Chapter 2. Planning 61
GSKit is the toolkit used to create and manage the key database and the certificates that WebSEAL uses for its HTTPS communication. For better performance, WebSEAL also supports SSL hardware acceleration through GSKit7: offloading the SSL cryptographic operations to a hardware accelerator reduces the CPU load of SSL communications and so improves the overall performance of the system.
FIPS enablement
In Tivoli Access Manager 6.0, Federal Information Processing Standard 140-2 (FIPS 140-2) enablement is introduced. With FIPS enabled, Tivoli Access Manager uses only government-approved cryptography wherever cryptography is required. Tivoli Access Manager uses cryptography in the following areas:
• Creation and replacement of the internal, self-signed certificates that the Access Manager Runtime and the Tivoli Access Manager security servers use to authenticate to each other.
• The secure communication protocol over which the runtime and the servers communicate with each other.
Federal Information Processing Standard 140-2 (FIPS 140-2) is a standard that
describes U.S. Federal Government requirements that IT products should meet
for Sensitive but Unclassified (SBU) use. The standard defines the security
requirements that must be satisfied by a cryptographic module used in a security
system protecting unclassified information within IT systems. There are four
levels of security, from Level 1 (lowest) to Level 4 (highest). These levels are
intended to cover the wide range of potential applications and environments in
which cryptographic modules can be deployed. The security requirements cover
areas related to the secure design and implementation of a cryptographic
module. These areas include basic design and documentation, module
interfaces, authorized roles and services, physical security, software security,
operating system security, key management, cryptographic algorithms,
electromagnetic interference/electromagnetic compatibility (EMI/EMC), and
self-testing. For more information on FIPS 140-2, see:
http://csrc.nist.gov/cryptval/140-2.htm
FIPS enablement in Tivoli Access Manager covers only Tivoli Access Manager's own cryptographic operations, that is, the application layer. It does not make prerequisite products or other products in the deployment FIPS-compliant; each of those must be FIPS-enabled separately. In FIPS mode, Transport Layer Security version 1 (TLS v1) is used as the secure communication protocol instead of SSL v3, and TLS is then the only protocol accepted for secure communication with the Tivoli Access Manager Policy Server. A client that attempts to connect with SSL v3 (non-FIPS mode) to a Policy Server configured in FIPS mode does not get a protocol downgrade: the Policy Server closes the connection and the client sees a socket-closed exception.
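The version mismatch just described is decided at the start of the handshake: the client's ClientHello carries the highest protocol version it offers (SSL v3 is version 3.0 on the wire, TLS v1 is 3.1), and a server that requires TLS v1 must refuse a 3.0 hello rather than negotiate down. The following Python is an added example, not code from Tivoli Access Manager or GSKit: it parses a ClientHello record from constructed bytes and applies a hypothetical accept_client_hello policy that mirrors the behaviour the text describes (close the socket on SSL v3 when FIPS mode is on). The cipher suite numbers are standard TLS code points; the all-zero random field, the helper names and the (accepted, version, reason) return shape are the example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Wire versions: SSL v3 is 3.0, TLS v1 is 3.1 (the FIPS-mode requirement).
SSL_V3 = (3, 0)
TLS_V1_0 = (3, 1)

# Standard TLS cipher suite code points, used here only as sample payload.
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A


class HandshakeError(ValueError):
    """Raised for anything that is not a well-formed SSL v3/TLS ClientHello."""


@dataclass
class ClientHello:
    record_version: Tuple[int, int]
    client_version: Tuple[int, int]
    cipher_suites: List[int]


def build_client_hello(version, cipher_suites, record_version=None) -> bytes:
    """Build a minimal ClientHello record (constructed test input, all-zero random)."""
    body = bytes(version) + bytes(32) + b"\x00"          # client_version, random, empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # suites, null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType ClientHello = 1
    rec_ver = bytes(record_version or version)
    return b"\x16" + rec_ver + struct.pack("!H", len(handshake)) + handshake  # ContentType 22 = handshake


def parse_client_hello(data: bytes) -> ClientHello:
    """Parse the record header, handshake header and the ClientHello version/cipher list."""
    if len(data) < 5:
        raise HandshakeError("truncated record header")
    if data[0] & 0x80:
        # SSLv2-compatible hello: 2-byte length with the high bit set, no record header.
        raise HandshakeError("SSLv2-compatible ClientHello")
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16:
        raise HandshakeError("not a handshake record")
    body = data[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:
        raise HandshakeError("not a complete ClientHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 2 + 32 + 1:
        raise HandshakeError("truncated ClientHello")
    client_version = (hello[0], hello[1])
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + hello[pos]                          # skip session_id
    if pos + 2 > len(hello):
        raise HandshakeError("truncated cipher_suites length")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    cs_bytes = hello[pos:pos + cs_len]
    if len(cs_bytes) != cs_len or cs_len % 2 or cs_len == 0:
        raise HandshakeError("bad cipher_suites vector")
    pos += cs_len
    if pos >= len(hello) or hello[pos] == 0 or pos + 1 + hello[pos] > len(hello):
        raise HandshakeError("bad compression_methods vector")
    suites = [struct.unpack("!H", cs_bytes[i:i + 2])[0] for i in range(0, cs_len, 2)]
    return ClientHello((major, minor), client_version, suites)


def accept_client_hello(data: bytes, fips_mode: bool):
    """Server-side policy: returns (accepted, negotiated_version_or_None, reason)."""
    try:
        hello = parse_client_hello(data)
    except HandshakeError as exc:
        return False, None, f"close socket: {exc}"
    if fips_mode and hello.client_version < TLS_V1_0:
        # The FIPS-mode failure the text describes: SSL v3 offered, TLS v1 required.
        return False, None, "close socket: SSL v3 offered but FIPS mode requires TLS v1"
    negotiated = min(hello.client_version, TLS_V1_0)  # this example server speaks at most TLS v1
    return True, negotiated, "ok"


if __name__ == "__main__":
    tls_hello = build_client_hello(TLS_V1_0, [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA])
    ssl3_hello = build_client_hello(SSL_V3, [TLS_RSA_WITH_3DES_EDE_CBC_SHA])
    for name, hello in (("TLS v1", tls_hello), ("SSL v3", ssl3_hello)):
        print(name, "FIPS on: ", accept_client_hello(hello, True))
        print(name, "FIPS off:", accept_client_hello(hello, False))
```

The policy deliberately keys on the client_version field inside the ClientHello, not on the record-layer version: TLS clients commonly put 3.0 in the record header of their first hello for compatibility while offering 3.1 or higher in the body, so a check on the record header alone would wrongly reject legitimate TLS v1 clients. SSLv2-style hellos (first byte with the high bit set) are rejected outright, since they cannot express a FIPS-acceptable negotiation.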