FIPS 140-2 Compliance
webMethods Integration Server Version 9.0 and later embeds the Entrust Authority Security Toolkit for Java 8 and BouncyCastle library, which has obtained FIPS 140-2 validation. FIPS (Federal Information Processing Standards) provides standards for information processing for use within the Federal government. The policy for Version 8 is available at the following:
Many government and financial organizations require that their software be FIPS 140-2 compliant, which follows the current standards and guidelines for cryptographic information processing.
Note:
Integration Server itself is not considered to be FIPS 140 certified.
Running Integration Server in FIPS 140-2-compliant mode ensures that it only uses FIPS compliant algorithms in the FIPS compliant modes. You can enable FIPS mode by setting the following extended setting on the Integration Server:
watt.security.fips.mode=true
Refer to
Server Configuration Parameters for a detailed description of this server configuration parameter. Also, refer to
Working with Extended Configuration
Settings for instructions on viewing and updating extended settings for the
Integration Server.
In addition to running the server in FIPS compliant mode, you must follow the other instructions in the Entrust Cryptographic Module Security Policy and BouncyCastle FIPS Compliance Security Policy. The instructions include implementing safeguards such as not allowing multiple users to access the computer and ensuring that the computer is physically protected. This information is available in the Operational Environment section of the document. Depending on your organization's policies, you might also be required to use the same hardware, operating system, and JDK as was used in the Entrust and BouncyCastle approvals.
FIPS mode encryption is only applicable to HTTPS or FTPS communications and S/MIME encryption/signing. FIPS Entrust encryption/signing is used for HTTPS or FTPS and FIPS BouncyCastle encryption/signing is used for S/MIME communications.