Manualshelf

Reference Guide

ManualsBrandsDell ManualsBSAFEBSAFE SSL-J
12345678910
2 Best Practice for SSL-J FIPS 140-2 Compliance
RSA BSAFE SSL-J 6.2.6 Security Best Practices Guide
Best Practice for SSL-J FIPS 140-2 Compliance
SSL-J allows TLS protocols to be used in a FIPS 140-2 compliant manner. It is
designed to be integrated into client applications using the Java JSSE and JCE
cryptographic provider frameworks, or using the proprietary SSLJ API.
For SSL-J and its encompassing system to be FIPS 140-2 compliant, the following
requirements must be met:
SSL-J must use a FIPS 140-2 validated cryptographic module, the RSA BSAFE
Crypto-J (Crypto-J) Java Crypto Module (JCM), for all cryptographic operations.
Only FIPS 140-2 approved algorithms can be used by SSL-J and by the
encompassing application.
The exceptions to this include:
MD5 which is allowable when used in TLS 1.0 and TLS 1.1 connections.
JKS. Storing certificates in JKS is allowable as no cryptography is used.
Storing private keys in JKS is allowable if the JCM is used correctly. That is,
if:
the JsafeJCE provider is registered as the default, so it is used by JKS
the appropriate key sizes are used
the Security Policy requirements are fulfilled
Note: If the application is going to be separately validated (NIAP
protection profile or UCAPL), the usage must be assessed on a case
by case basis. In this case, we recommend using PKCS #12 keystores,
as this removes any potential issue for the application validation.
The above requirements hold true for all operations performed by the application
and services provided by the application.
Complete the following actions to ensure that SSL-J is used in a FIPS 140-2 compliant
manner:
For all cryptographic operations, always explicitly ask for the Crypto-J or SSL-J
providers,
com.rsa.jsafe.provider.JsafeJCE or
com.rsa.jsse.JsseProvider, and use these to provide cryptographic and
TLS implementations. Do not ask for the default implementation.
Remove all other cryptographic providers from the
java.security provider
list. The provider list should only contain entries for Crypto-J and SSL-J.
Ensure only cipher suites allowed by FIPS 140-2 are enabled.
Use TLS protocol version 1.0, 1.1 or 1.2.