diff --git a/dev/com.ibm.ws.crypto.common/src/com/ibm/ws/crypto/common/FipsUtils.java b/dev/com.ibm.ws.crypto.common/src/com/ibm/ws/crypto/common/FipsUtils.java index a7070b48595..b6ea9bc5606 100644 --- a/dev/com.ibm.ws.crypto.common/src/com/ibm/ws/crypto/common/FipsUtils.java +++ b/dev/com.ibm.ws.crypto.common/src/com/ibm/ws/crypto/common/FipsUtils.java @@ -26,11 +26,26 @@ public class FipsUtils { static String FIPSLevel = getFipsLevel(); + public static String getProperty(final String prop, final String defaultValue) { + return AccessController.doPrivileged(new PrivilegedAction() { + @Override + public String run() { + return System.getProperty(prop, defaultValue); + } + }); + } + static String getFipsLevel() { String fipsLevel = AccessController.doPrivileged(new PrivilegedAction() { @Override public String run() { String propertyValue = System.getProperty("com.ibm.fips.mode"); + if (propertyValue == null) { + String result = System.getProperty("global.fips_140-3"); + if ("true".equalsIgnoreCase(result)) { + propertyValue = "140-3"; + } + } return (propertyValue == null) ? "disabled" : propertyValue.trim().toLowerCase(); } }); @@ -40,7 +55,7 @@ public String run() { return fipsLevel; } - static boolean isSemeruFips() { + public static boolean isSemeruFips() { boolean result = false; String semeruFips = AccessController.doPrivileged(new PrivilegedAction() { @Override diff --git a/dev/com.ibm.ws.ssl/src/com/ibm/websphere/ssl/Constants.java b/dev/com.ibm.ws.ssl/src/com/ibm/websphere/ssl/Constants.java index c48919d16e3..fddd5894ede 100644 --- a/dev/com.ibm.ws.ssl/src/com/ibm/websphere/ssl/Constants.java +++ b/dev/com.ibm.ws.ssl/src/com/ibm/websphere/ssl/Constants.java @@ -213,7 +213,7 @@ private Constants() { public static final String IBMJCE = "com.ibm.crypto.provider.IBMJCE"; public static final String IBMJCE_NAME = "IBMJCE"; public static final String IBMJCEFIPS = "com.ibm.crypto.fips.provider.IBMJCEFIPS"; - public static final String IBMJCEPlusFIPS = "com.ibm.crypto.fips.provider.IBMJCEPlusFIPS"; + public static final String IBMJCEPlusFIPS = "com.ibm.crypto.plus.fips.provider.IBMJCEPlusFIPS"; public static final String IBMJCEFIPS_NAME = "IBMJCEFIPS"; public static final String IBMJCEPlusFIPS_NAME = "IBMJCEPlusFIPS"; public static final String IBMJSSE2 = "com.ibm.jsse2.IBMJSSEProvider2"; diff --git a/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/JSSEProviderFactory.java b/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/JSSEProviderFactory.java index 147624f1779..e8b2cb167d5 100644 --- a/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/JSSEProviderFactory.java +++ b/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/JSSEProviderFactory.java @@ -414,6 +414,7 @@ public static void initializeFips() throws Exception { // throw e; // } // } + if (!fipsInitialized) { //TODO: maybe check the provider list to make sure we have the right order of the provider. // IBM JDK: IBMJSEE2, IBMJCEPlusFips diff --git a/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/provider/AbstractJSSEProvider.java b/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/provider/AbstractJSSEProvider.java index 3d7c709bb7e..d50cd4086f8 100644 --- a/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/provider/AbstractJSSEProvider.java +++ b/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/provider/AbstractJSSEProvider.java @@ -25,6 +25,8 @@ import java.security.PrivilegedAction; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; +import java.security.Provider; +import java.security.Security; import java.security.UnrecoverableKeyException; import java.util.ArrayList; import java.util.Collection; @@ -115,13 +117,26 @@ protected void initialize(String keyMgr, String trustMgr, String cxtProvider, St this.keyStoreProvider = keyProvider; this.socketFactory = factory; this.defaultProtocol = protocolType; - if (tc.isDebugEnabled()) { - Tr.debug(tc, "contextProvider: " + contextProvider); - Tr.debug(tc, "defaultProtocol: " + defaultProtocol); + Tr.entry(tc, "initialize ", keyMgr, trustMgr, cxtProvider, keyProvider); + } + + if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) { + String javaSecurityFile = AccessController.doPrivileged(new PrivilegedAction() { + @Override + public String run() { + return Security.getProperty("java.security.policy"); + } + }); + + Tr.debug(tc, "java security policy file: " + javaSecurityFile); + Provider[] provider_list = Security.getProviders(); + for (int i = 0; i < provider_list.length; i++) { + Tr.debug(tc, "Provider[" + i + "]: " + provider_list[i].getName() + ", info: " + provider_list[i].getInfo()); + } } if (FipsUtils.isFIPSEnabled()) { - if (FipsUtils.isFips140_3Enabled()) { + if (FipsUtils.isFips140_2Enabled() || FipsUtils.isFips140_3Enabled()) { if (CryptoProvider.isIBMJCEPlusFIPSAvailable() || CryptoProvider.isOpenJCEPlusFIPSAvailable()) { try { com.ibm.ws.ssl.JSSEProviderFactory.initializeFips(); diff --git a/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/provider/IBMJSSEProvider.java b/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/provider/IBMJSSEProvider.java index 288ac7d808e..55bb1db81da 100644 --- a/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/provider/IBMJSSEProvider.java +++ b/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/provider/IBMJSSEProvider.java @@ -77,24 +77,32 @@ public IBMJSSEProvider() { // initialize(JSSEProviderFactory.getKeyManagerFactoryAlgorithm(), JSSEProviderFactory.getTrustManagerFactoryAlgorithm(), Constants.IBMJSSE2_NAME, null, // Constants.SOCKET_FACTORY_WAS_DEFAULT, null, Constants.PROTOCOL_SSL_TLS_V2); // } + String protocol = Constants.PROTOCOL_SSL; + if (FipsUtils.isFIPSEnabled() && CryptoProvider.isIBMJCEPlusFIPSAvailable()) { + protocol = Constants.PROTOCOL_TLS; + } - if (FipsUtils.isFIPSEnabled()) { - if (CryptoProvider.isIBMJCEPlusFIPSAvailable() || CryptoProvider.isOpenJCEPlusFIPSAvailable()) { - initialize(JSSEProviderFactory.getKeyManagerFactoryAlgorithm(), JSSEProviderFactory.getTrustManagerFactoryAlgorithm(), Constants.IBMJSSE2_NAME, null, - Constants.SOCKET_FACTORY_WAS_DEFAULT, null, Constants.PROTOCOL_TLS); - } - //TODO - do we want to fallback to other provider or use the JDK default provider ?? +// if (FipsUtils.isFIPSEnabled()) { +// initialize(JSSEProviderFactory.getKeyManagerFactoryAlgorithm(), JSSEProviderFactory.getTrustManagerFactoryAlgorithm(), Constants.IBMJSSE2_NAME, null, +// Constants.SOCKET_FACTORY_WAS_DEFAULT, null, Constants.PROTOCOL_TLS); +// +// //TODO - do we want to fallback to other provider or use the JDK default provider ?? +// +// } else { +// if (tc.isDebugEnabled()) { +// Tr.debug(tc, "protocol: " + Constants.PROTOCOL_SSL_TLS_V2); +// } +// initialize(JSSEProviderFactory.getKeyManagerFactoryAlgorithm(), JSSEProviderFactory.getTrustManagerFactoryAlgorithm(), Constants.IBMJSSE2_NAME, null, +// Constants.SOCKET_FACTORY_WAS_DEFAULT, null, Constants.PROTOCOL_SSL_TLS_V2); +// } - } else { - if (tc.isDebugEnabled()) { - Tr.debug(tc, "protocol: " + Constants.PROTOCOL_SSL_TLS_V2); - } + if (CryptoProvider.isIBMJCEPlusFIPSAvailable()) { initialize(JSSEProviderFactory.getKeyManagerFactoryAlgorithm(), JSSEProviderFactory.getTrustManagerFactoryAlgorithm(), Constants.IBMJSSE2_NAME, null, - Constants.SOCKET_FACTORY_WAS_DEFAULT, null, Constants.PROTOCOL_SSL_TLS_V2); + Constants.SOCKET_FACTORY_WAS_DEFAULT, null, protocol); } if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) { - Tr.debug(tc, "Created an IBM JSSE provider"); + Tr.debug(tc, "Created an IBM JSSE provider with protocol " + protocol); } } diff --git a/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/provider/SunJSSEProvider.java b/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/provider/SunJSSEProvider.java index 51854c721b6..955b6ecb9f6 100644 --- a/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/provider/SunJSSEProvider.java +++ b/dev/com.ibm.ws.ssl/src/com/ibm/ws/ssl/provider/SunJSSEProvider.java @@ -4,7 +4,7 @@ * are made available under the terms of the Eclipse Public License 2.0 * which accompanies this distribution, and is available at * http://www.eclipse.org/legal/epl-2.0/ - * + * * SPDX-License-Identifier: EPL-2.0 * * Contributors: @@ -17,6 +17,7 @@ import com.ibm.websphere.ras.TraceComponent; import com.ibm.websphere.ssl.Constants; import com.ibm.websphere.ssl.JSSEProvider; +import com.ibm.ws.crypto.common.FipsUtils; import com.ibm.ws.ssl.JSSEProviderFactory; /** @@ -24,7 +25,7 @@ *

* This is the SunJSSE JSSEProvider implementation used for the pluggable client. *

- * + * * @author IBM Corporation * @version WAS 7.0 * @since WAS 7.0 @@ -37,10 +38,16 @@ public class SunJSSEProvider extends AbstractJSSEProvider implements JSSEProvide */ public SunJSSEProvider() { super(); + String protocol = Constants.PROTOCOL_SSL; + if (FipsUtils.isFIPSEnabled() && FipsUtils.isSemeruFips()) { + protocol = Constants.PROTOCOL_TLS; + } + initialize(JSSEProviderFactory.getKeyManagerFactoryAlgorithm(), JSSEProviderFactory.getTrustManagerFactoryAlgorithm(), Constants.SUNJSSE_NAME, null, - "com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl", null, Constants.PROTOCOL_SSL); + "com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl", null, protocol); + if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) { - Tr.debug(tc, "Created a Sun JSSE provider"); + Tr.debug(tc, "Created a Sun JSSE provider with protocol " + protocol); } }