000014011 - FIM - Encryption Algorithms Q&A

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000014011
Applies ToRSA Federated Identity Manager (FIM) 4.x
IssueFIM - Encryption Algorithms Q&A
Questions concerning FIM encryption algorithms

1. Can FIM be configured so that a particular SSO connection can use one encryption algorithm versus another?  For example, if we are acting as an IDP and one client requires TRIPLE DES encryption and another client requires AES 256, can FIM be configured to support this scenario?

RSA Response:
This is a system wide setting.   Whenever FIM on your side encrypts data to send it will be of  the one algorithm chosen. All partners/receivers will know what algorithm was used as it is marked in the xml of the assertion or name identifier. All receivers must be able to accept any of the three algorithms chosen. Encrypted data and what algorithm is used is dependent upon the xml statements used in an assertion, metadata etc.
For example
  <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
  <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc'/>

2. Does FIM support additional encryption algorithms other than the TRIPLE DES, AES128, and AES 256? If so,  how do we accomplish this?

RSA Response:
No, only the three specified.  We will accept any encrypted data from partners if it is done with any of the three algorithms regardless of the system setting. The system setting is for what we send. We will accept any of the three.

General Info:
The federation protocols that Federated Identity Manager supports require encryption algorithms that are not available in the default weblogic application server environment. To implement these encryption algorithms, you must install and configure either the Crypto-J 4.0 FIPS security provider or the BouncyCastle security provider.

? Crypto-J 4.0 FIPS: jsafeJCEFIPS.jar
? BouncyCastle: bcprov-jdk14-134.jar

Federated Identity Manager uses the encryption algorithm to encrypt assertions and name identifiers. Federated Identity Manager only supports AES 128, AES 256, and triple DES. If you want to use AES-256 for encryption, you must download the JCE Unlimited Strength Jurisdiction Policy files provided with the Sun JDK 1.4.2.

Legacy Article IDa51912