Unconfiguring the FIPS provider
To unconfigure the FIPS provider, reverse the changes that you made in Configuring WebSphere Application Server for FIPS. After you reverse the changes, verify that you have made the following changes to the ssl.client.props, soap.client.props, and java.security files:
- In the ssl.client.props file, change the com.ibm.security.useFIPS value to false.
- In the java.security file, change the FIPS provider to a non-FIPS provider.
- If you are using the SDK java.security file, change the first provider to a non-FIPS provider as shown in the following example:
#security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.1=com.ibm.crypto.provider.IBMJCE security.provider.2=com.ibm.jsse.IBMJSSEProvider security.provider.3=com.ibm.jsse2.IBMJSSEProvider2 security.provider.4=com.ibm.security.jgss.IBMJGSSProvider security.provider.5=com.ibm.security.cert.IBMCertPath #security.provider.6=com.ibm.crypto.pkcs11.provider.IBMPKCS11
- If you are using the Oracle JDK java.security file, change the third provider to a non-FIPS provider as shown in the following example:
security.provider.1=sun.security.provider.Sun security.provider.2=com.ibm.security.jgss.IBMJGSSProvider #security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS security.provider.3=com.ibm.crypto.provider.IBMJCE security.provider.4=com.ibm.jsse.IBMJSSEProvider security.provider.5=com.ibm.jsse2.IBMJSSEProvider2 security.provider.6=com.ibm.security.cert.IBMCertPath #security.provider.7=com.ibm.crypto.pkcs11.provider.IBMPKCS11
- This step applies only if you added the default JSSE socket factories parameters to the SDK java.security file as described in Configuring DB2 for FIPS. If you added them, remove the following parameters:
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl