Resolved from core fix pack 2
IBM Tivoli Netcool/OMNIbus, Version 7.4

Configuring the server components for SP800-131 enhanced encryption

You can configure SP800-131 enhanced encryption in the FIPS configuration file to enforce TLS 1.2 encryption for the server components that support FIPS 140-2 mode.

Before you begin

You must configure FIPS 140-2 mode before you can configure SP800-131 enhanced encryption. If you are using Java components, you must also configure the JRE for FIPS 140-2 mode.

Procedure

  1. Open the FIPS configuration file for editing. The FIPS configuration file is in the following directory:
    • For UNIX and Linux operating systems: $NCHOME/etc/security/fips.conf
    • For Windows operating systems: %NCHOME%\ini\security\fips.conf
  2. Add the following parameters to the fips.conf file:
    • SP800_131MODE=TRUE

      This parameter enables TLS 1.2.

      For Java components, this parameter also enables JSSE2 SP800-131 support ("transition" SP800-131 encryption). When both the SP800_131MODE and STRICT_CERTIFICATE_CHECK parameters are set to TRUE, "strict" SP800-131 encryption is enabled for Java.

    • TLS12_ONLY=TRUE

      This parameter disables all protocols except TLS 1.2. Use this setting only when the SP800_131MODE parameter is set to TRUE.

    • SHA2_CERTIFICATES_ONLY=TRUE

      This parameter enables TLS 1.2 Signature and Hash Algorithm Restrictions. Only server certificates that meet the restrictions are accepted. This parameter has no effect on Java components unless the STRICT_CERTIFICATE_CHECK parameter is also set to TRUE.

    • STRICT_CERTIFICATE_CHECK=TRUE

      This parameter enforces TLS 1.2 Signature and Hash Algorithm Restrictions on all certificates in the chain. Use this setting only when the SP800_131MODE and SHA2_CERTIFICATES_ONLY parameters are also set to TRUE.

      For Java components, use this setting only when the SP800_131MODE, TLS12_ONLY, and SHA2_CERTIFICATES_ONLY parameters are also set to TRUE.

Example

The following example shows how the parameters are listed in the FIPS configuration file. You can omit parameters that are not required by your operating environment.

SP800_131MODE=TRUE
TLS12_ONLY=TRUE
SHA2_CERTIFICATES_ONLY=TRUE
STRICT_CERTIFICATE_CHECK=TRUE
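The four parameters above only give you the protection you expect when they are set together in the combinations the procedure describes (TLS12_ONLY without SP800_131MODE, or STRICT_CERTIFICATE_CHECK without SHA2_CERTIFICATES_ONLY, is not a supported state). The following script is an added example, not an IBM tool: it parses the KEY=VALUE lines of a fips.conf file and reports any combination that contradicts the dependency rules stated in the procedure. The configuration text it checks is constructed inline; point parse_fips_conf at the contents of your own fips.conf to check a real file.

```python
"""Consistency check for the SP800-131 parameters in an OMNIbus fips.conf.

Added example (not IBM's own tooling). It applies the dependency rules given
in the procedure:
  - TLS12_ONLY=TRUE requires SP800_131MODE=TRUE
  - STRICT_CERTIFICATE_CHECK=TRUE requires SP800_131MODE=TRUE and
    SHA2_CERTIFICATES_ONLY=TRUE (for Java components, TLS12_ONLY=TRUE too)
  - SHA2_CERTIFICATES_ONLY=TRUE has no effect on Java components unless
    STRICT_CERTIFICATE_CHECK=TRUE (reported as a warning, not an error)
"""

SP800_PARAMS = ("SP800_131MODE", "TLS12_ONLY",
                "SHA2_CERTIFICATES_ONLY", "STRICT_CERTIFICATE_CHECK")

# Constructed sample inputs: one complete configuration and one partial one.
FULL_CONF = """# fips.conf (constructed example)
SP800_131MODE=TRUE
TLS12_ONLY=TRUE
SHA2_CERTIFICATES_ONLY=TRUE
STRICT_CERTIFICATE_CHECK=TRUE
"""
PARTIAL_CONF = """TLS12_ONLY=TRUE
SHA2_CERTIFICATES_ONLY=TRUE
"""


def parse_fips_conf(text):
    """Return {KEY: VALUE} from KEY=VALUE lines; blank and '#' lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed fips.conf line: {raw!r}")
        key, _, value = line.partition("=")
        params[key.strip().upper()] = value.strip().upper()
    return params


def is_true(params, key):
    """A parameter counts as set only when its value is exactly TRUE."""
    return params.get(key) == "TRUE"


def check_sp800_131(params, java=False):
    """Return (errors, warnings) for the SP800-131 parameter combination.

    Errors are combinations the procedure says not to use; warnings are
    settings that are allowed but ineffective for the component type.
    """
    errors, warnings = [], []

    # Values other than TRUE/FALSE are almost always typos in a hand-edited file.
    for key in SP800_PARAMS:
        if key in params and params[key] not in ("TRUE", "FALSE"):
            errors.append(f"{key} must be TRUE or FALSE, found {params[key]!r}")

    sp800 = is_true(params, "SP800_131MODE")
    tls12 = is_true(params, "TLS12_ONLY")
    sha2 = is_true(params, "SHA2_CERTIFICATES_ONLY")
    strict = is_true(params, "STRICT_CERTIFICATE_CHECK")

    if tls12 and not sp800:
        errors.append("TLS12_ONLY=TRUE requires SP800_131MODE=TRUE")

    if strict:
        required = [("SP800_131MODE", sp800), ("SHA2_CERTIFICATES_ONLY", sha2)]
        if java:
            required.append(("TLS12_ONLY", tls12))
        missing = [f"{key}=TRUE" for key, present in required if not present]
        if missing:
            errors.append("STRICT_CERTIFICATE_CHECK=TRUE requires "
                          + ", ".join(missing))

    if java and sha2 and not strict:
        warnings.append("SHA2_CERTIFICATES_ONLY=TRUE has no effect on Java "
                        "components unless STRICT_CERTIFICATE_CHECK=TRUE")

    return errors, warnings


if __name__ == "__main__":
    for name, text in (("full", FULL_CONF), ("partial", PARTIAL_CONF)):
        for java in (False, True):
            errs, warns = check_sp800_131(parse_fips_conf(text), java=java)
            label = f"{name} ({'Java' if java else 'native'})"
            print(label, "errors:", errs, "warnings:", warns)
```

Run it once with java=False for the native server components and once with java=True for the Java components, because the strict-mode prerequisites differ between the two.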

What to do next

If you set the SHA2_CERTIFICATES_ONLY or STRICT_CERTIFICATE_CHECK parameter, or both, to TRUE, you must use a key size and signing algorithm that is permitted by NIST SP800-131 when you generate or sign certificates with the nc_gskcmd certificate and key management utility.

For example, if you run nc_gskcmd with the -cert -create or -certreq -create command-line options, use the -size option to specify a key size of 2048 and the -sig_alg option to specify the SHA512_WITH_RSA signing algorithm.

If you run nc_gskcmd with the -cert -sign command-line option, use the -sig_alg option to specify the SHA512_WITH_RSA signing algorithm.