IBM Support

How to configure Rational DOORS database server and client for compliance with NIST SP 800-131A

Technote (troubleshooting)


Problem(Abstract)

How do you configure IBM Rational DOORS database server and client for compliance with NIST SP 800-131A?

Cause

You can configure Rational DOORS database server and client to communicate over secure sockets in compliance with the NIST Special Publications 800-131A standard. That standard specifies the algorithms to use to strengthen security, and the minimum encryption strengths that are required for the algorithms.
This configuration is optional. It might have an impact on performance. It might require new certificates.

Resolving the problem

You can configure the compliance for NIST SP 800-131A on the Rational DOORS database server by entering options in the table below when starting the server at the command line, by using the doorsd command.

For example:

doorsd -sp800-131 -allowTls10And11 -allowSha1

For more information, see the help topic: Configuring the registry and using command-line switches for the Rational DOORS client.

You can configure the compliance for NIST SP 800-131A on the Rational DOORS client by entering options in the table below when starting the client at the command line, by using the doors command.

For example:

doors -sp800-131 -allowTls10And11 -allowSha1

For more information on registry settings and command-line switches for the database server, see the help topics:


The compliance can be configured as strict or transitional. In strict mode, all communication must conform to SP 800-131A. For example, a Rational DOORS server using this mode cannot authenticate users by using certificate log-in if the client is not using this mode. Strict mode requires TLSv1.2 protocol and SHA2 certificates. You can add strength to the strict mode by requiring that the full certificate chain is checked for SHA2 certificates, not just the end certificate.
Transitional mode removes some SP 800-131A requirements and allows communication with parties that use TLSv1, TLSv1.1, or TLSv1.2 protocol and SHA1 certificates.

Command line switches and registry settings

Switch/registry setting | Description
-sp800-131 | When used alone, this enforces strict compliance. It can be strengthened or weakened when used with the following optional switches.
-strictSha2 | This option strengthens the strict mode by requiring that the full certificate chain is checked for SHA2 certificates, not just the end certificate. For example, a Rational DOORS server that uses a SHA2 certificate that has a SHA1 root will start in secure mode if only SP 800-131A is used, but not if both SP 800-131A and strictSha2 are specified. Note that this option is ignored if -allowSha1 is used.
-allowSha1 | This transitional mode option permits connections that are made with SHA1 certificates, in addition to SHA2.
-allowTls10And11 | This transitional mode option permits connections that are made with the TLS v1.0 and TLS v1.1 protocols, in addition to TLS v1.2.
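As an added illustration (not IBM code, and not how doorsd or doors implements the switches internally), the following Python models the effective policy produced by the switches above, including the rule that -strictSha2 is ignored when -allowSha1 is present, and checks a constructed certificate chain and a negotiated protocol version against it. The protocol names, signature-algorithm strings and the SAMPLE_CHAIN are assumptions made for the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    enforced: bool            # -sp800-131 given at all
    protocols: frozenset      # TLS versions accepted
    hashes: frozenset         # certificate signature hash families accepted
    check_full_chain: bool    # -strictSha2 in effect (whole chain checked)

def effective_policy(args):
    """Derive the effective policy from a doorsd/doors argument list."""
    flags = set(args)
    if "-sp800-131" not in flags:
        return Policy(False, frozenset(), frozenset(), False)  # nothing enforced
    protocols = {"TLSv1.2"}          # strict mode: TLS 1.2 only
    hashes = {"SHA2"}                # strict mode: SHA2 certificates only
    if "-allowTls10And11" in flags:  # transitional: also TLS 1.0 / 1.1
        protocols |= {"TLSv1.0", "TLSv1.1"}
    allow_sha1 = "-allowSha1" in flags
    if allow_sha1:                   # transitional: SHA1 certificates too
        hashes.add("SHA1")
    # Per the technote, -strictSha2 is ignored when -allowSha1 is used.
    strict_chain = "-strictSha2" in flags and not allow_sha1
    return Policy(True, frozenset(protocols), frozenset(hashes), strict_chain)

def hash_family(sig_alg):
    """Map an X.509 signature algorithm name to the family the switches use."""
    name = sig_alg.lower()
    if "sha1" in name:
        return "SHA1"
    if any(h in name for h in ("sha224", "sha256", "sha384", "sha512")):
        return "SHA2"
    return "OTHER"                   # e.g. md5: never acceptable

def check_chain(policy, chain):
    """chain: signature algorithm per certificate, end-entity first, root last.
    Returns the list of violations; an empty list means the chain is accepted."""
    if not policy.enforced:
        return []
    to_check = chain if policy.check_full_chain else chain[:1]  # end cert only
    return [f"cert[{i}] signed with {hash_family(a)}"
            for i, a in enumerate(to_check) if hash_family(a) not in policy.hashes]

def check_protocol(policy, version):
    """True if the negotiated TLS version is acceptable under the policy."""
    return not policy.enforced or version in policy.protocols

# Constructed sample chain: SHA2 end-entity and intermediate, SHA1-signed root,
# the case the technote describes for -strictSha2.
SAMPLE_CHAIN = ["sha256WithRSAEncryption", "sha256WithRSAEncryption",
                "sha1WithRSAEncryption"]
```

With SAMPLE_CHAIN, `-sp800-131` alone accepts the chain, `-sp800-131 -strictSha2` rejects it because of the SHA1 root, and adding `-allowSha1` makes it acceptable again since -strictSha2 is then ignored.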

Document information

More support for: Rational DOORS
Configuration

Software version: 9.5.1.2

Operating system(s): Linux, Windows

Reference #: 1644280

Modified date: 30 January 2015