Running App Connect Enterprise in Containers by configuring IBM JRE in FIPS compliance mode

By AMAR SHAH posted Mon November 27, 2023 09:21 AM

  

IBM App Connect Enterprise (ACE) uses several cryptography providers to talk to various endpoints: for example, the JVM for HTTP Request et al., OpenSSL for HTTPInput, Node.js, Switchserver, and GSKit for MQ.

This article focuses on outbound connections that use the JVM for cryptography with JRE version 1.8. To get closer to FIPS compliance, the JVM needs to be configured to limit the ciphers it uses. We walk through the steps required to put the JVM in FIPS mode when App Connect Enterprise is running in containers.

What is FIPS

FIPS is a security standard adopted by the U.S. federal government. It requires that network communication be encrypted and specifies the set of cryptographic algorithms that are suitable for such use.

Enabling FIPS mode for JRE 1.8

The IBM JRE shipped with ACE can be configured in “FIPS mode”, which makes it operate according to FIPS 140-2. This includes reducing the allowed ciphers to those deemed secure by that standard. You enable FIPS mode by setting properties and updating the java.security file. You do not need to make changes to the application to support IBMJSSE2 running in FIPS mode.

To enable the functionality, the `java.security` file (in the [Install dir]/common/jdk/jre/lib/security/ directory) needs to be updated to prefer the `IBMJCEPlusFIPS` provider over the `IBMJCE` provider, as shown below:

security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus
security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
security.provider.6=com.ibm.security.cert.IBMCertPath
security.provider.7=com.ibm.security.sasl.IBMSASL
security.provider.8=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.9=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.11=sun.security.provider.Sun 


For more information and detailed instructions go to: https://www.ibm.com/docs/en/sdk-java-technology/8?topic=provider-running-ibmjsse2-in-fips-mode.

In an on-prem, VM-based installation of App Connect Enterprise v12, you can edit the java.security file by navigating to the directory under the ACE installation path and updating it with the above order of security providers. In the container world, however, images are immutable, so a different approach is required to provide an updated java.security file to the JVM during Integration Server/Integration Runtime startup. The following section describes one such approach.

Passing a modified java.security file to App Connect in containers

  • Make a copy of the java.security file and store it in a temporary location on your system.
  • Edit it such that com.ibm.crypto.plus.provider.IBMJCEPlusFIPS appears before com.ibm.crypto.provider.IBMJCE as shown in the section above.
  • Save the file.
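
A pre-deployment check for the edited file, as an added example that is not part of the original article: it parses the `security.provider.N` entries and reports when `IBMJCEPlusFIPS` is absent or listed after `IBMJCE`. The function name and sample inputs are constructed for illustration, and flagging numbering gaps assumes the standard JDK behaviour of reading providers from slot 1 until the first missing index.

```python
import re

FIPS = "com.ibm.crypto.plus.provider.IBMJCEPlusFIPS"
JCE = "com.ibm.crypto.provider.IBMJCE"
ENTRY = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)")

def check_provider_order(text):
    """Return a list of problems in java.security content; empty means OK."""
    problems, slots = [], {}
    for line in text.splitlines():
        m = ENTRY.match(line)  # lines commented out with '#' do not match
        if not m:
            continue
        n, cls = int(m.group(1)), m.group(2)
        if n in slots:
            problems.append(f"duplicate: slot {n} is defined twice")
        slots[n] = cls  # as in a properties file, the later definition wins
    # Assumption: providers are read from slot 1 upward and the first
    # missing number ends the list, so later entries are silently ignored.
    loaded = []
    while len(loaded) + 1 in slots:
        loaded.append(slots[len(loaded) + 1])
    for n in sorted(k for k in slots if k > len(loaded)):
        problems.append(f"gap: slot {n} ({slots[n]}) is never loaded")
    if FIPS not in loaded:
        problems.append("missing: IBMJCEPlusFIPS is not among the loaded providers")
    elif JCE in loaded and loaded.index(JCE) < loaded.index(FIPS):
        problems.append("order: IBMJCE is listed before IBMJCEPlusFIPS")
    return problems

# Constructed inputs: the first four entries of the order shown above, and a
# hand-edited variant that swaps the two providers and skips slot 3.
GOOD = """\
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus
"""
BAD = """\
security.provider.1=com.ibm.crypto.provider.IBMJCE
#security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.plus.provider.IBMJCEPlusFIPS
security.provider.4=com.ibm.crypto.plus.provider.IBMJCEPlus
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_provider_order(text) or "OK")
```

Run it against the copy of java.security before zipping it into the generic configuration.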

Now, let’s look at the steps to pass this file to an Integration Server running under the App Connect Operator in Cloud Pak for Integration (CP4I).
We will need to create two configurations:

  • Generic configuration
    Using this configuration type you can pass the modified java.security file to the container in a zipped format.  The generic object gets unpacked in the /home/aceuser/generic folder inside the container.
  • Server.conf.yaml configuration
    As we want to use the modified java.security file, you can override the default java.security file by setting the 'java.security.properties' system property to point to a new properties file as part of the JVM invocation. We do this by setting:
    java.security.properties==/home/aceuser/generic/java.security

    (Notice the *two* equal signs: with `==` the JVM uses this file in place of the default java.security instead of merging it on top of the defaults, which is why it must be a complete copy.)

    Additionally, set the following system properties to enable FIPS mode in the IBMJSSE2 provider and to name the FIPS provider:

    com.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
    com.ibm.jsse2.usefipsprovider=true

    So finally, we have the following set of JVM system properties to be set in the server.conf.yaml:

    jvmSystemProperty: '-Djava.security.properties==/home/aceuser/generic/java.security -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS -Dcom.ibm.jsse2.usefipsprovider=true -Djavax.net.debug=all'

    You can further add keystore and truststore configuration parameters to the JVM resource manager. The server.conf.yaml will look like this:

    ResourceManagers:
      JVM:
        truststoreType: 'JKS'
        truststoreFile: '/home/aceuser/truststores/cp4i-truststore.jks'
        truststorePass: 'truststore::truststorepass'
        jvmSystemProperty: '-Djava.security.properties==/home/aceuser/generic/java.security -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS -Dcom.ibm.jsse2.usefipsprovider=true -Djavax.net.debug=all'

Note: These configuration steps are applicable to all the outbound transports, such as Kafka, MQTT, TCPIP and HTTP Outbound (HTTPRequest, Rest Request, Async Request, ...), that use the JRE for cryptography.

Message flow configuration

To test this, we use two simple flows:

  1. A simple client flow containing an HTTPRequest node, deployed to an Integration Server.

    [Figure: a simple client flow having an HTTPRequest node]

    The HTTPRequest node is configured to invoke an HTTPS service with SSL protocol TLSv1.2.

    [Figure: HTTPRequest node properties]

  2. The SSL-enabled HTTP Server flow is deployed to another Integration Server in the same cluster.

    [Figure: SSL-enabled HTTP Server flow (HTTPInput1)]

    We configure the HTTP Server flow with a restricted CipherSuite (in server.conf.yaml) as below:

    ResourceManagers:
      HTTPSConnector:
       CipherSpec: 'ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384'

Testing the message flow

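To verify that the JVM is running in FIPS mode, is using the updated java.security file, and has selected the correct FIPS security provider, enable JSSE trace on the Integration Server running the client flow (i.e. the one with the HTTPRequest node). The -Djavax.net.debug=all option in the jvmSystemProperty shown earlier turns this trace on; it is verbose, so remove it once FIPS mode is confirmed. You should be able to see the following entries: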

javax.net.ssl|ALL|20|Thread-14|2023-10-28 18:59:54.368 UTC|Thread.java:1178|IBMJSSE2 will use FIPS provider IBMJCEPlusFIPS

javax.net.ssl|FINE|20|Thread-14|2023-10-28 18:59:57.763 UTC|Thread.java:1178|Produced ClientHello handshake message

javax.net.ssl|FINE|20|Thread-14|2023-10-28 18:59:57.859 UTC|Thread.java:1178|Consuming ServerHello handshake message

javax.net.ssl|FINE|20|Thread-14|2023-10-28 18:59:54.757 UTC|Thread.java:1178|JsseJCE: Using SecureRandom SHA2DRBG from provider IBMJCEPlusFIPS version 1.8

javax.net.ssl|FINE|20|Thread-14|2023-10-28 18:59:58.268 UTC|Thread.java:1178|SSLCipher: Using cipher for encrypt 4 AES/GCM/NoPadding from provider from init IBMJCEPlusFIPS version 1.8
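
The same verification can be scripted over a captured trace. The following is an added example, not part of the original article: it looks for the FIPS provider banner and checks that every "from provider" entry names `IBMJCEPlusFIPS`. The function name and both sample traces are constructed, the first modelled on the entries above.

```python
import re

RECORD = re.compile(r"^(?=javax\.net\.ssl\|)", re.M)
BANNER = re.compile(r"IBMJSSE2 will use FIPS provider (\S+)")
PROVIDER = re.compile(r"from provider(?: from init)? (\S+) version")

def check_fips_trace(trace, expected="IBMJCEPlusFIPS"):
    """Summarise which JCE providers a JSSE trace reports and whether
    only the expected FIPS provider was used."""
    banner, used = None, set()
    for record in RECORD.split(trace):
        # A record can be wrapped after the timestamp; rejoin it first.
        text = " ".join(record.split())
        m = BANNER.search(text)
        if m:
            banner = m.group(1)
        used.update(PROVIDER.findall(text))
    return {
        "banner": banner,
        "providers": sorted(used),
        # Pass only if the banner names the FIPS provider and every crypto
        # primitive in the trace came from it (and at least one was logged).
        "ok": banner == expected and used == {expected},
    }

# Constructed samples: the first follows the entries shown above (including
# a wrap after the timestamp); the second is a made-up negative case.
FIPS_TRACE = """\
javax.net.ssl|ALL|20|Thread-14|2023-10-28 18:59:54.368
UTC|Thread.java:1178|IBMJSSE2 will use FIPS provider IBMJCEPlusFIPS
javax.net.ssl|FINE|20|Thread-14|2023-10-28 18:59:54.757 UTC|Thread.java:1178|JsseJCE: Using SecureRandom SHA2DRBG from provider IBMJCEPlusFIPS version 1.8
javax.net.ssl|FINE|20|Thread-14|2023-10-28 18:59:58.268 UTC|Thread.java:1178|SSLCipher: Using cipher for encrypt 4 AES/GCM/NoPadding from provider from init IBMJCEPlusFIPS version 1.8
"""
NON_FIPS_TRACE = """\
javax.net.ssl|FINE|20|Thread-14|2023-10-28 18:59:58.268 UTC|Thread.java:1178|SSLCipher: Using cipher for encrypt 4 AES/GCM/NoPadding from provider from init IBMJCE version 1.8
"""

if __name__ == "__main__":
    print(check_fips_trace(FIPS_TRACE))
    print(check_fips_trace(NON_FIPS_TRACE))
```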

Conclusion

This confirms that the JVM has picked up the updated java.security file and that the JVM is running in FIPS mode. It is also possible to use a similar method, with a customized java.security file and server.conf.yaml, to configure the JVM in a FIPS-compliant manner for an on-prem, VM-based deployment of ACE.

