowed ciphers to ciphers deemed secure by that standard. You enable FIPS mode by setting properties and updating the java.security file. You do not need to make changes to the application to support IBMJSSE2 running in FIPS mode.
To enable the functionality the `java.security` file (in the [Install dir]/common/jdk/jre/lib/security/ directory) needs to be updated to prefer the IBMJCEPlusFIPS provider over the `IBMJCE` provider as shown below:
For more information and detailed instructions go to: https://www.ibm.com/docs/en/sdk-java-technology/8?topic=provider-running-ibmjsse2-in-fips-mode.
In an on-prem VM based installation of App Connect Enterprise v12, you can edit the java.security file by navigating to the directory under the ACE installation path and updating it with the above order of security providers. However, in container world, the images are immutable, and hence a different approach is required to provide an updated java.security file to the JVM during Integration Server/Integration Runtime startup. The following section describes one such approach.
Passing a modified java.security file to App Connect in containers
- Make a copy of the java.security file and store it in a temporary location on your system.
- Edit it such that com.ibm.crypto.plus.provider.IBMJCEPlusFIPS appears before com.ibm.crypto.provider.IBMJCE as shown in the section above.
- Save the file.
Now, let’s look at the steps to pass this file to an Integration Server running under App Connect Operator in Cloud Pak for Integration (CP4I).
We will need to create two configurations
Note: These configurations steps are applicable to all the outbound transports like Kafka, MQTT, TCPIP, HTTP Outbound (HTTPRequest , Rest Request, Async Request ..) that use JRE for cryptography.
Message flow configuration
To test this we use two simple flows :
- A simple client flow having an HTTPRequest node as shown below deployed to a Integration Server.
The HTTPRequest node is configured to invoke an HTTPS service with SSL protocol TLSv1.2.
- The SSL enabled HTTP Server flow is deployed to another Integration Server in the same cluster.
We configure the HTTP Server flow with the restricted CipherSuite (in server.conf.yaml) as below
Testing the message flow
To verify that the JVM is running in FIPS mode and is using the updated java.security file and correct FIPS security provider you can enable JSSE trace on the IS running client flow (i.e. the one with HTTPRequest node). You should be able to see the following entries:
UTC|Thread.java:1178|IBMJSSE2 will use FIPS provider IBMJCEPlusFIPS
UTC|Thread.java:1178|Produced ClientHello handshake message
UTC|Thread.java:1178|Consuming ServerHello handshake message
UTC|Thread.java:1178|JsseJCE: Using SecureRandom SHA2DRBG from provider IBMJCEPlusFIPS version 1.8
UTC|Thread.java:1178|SSLCipher: Using cipher for encrypt 4 AES/GCM/NoPadding from provider from init IBMJCEPlusFIPS version 1.8
This confirms that the JVM has picked up the updated java.security file and that the JVM is running in FIPS mode. It is also possible to use similar method of customized java.security file and server.conf.yaml to set JVM in a FIPS compliance manner for an on-prem VM based deployment of ACE.