Provisioning Reference Guide › SPML Service › SPML Support for FIPS 140-2

SPML Support for FIPS 140-2

The SPML server is FIPS 140-2 compliant. We recommend deploying the SPML service on:

• Apache Tomcat Server 4.1.36 or a higher version of 4.1
• JDK 1.5.11 or a higher version of JDK 1.5. Note that Tomcat must be enabled to run in SSL mode. For details, see the Apache's administrator guide for Tomcat 4, (http://jakarta.apache.org/tomcat/) section “SSL Configuration HOW-TO.”

If you use CA Tomcat instead of Apache Tomcat, CA Identity Manager requires these workarounds for SPML:

• If you are using JDK 1.4.xx with CA Tomcat, FIPS 140-2 must be disabled. JDK 1.4.xx is incompatible with CA Tomcat because the RSA Jsafe CryptoJ 4.0 library needed for FIPS 140-2 support cannot be placed as the first security provider in JDK1.4.

  To disable FIPS 140-2 support, pass the JVM flag “-Dcom.ca.commons.security.fips=false” during Tomcat start up.

  • If you are running Tomcat from the command line, you can include the JVM flag catalina.bat. More details exist in the batch file itself.
  • If you are running Tomcat as windows service, pass the flag as follows:
    1. Using the registry editor, navigate to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CA Tomcat 4.1.29 eTrustIAMWebServer\Parameters”
    2. Add a String Value called “JVM Option Number n” where 'n' is the number following on from the previous JVM parameter. For the value, specify:

       Dcom.ca.commons.security.fips=false

    3. Increase by one the value of Edit DWORD Value “JVM Option Count” to account for the newly added parameter.
• If you are using JDK 1.5 with CA Tomcat, an incompatibility problem exists. To work around this problem:
  1. Manually remove the two Xerces libraries (xercesImpl.jar and xmlParserAPIs.jar) from %TOMCATHOME%\common\endorsed.
  2. Restart Tomcat.