Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 12 HTTP, HTTPS, and HTTPSCA Transports : FIPS Mode Support

FIPS Mode Support
The Federal Information Processing Standard (FIPS 140-2) is a standard that specifies enhanced security requirements for complying applications.
To support the FIPS mode, you can configure TIBCO BusinessConnect as follows:
TIBCO Administrator
For the inbound HTTPS transports, set the bc.security.restrictVersion property to TLSv1 in System Settings > Activated Protocol Plug-ins and Properties > BC.
For the outbound HTTPS transports configured on partners, clear the Can Use SSLv3 check box. Also, you are required to upload the certificate with the proper Subject Common Name or Subject Alternative Name, as the host name gets verified in the FIPS mode.
For the intercomponent and secured private process JMS transports, the Verify JMS Server flag must be set. In addition, the following configuration is required in the EMS server factories.conf file for the SSL connection factories. The configuration below is for the EMS sample certificates; use the appropriate values for ssl_trusted and ssl_expected_hostname in your environment.
 
[SSLQueueConnectionFactory]
type = queue
url = ssl://7243
ssl_verify_host = enabled
ssl_trusted = ../samples/certs/server_root.cert.pem
ssl_expected_hostname = server
 
[SSLTopicConnectionFactory]
type = topic
url = ssl://7243
ssl_verify_host = enabled
ssl_trusted = ../samples/certs/server_root.cert.pem
ssl_expected_hostname = server
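
The following Python script is an added example, not part of the TIBCO documentation or product. It audits the text of a factories.conf file and reports each SSL connection factory that lacks the settings shown above; the function name audit_factories and the sample content are constructed for illustration, and treating an absent ssl_verify_host as a finding is an assumption of this example.

```python
import configparser

def audit_factories(conf_text):
    """Return {factory name: [problems]} for SSL factories missing the settings."""
    # Only "=" separates key and value, so "ssl://..." is never split on ":".
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(conf_text)
    findings = {}
    for name in parser.sections():
        section = parser[name]
        urls = [u.strip().lower() for u in section.get("url", "").split(",")]
        if not any(u.startswith("ssl://") for u in urls):
            continue  # not an SSL factory: outside what this check covers
        problems = []
        # Assumption of this example: the setting must be present explicitly.
        if section.get("ssl_verify_host", "").strip().lower() != "enabled":
            problems.append("ssl_verify_host is not explicitly enabled")
        for key in ("ssl_trusted", "ssl_expected_hostname"):
            if not section.get(key, "").strip():
                problems.append(f"{key} is not set")
        if problems:
            findings[name] = problems
    return findings

# Constructed sample: the first factory is the one shown on this page, the
# second was altered to fail the check, the third is a non-SSL factory.
SAMPLE = """\
[SSLQueueConnectionFactory]
type = queue
url = ssl://7243
ssl_verify_host = enabled
ssl_trusted = ../samples/certs/server_root.cert.pem
ssl_expected_hostname = server

[SSLTopicConnectionFactory]
type = topic
url = ssl://7243
ssl_verify_host = disabled
ssl_trusted = ../samples/certs/server_root.cert.pem

[QueueConnectionFactory]
type = queue
url = tcp://7222
"""

if __name__ == "__main__":
    for factory, problems in audit_factories(SAMPLE).items():
        for problem in problems:
            print(f"[{factory}] {problem}")
```
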
Interior Server
You are required to set the following properties in one or more deployed engines' tra files:
java.property.TIBCO_SECURITY_VENDOR=bcfips
java.property.org.bouncycastle.rsa.allow_multi_use=true
Gateway Server
You can set the desired FIPS-compliant ciphers as a comma-separated list in the gsengine.tra files as follows:
java.property.https.cipherSuites=<comma separated list>
For more details about the algorithms supported in FIPS, see https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf
The actual cipher names should follow the Java specifications. For more information about the ciphers supported by Java 8, see the Cipher Suites section in https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
Configuring Internal Key and Certificates for FIPS
The large file transfer (DDTP) and monitoring (JMX) channels use a secure SSL connection, and the key and certificates are created during installation without any user intervention. However, because host name verification is mandatory in FIPS mode, the subject name of the generated certificate must match the host names of all the deployed Gateway engines. To achieve this, perform the following steps:
1.
2.
3.
The value of the bc.gs.cert.fqdn property can be a comma-separated list of IP addresses, host names, wildcard domain names, or a combination of all three.
For example:
bc.gs.cert.fqdn=10.0.2.15,10.0.2.16
bc.gs.cert.fqdn=host.abc.com
bc.gs.cert.fqdn=*.abc.com,10.0.2.16
The values should match the canonical host name of one or more Gateway Server machines. This can be seen in the Gateway Server instances page after the Gateway Server runs in the normal mode.
Typically, it is the fully qualified host name, for which the wildcard domain name should suffice. In development environments that use virtual machines without fully qualified host names, the explicit IP address or host name is required.
 
