
Details on install of JSafe JCE jar files : cryptoj.jar and cryptojFIPS.jar on CA Access Gateway (formerly Secure Proxy Server)


Article ID: 42192


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

Introduction/Summary: 

CA Access Gateway (formerly Secure Proxy Server) deploys several cryptoj.jar and cryptojFIPS.jar files. This article explains how they are used and how to configure them to allow FIPS-compliant and non-compliant algorithms.

Background:  

FIPS 140-2 is a US government computer security standard specifying accredited cryptographic modules for use by US government agencies. The compliance level is also used as a benchmark by many non-US government and non-government agencies.

Many Java components within CA Single Sign On use the BSAFE cryptoj.jar from RSA Security, including CA Secure Gateway.

Depending on the environment, a CA Secure Gateway (formerly Secure Proxy Server) deployment needs to handle SSL connections to backends in either:

  • A FIPS compliant mode, where a restricted list of algorithms is used.
  • A NON_FIPS mode, where older backend servers are in use and non-FIPS-compliant algorithms are needed.

 

Environment:  

All (windows, linux, solaris) 

Instructions: 

SPS installs multiple instances of cryptoj.jar

A default install of CA Secure Gateway contains several BSAFE cryptoj.jar deployments:

[Image: multiple-cryptoj.PNG]

The two main instances of cryptoj.jar are : 

In secure-proxy\agentframework\java\
    cryptoj.jar - This is the standard SM SDK java client cryptoj.jar deployment (defaults to allow all algorithms) 

In secure-proxy\Tomcat\thirdparty\
    cryptojFIPS.jar - This is the instance used by proxy-engine (defaults to only FIPS compatible algorithms).

The remaining instances matter less for the proxy-engine but do come into play if you are using those specific services: there is an instance of cryptoj.jar in the arcot directory, one in the affwebservices webapp, and SNAPSHOT versions in the session assurance webapps authapp and uiapp.

The thirdparty/cryptojFIPS.jar is the main instance we need to be concerned with, as this sets the default implementation for the proxy-engine.    

 

Deployments prior to SPS R12.52 - allows non FIPS by default

Prior to the addition of session assurance in SPS R12.52, cryptoj.jar was deployed into the Tomcat/thirdparty directory. The choice of FIPS / NON FIPS supported algorithms was made via the ciphers/fipsciphers entries in the server.conf file:

[Image: choice-fips-server-conf.PNG]

Those settings were used in conjunction with the environment variable CA_SM_PS_FIPS140:

[Image: set-mode-env-fips.PNG]

Then for COMPAT mode entries from ciphers or fipsciphers were acceptable, and for FIPS mode only ciphers from fipsciphers were acceptable.

This sets the algorithms that are usable in the proxy-engine for connections to backend web servers using the java httpclient module.

Deployments for SPS R12.52+ - allows only FIPS by default

Session Assurance, added to SPS in R12.52, has its own requirements for FIPS compatibility and does not use the settings in server.conf. So the BSAFE deployment in SPS was changed to cryptojFIPS.jar for versions after SPS R12.52.

Unfortunately that adds an extra layer of restriction to the algorithms usable by the proxy-engine when establishing SSL connections to backend web servers. By default, and independent of the settings in server.conf and the environment variable CA_SM_PS_FIPS140, only FIPS compatible algorithms can now be used.


Changing the default mode for cryptoj.jar/cryptojFIPS.jar

The implementation jar files cryptoj.jar and cryptojFIPS.jar both contain all of the FIPS and NON FIPS algorithms. The only difference is in the default of what they allow to be used, and that default can be changed.

To override the default for cryptoj.jar / cryptojFIPS.jar, edit the java.security file in the JDK/JRE deployment and add the setting:

     com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE

[Image: allow-non-fips-mode.PNG]

 

Values for cryptoj.jar fips140 initialmode :

Useful values for com.rsa.cryptoj.fips140initialmode are : 

com.rsa.cryptoj.fips140initialmode=FIPS140_MODE:  FIPS140-2 approved. 

com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE:  Not FIPS140-2 approved.

com.rsa.cryptoj.fips140initialmode=FIPS140_SSL_MODE:  Provides the same algorithms as CryptoJ.FIPS140_MODE, plus the MD5 message digest.  This mode can be used in the context of the key establishment phase in the TLSv1, TLSv1.1 and TLSv1.2 protocols.

There are also FIPS140_ECC_MODE and FIPS140_SSL_ECC_MODE, but these should not be used as they enable Elliptic Curve Asymmetric Encryption Schemes that have known problems.


Take care to update both instances of the file java.security 

Generally with SPS installs there are both an SDK and a JRE installation, and the SDK has its own deployed JRE in a subdirectory. The catch is that there are then two java.security files. Technically you only need to update the one that is being used, but it is good practice to update both, so that you can be sure the default you want is in effect.

[Image: two-java-security.PNG]

So the two locations of the java.security file that you need to update will be something like : 

    <Java>\jdk1.7.0_51\jre\lib\security\java.security
    <Java>\jre7\lib\security\java.security 
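
A check for the two-file pitfall described above, as an added example that is not part of the original article: it parses the text of a java.security file, reports the effective com.rsa.cryptoj.fips140initialmode value, and flags a misspelled key or one of the ECC modes. The function name, paths and sample file contents are constructed for illustration, and the parser handles plain key=value lines only.

```python
KEY = "com.rsa.cryptoj.fips140initialmode"
# Mode names as listed in the article; it advises against the two ECC modes.
ALLOWED = {"FIPS140_MODE", "NON_FIPS140_MODE", "FIPS140_SSL_MODE"}
DISCOURAGED = {"FIPS140_ECC_MODE", "FIPS140_SSL_ECC_MODE"}

# Constructed sample contents standing in for the two java.security files.
SAMPLE_JDK_JRE = (
    "security.provider.1=sun.security.provider.Sun\n"
    "com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE\n"
)
SAMPLE_JRE = (
    "security.provider.1=sun.security.provider.Sun\n"
    "com.rsa.crpytoj.fips140initialmode=NON_FIPS140_MODE\n"  # misspelled key
)


def audit_java_security(text, expected):
    """Return (effective_mode, findings) for the text of one java.security file."""
    mode, findings = None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line, comment, or not a key=value entry
        key, val = (part.strip() for part in line.split("=", 1))
        if key == KEY:
            mode = val  # properties semantics: the last assignment wins
        elif key.lower().endswith("fips140initialmode"):
            # Nothing reads a misspelled key, so the jar's own default stays in effect.
            findings.append(f"line {n}: unrecognised key {key!r}, possible typo")
    if mode is None:
        findings.append(f"{KEY} is not set, the jar default applies")
    elif mode in DISCOURAGED:
        findings.append(f"{mode} is a mode the article says not to use")
    elif mode not in ALLOWED:
        findings.append(f"unknown mode {mode!r}")
    elif mode != expected:
        findings.append(f"mode is {mode}, expected {expected}")
    return mode, findings


if __name__ == "__main__":
    # Constructed paths; substitute the two real java.security locations.
    files = {"jdk/jre/lib/security/java.security": SAMPLE_JDK_JRE,
             "jre/lib/security/java.security": SAMPLE_JRE}
    for path, text in files.items():
        mode, findings = audit_java_security(text, "NON_FIPS140_MODE")
        print(path, "->", mode, findings or "OK")
```

Run it against the contents of both files after every JDK/JRE upgrade, since a replaced java.security silently restores the jar default.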

 

Additional Information:

FIPS 140-2 
https://en.wikipedia.org/wiki/FIPS_140-2

RSA BSAFE Crypto-J 5.0 and 5.0.1 : Security Policy Level 1
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1502.pdf

Configure CA SiteMinder SPS to Use FIPS
https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/upgrading/configure-ca-siteminder-sps-to-use-fips

RSA Security
https://www.rsa.com/en-us

Problems with Elliptic Curve Asymmetric Encryption
http://www.wired.com/2013/09/nsa-backdoor/

 

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus