OpenLiberty / docs

See Open Liberty documentation on https://openliberty.io/docs/

Add another sentence to remind customer to import necessary certificates to NSS database. #6497

Closed una-tapa closed 1 year ago

una-tapa commented 1 year ago

Please describe the problem you are having with the documentation. Is information missing, inaccurate, or unclear? Tell us about the context where you encountered the problem so we can understand how to address it.

This request is for the first paragraph of "Enable FIPS for Open Liberty on IBM Semeru Runtimes" below.

You can enable either IBM Semeru Runtime Certified Edition or Open Edition in FIPS mode in version 11.0.16 and later for Java 11 and version 17.0.4 and later for Java 17. Java 11 and 17 support for FIPS with Semeru Runtimes is available only on Red Hat Enterprise Linux (RHEL) 8 on x86 platforms. The RHEL 8 operating system must be running in FIPS mode because the IBM Semeru Runtimes rely on the operating system’s underlying Network Security Services (NSS) FIPS 140-2 certification. To run Open Liberty on IBM Semeru Runtimes in FIPS mode, Open Liberty version 22.0.0.8 or later is recommended. In FIPS mode, Semeru Runtimes does not support file-based keystores like JKS and PKCS#12. Certificates in your file-based keystores must be imported into the NSS database.

We would like the following one line added at the end:

Open Liberty does not create certificates in the NSS database.

The current documentation in bold may be sufficient but there was a customer who believed that Open Liberty would create necessary certificates in the NSS database, and wanted to see it explicitly mentioned. @acdemyers and I worked on the customer issue, and agree to add this one line to catch customers' eyes.
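Because Open Liberty does not create certificates in the NSS database, a pre-start check can confirm that every keystore entry was imported. The script below is an added example, not part of this issue or the Open Liberty documentation. It assumes the NSS database is at `sql:/etc/pki/nssdb`, that `keytool` prints English-locale output, and a keystore file named `key.p12`; both sample outputs are constructed.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d sql:/etc/pki/nssdb` output (path is an assumption).
SAMPLE_CERTUTIL='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

default                                                      u,u,u
example root ca                                              CT,,
'

# Constructed sample of `keytool -list -keystore key.p12 -storetype PKCS12` output.
SAMPLE_KEYTOOL='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

default, Jan 5, 2023, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 00:11:22 (constructed)
example root ca, Jan 5, 2023, trustedCertEntry, 
Certificate fingerprint (SHA-256): 33:44:55 (constructed)
ldap-signer, Jan 5, 2023, trustedCertEntry, 
Certificate fingerprint (SHA-256): 66:77:88 (constructed)
'

# Read `certutil -L` output on stdin and print one nickname per line.
# The trailing trust-attribute column ("u,u,u", "CT,,") is stripped;
# nicknames may contain spaces, so the line is not split on whitespace.
nss_nicknames() {
  sed -n -e '/^Certificate Nickname/d' -e '/SSL,S\/MIME,JAR\/XPI/d' \
      -e 's/[[:space:]]\{1,\}[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$//p'
}

# Read `keytool -list` output on stdin and print one alias per line.
# Entry lines end in "...Entry,"; the alias is the text before the first ", ".
keystore_aliases() {
  sed -n '/Entry,[[:space:]]*$/s/, .*$//p'
}

# $1 = keytool output, $2 = certutil output.
# Prints every keystore alias that has no exactly matching NSS nickname.
missing_in_nss() {
  nicks=$(printf '%s\n' "$2" | nss_nicknames)
  printf '%s\n' "$1" | keystore_aliases | while IFS= read -r entry; do
    printf '%s\n' "$nicks" | grep -Fxq -- "$entry" || printf '%s\n' "$entry"
  done
}

echo "Keystore entries not yet in the NSS database:"
missing_in_nss "$SAMPLE_KEYTOOL" "$SAMPLE_CERTUTIL"
```

On a live system, pass the real command output in place of the two samples. Entries it reports can be imported with `pk12util -i key.p12 -d sql:/etc/pki/nssdb`.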

t-koman commented 1 year ago

Salesforce update reads: From WAS: L3 DOC, we will use cumulative DOC APAR PH53045 and ID# 6497 to make updates to documentation. Specifically, we will update the Open Liberty topic: https://openliberty.io/docs/latest/enable-fips.html

We will add to the first paragraph in the section entitled, Enable FIPS for Open Liberty on IBM Semeru Runtimes, the following sentence:

Certificates in your file-based keystores must be imported into the NSS database.

The editing to provide the update to the documentation is targeted to complete on 04/07/2023. This particular update will appear in the external Open Liberty documentation at a later date.

Please supply a PROBLEM DESCRIPTION that describes the situation that caused the need to update the documentation. This PROBLEM DESCRIPTION is used to formulate closing text in the DOC apar.

Per process, WAS L3: DOC is re-assigning this skill case to WAS: L2 SEC so as to reach a final disposition with the customer. Thanks, Tom

dmuelle commented 1 year ago

Update is now published at https://openliberty.io/docs/latest/enable-fips.html#_enable_fips_for_open_liberty_on_ibm_semeru_runtimes

t-koman commented 1 year ago

Published content is OK. Closing this issue.