Reference Guide
RSA BSAFE SSL-J 6.2.6 Security Policy
Secure Operation of SSL-J
Please refer to Secure Operation of the Module in the RSA BSAFE Crypto-J JSAFE
and JCE Software Module Security Policy documents for detailed information about
how to operate the Cryptographic Module securely, and the RSA BSAFE Crypto-J
FIPS Compliance Guide for a definition of the FIPS 140-2 modes.
The default initial mode of Crypto-J is FIPS140_MODE. The initial mode can be
configured through the use of the com.rsa.cryptoj.fips140initialmode property.
See the RSA BSAFE SSL-J Developers Guide for instructions to set this property.
When an SSL-J library instance context starts up, it detects the Crypto-J
FIPS 140-2 mode. If the mode is FIPS140_MODE, the mode is set to
FIPS140_SSL_MODE.
The mode of instances of the SSL-J library can be set by passing FIPS140Mode
classes into the constructors of SSLParams and JsseProvider. In this way, SSL-J
can be run in multiple modes simultaneously.
FIPS 140-2 Compliance
To use SSL-J in a FIPS 140 compliant manner all that needs to be done is:
• Use SSL-J and Cert-J with the Crypto-J FIPS 140 toolkit variant. SSL-J ships with
one toolkit variant, sslj-6.2.6.jar, and Cert-J ships with one toolkit variant,
certj-6.2.4.jar. These jar files can be used with the Crypto-J jar files.
To use SSL-J in a FIPS 140 compliant manner, sslj-6.2.6.jar, certj-6.2.4.jar,
cryptojce-6.2.5.jar, cryptojcommon-6.2.5.jar and jcmFIPS-6.2.5.jar [1] must be
the only BSAFE Java files in the class path.
The SSLJVersion.isFIPS140Compliant() method can be used to check that the
correct jar files are in the class path.
• Use cipher suites which use FIPS 140-defined algorithms, as described in
Introduction to the SSLJ and JSSE APIs > Supported Cipher Suites in the
RSA BSAFE SSL-J Developers Guide, and specified in the Crypto-J security
policy documents.
• Use TLS protocol version 1.0, 1.1 or 1.2.
[1] jcmandroidfips-6.2.5.jar can be used instead of jcmFIPS-6.2.5.jar for Android applications.
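A build-time complement to SSLJVersion.isFIPS140Compliant(), as an added example that is not part of the RSA policy or the SSL-J product: a Python audit of a class path string against the jar set listed above. The filename prefixes used to recognise BSAFE jars, the function name audit_classpath and the sample paths are assumptions.

```python
import re

# Jar names taken from the policy text above.
REQUIRED = {"sslj-6.2.6.jar", "certj-6.2.4.jar",
            "cryptojce-6.2.5.jar", "cryptojcommon-6.2.5.jar"}
# One FIPS module jar: the standard one, or the Android one from footnote 1.
FIPS_MODULE = {"jcmFIPS-6.2.5.jar", "jcmandroidfips-6.2.5.jar"}
# Assumption: a jar whose name starts with one of these prefixes is a BSAFE jar.
BSAFE_NAME = re.compile(r"^(sslj|certj|cryptoj|jcm)[\w.-]*\.jar$", re.IGNORECASE)

def audit_classpath(classpath, sep=":"):
    """Return findings; an empty list means the class path matches the policy."""
    findings, bsafe = [], set()
    for entry in filter(None, (e.strip() for e in classpath.split(sep))):
        name = re.split(r"[\\/]", entry)[-1]
        if name == "*":
            # Java expands dir/* at launch; its contents cannot be judged here.
            findings.append(f"wildcard entry not auditable: {entry}")
        elif BSAFE_NAME.match(name):
            bsafe.add(name)
    for name in sorted(bsafe - REQUIRED - FIPS_MODULE):
        findings.append(f"unexpected BSAFE jar: {name}")
    for name in sorted(REQUIRED - bsafe):
        findings.append(f"missing required jar: {name}")
    modules = FIPS_MODULE & bsafe
    if len(modules) != 1:
        findings.append(f"expected exactly one FIPS module jar, found {len(modules)}")
    return findings

# Constructed sample class paths (paths are illustrative only).
LIB = "/opt/app/lib/"
GOOD = ":".join(LIB + j for j in sorted(REQUIRED) + ["jcmFIPS-6.2.5.jar", "app.jar"])
BAD = ":".join([LIB + j for j in sorted(REQUIRED)] + [LIB + "jcm-6.2.5.jar", "/opt/extra/*"])

if __name__ == "__main__":
    for label, cp in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_classpath(cp) or "OK")
```

Pass sep=";" when auditing a Windows class path.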