WebSphere Enterprise 8.5.5.3 with FIPS SP800-131 and TLS 1.2

Owned by Tran Tang
Last updated: Jul 12, 2019 by Eric McDonald
2 min read

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths


1.  Click Security > SSL certificate and key management > Manage FIPS
2.  Select the Enable SP800-131 radio button.
3.  Select the Transition radio button.
     a. You have the choice to change the protocols in SSL configuration to TLSv1.2 by optionally selecting the 
         Update the SSL configuration to require TLSv1.2 box. If you do not select this box, all SSL configurations are set to TLS.
4.  Click Apply/Save.
5.  If your server is enabled with Dynamic SSL Updating, edit the ssl.client.props file and change the com.ibm.ssl.protocol property to have the same protocol you
     configured the server to have before you restart the server. When these changes are applied, and the server is restarted,
     all of the SSL configuration on the server are modified to use the TLS or TLSv1.2 protocol, and the com.ibm.jsse2.sp800-131 system property
     is set to transition. The SSL configuration uses the appropriate SSL ciphers for the standard.
6   Click Server > Server Types > WebSphere application servers and then click server1 to open it.
7.  Under Server Infrastructure, click Java and Process Management > Process definition.
8.  Under Additional Properties, click Java Virtual Machine.
9.  Under Generic JVM arguments, enter -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
10.Click OK and save directly to the master configuration. 
11. Restart the application server.

Test conclusions

  • In transition mode, selecting TLS version from the WAS console drop-down list is SUPPOSED to set TLS version as both client and server but is only setting it as a server (selecting 1.2 - still attempted client hello with 1.0)
  • In transition mode, https.protocols had to be set to TLS 1.2 to attempt client hello with TLS 1.2 (validation suite passed in loopback mode)
  • In strict mode - there's an error - "Only TLS1.2 protocol can be enabled in SP800_131 strict mode" - even thought https.protocols is still set to 1.2. This looks like strict mode ignores https.protocols but isn't able to get the IBM JDK 1.7 to attempt a client hello with TLS 1.2

CONCLUSION: FIPS SP800-131 is fine in transition mode as it supports TLS 1.2 and longer key lengths. Strict mode merely enforces the use of TLS 1.2 and that does not seem to be functioning at the time of this testing.