The WebSphere Application Server must use FIPS 140-3-approved encryption modules when authenticating users and processes.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-283677 | SRG-APP-000179-AS-000129 | WBSP-AS-001770 | SV-283677r1193276_rule | 2026-02-26 | 2 |
Description
Encryption is only as good as the encryption modules in use. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised due to weak algorithms. The use of TLS provides confidentiality of data in transit between the application server and client. FIPS 140-3-approved TLS versions include TLS V1.0 or greater.
TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.
ℹ️ Check
Note: If FIPS 140-2 is configured in WBSP-AS-001290, this is not applicable. This is allowed until 21 September 2026. If FIPS 140-2 is still in use after this date, this is a finding.
From administrative console, click Security >> SSL certificate and key management >> Manage FIPS.
If "Enable FIPS 140-3" is not selected, this is a finding.
✔️ Fix
Implementation for Cell Profile (Network Deployment):
1. Back up the existing configuration:
backupConfig.sh <backup_directory>
2. Stop all servers except the deployment manager:
- Stop all node agents and application servers.
- Keep only the deployment manager running.
3. Enable FIPS 140-3.
Option A - Using Administrative Console:
1. Click Security >> SSL certificate and key management >> Manage FIPS.
2. Select "Enable FIPS 140-3".
3. Click "Apply".
Option B - Using Admin Command:
AdminTask.enableFips('[-enableFips true -fipsLevel FIPS140-3 ]')
1. Stop the deployment manager.
2. Restart the deployment manager.
3. Synchronize nodes. On each node, run:
syncNode.sh <dmgr_host> <dmgr_port>
4. Start node agents and servers
Implementation for Standalone Profile:
1. Back up the existing configuration:
backupConfig.sh <backup_directory>
2. Enable FIPS 140-3.
Option A - Using Administrative Console:
1. Click Security >> SSL certificate and key management >> Manage FIPS.
2. Select "Enable FIPS 140-3".
3. Click "Apply".
Option B - Using Admin Command:
AdminTask.enableFips('[-enableFips true -fipsLevel FIPS140-3 ]')
For both methods, restart the application server.