Configuring IBM Java FIPS 140-2 Manually

Tip: We suggest using the BouncyCastle FIPS 140-2 mode rather than the IBM Java FIPS mode. BouncyCastle FIPS mode is described in the section titled BouncyCastle FIPS 140-2.

You can enable FIPS mode during TIBCO MFT Internet Server installation. In this case, the installer configures FIPS mode automatically and no further action is necessary. If you do not enable FIPS mode during TIBCO MFT Internet Server installation, you must complete the required configuration to enable FIPS 140-2 manually.

Note: To enable the FIPS mode, your environment must support FIPS mode and have an IBM Java that is configured to run in FIPS mode.

For information on how to enable FIPS mode manually, see Enabling FIPS Mode Manually.

For information on how to take the MFT server out of FIPS mode, see Taking the MFT Server out of FIPS mode.

Important:

Tomcat 9 ignores any cipher suite whose name starts with SSL. This is a problem when running on IBM Java because IBM TLS cipher suite names start with SSL. The MFT Installer handles the conversion; this is an issue only if you manually edit the cipher suites in the server.xml file.

For example:

In the server.xml file, you must enter SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384.

However, in the web.xml file, you must leave the cipher suites in the IBM format starting with SSL.
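
A check for the server.xml case described above, as an added example that is not part of the TIBCO documentation or product: it scans the ciphers attribute of Tomcat Connector and SSLHostConfig elements for entries that still start with SSL_ and shows the renamed list. The sample XML and the function names are constructed for illustration, and the code assumes the attribute holds a comma-separated list of suite names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a server.xml fragment with one IBM-style name left in.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true">
      <SSLHostConfig ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                              SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"/>
    </Connector>
  </Service>
</Server>"""

# Elements that can carry a ciphers attribute in Tomcat 9.
CIPHER_ELEMENTS = ("Connector", "SSLHostConfig")


def split_suites(ciphers):
    """Split a comma-separated ciphers value, dropping blanks and whitespace."""
    return [s.strip() for s in ciphers.split(",") if s.strip()]


def to_server_xml_name(suite):
    """Rename an IBM-style SSL_ suite to the TLS_ form server.xml needs."""
    return "TLS_" + suite[len("SSL_"):] if suite.startswith("SSL_") else suite


def find_ignored_suites(server_xml_text):
    """Return (element tag, suite) for every SSL_-prefixed entry found."""
    findings = []
    for elem in ET.fromstring(server_xml_text).iter():
        if elem.tag in CIPHER_ELEMENTS and elem.get("ciphers"):
            for suite in split_suites(elem.get("ciphers")):
                if suite.startswith("SSL_"):
                    findings.append((elem.tag, suite))
    return findings


def rewrite_ciphers(ciphers):
    """Return the ciphers value with every SSL_ entry renamed to TLS_."""
    return ",".join(to_server_xml_name(s) for s in split_suites(ciphers))


if __name__ == "__main__":
    for tag, suite in find_ignored_suites(SAMPLE_SERVER_XML):
        print(f"{tag}: {suite} -> {to_server_xml_name(suite)}")
```

Apply the rename to server.xml only; the cipher suites in web.xml stay in the IBM format.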