
Enabling FIPS Compliance
You can enable TIBCO Enterprise Message Service to run in compliance with Federal Information Processing Standard (FIPS), Publication 140-2.
Enabling the EMS Server
The EMS server supports FIPS compliance only on Windows, Linux, and Solaris 10 (x86) platforms. On UNIX, only tibemsd64, the 64-bit version of the server, is supported. No 32-bit support is provided.
To enable FIPS 140-2 operations in the EMS server:
Set the fips140-2 parameter in the main configuration file to true.
When fips140-2 is enabled, on start-up the EMS server initializes in compliance with FIPS 140-2. If the initialization is successful, the EMS server prints a message indicating that it is operating in this mode. If the initialization fails, the server exits (regardless of the startup_abort_list setting).
Incompatible Parameters
In order to operate in FIPS compliant mode, you must not include these parameters in the tibemsd.conf file:
These parameters cannot be included in the routes.conf file:
Enabling EMS Clients
Java and C client applications can operate in FIPS compliance:
Java Clients  Java clients that use the Entrust implementation of SSL, rather than the JSSE that is included with EMS, can operate in FIPS 140-2 compliant mode.
To enable FIPS 140-2 operations in the Java client:
Set the com.tibco.security.FIPS property to true before calling any EMS methods.
Download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your JDK installation. These files are available on the Sun Microsystems website.
For more information about using Entrust, see Configuring SSL in EMS Clients.
C Clients  C clients that link to the dynamic EMS libraries can operate in FIPS 140-2 compliant mode. FIPS compliance is not available with static libraries.
To enable FIPS 140-2 operations in the C client, use compliant OpenSSL libraries, and initialize the libraries to enable FIPS 140-2 operations before calling any EMS functions.
C libraries support FIPS compliance only on Windows, Linux, and Solaris 10 (x86) platforms. On UNIX, only the 64-bit C libraries are supported. No 32-bit support is provided.
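A pre-start check for the server-side requirements in "Enabling the EMS Server" and "Incompatible Parameters", as an added example that is not part of the TIBCO documentation or product. It assumes the configuration file uses one `name = value` setting per line with `#` comments; the incompatible parameter names are supplied by the caller, and `example_forbidden_param` is a hypothetical placeholder.

```python
import re

# Assumption: the configuration file holds one "name = value" setting per
# line and treats "#" as the start of a comment.
_SETTING = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*=\s*(.*?)\s*$")

# Constructed sample input; example_forbidden_param is a hypothetical name.
SAMPLE_CONF = """\
# constructed sample, not a real server configuration
server = EMS-SERVER
listen = ssl://7243
fips140-2 = false
example_forbidden_param = some-value
"""


def parse_settings(text):
    """Return {name: [(line_number, value), ...]} for every setting line."""
    settings = {}
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop comments
        match = _SETTING.match(line)
        if match:
            settings.setdefault(match.group(1), []).append((number, match.group(2)))
    return settings


def audit_fips(text, incompatible):
    """List findings that would keep the server out of FIPS 140-2 mode.

    `incompatible` is the set of parameter names that the EMS documentation
    for your release lists as not allowed; none are hard-coded here.
    """
    settings = parse_settings(text)
    findings = []
    entries = settings.get("fips140-2", [])
    if not entries:
        findings.append("fips140-2 is not set")
    if len(entries) > 1:
        lines = ", ".join(str(number) for number, _ in entries)
        findings.append(f"fips140-2 is set more than once (lines {lines})")
    for number, value in entries:
        if value.lower() != "true":
            findings.append(f"line {number}: fips140-2 is {value!r}, expected true")
    for name in sorted(incompatible):
        for number, _ in settings.get(name, []):
            findings.append(f"line {number}: {name} is not allowed in FIPS mode")
    return findings


if __name__ == "__main__":
    for finding in audit_fips(SAMPLE_CONF, {"example_forbidden_param"}):
        print(finding)
```

An empty result means the file passes these two checks only; the server's own start-up message remains the confirmation that it is running in FIPS 140-2 mode.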