WebSphere eXtreme Scale security standards

[Version 8.6.0.5 and later]You can configure the product with TLS transport protection that complies with several security standards.

Federal Information Processing Standard (FIPS) 140-2 provides for certification of cryptography modules. The National Institute of Standards and Technology (NIST) has defined a standard for levels of protection with TLS, which is defined in Special Publications 800-131a (SP800-131a). Two levels of protection are defined, transition and strict. See The National Institute of Standards and Technology website for more information on the FIPS 140-2 and SP800-131a standards.

WebSphere® eXtreme Scale uses the security capabilities of the IBM® Java™ Runtime Environment (JRE) to support these standards. This JRE includes cryptographic modules which have been certified as FIPS 140-2 compliant. If you want to use FIPS encryption, and you run with Java 6, then you must use Java 6 SR15 or higher.

You can also configure Java virtual machines (JVMs) running WebSphere eXtreme Scale so that TLS is implemented in compliance with the SP800-131a at either the transition or strict levels when running with the eXtremeIO (XIO) transport. It is possible to use FIPS compliant cryptography from the IBM JRE while supporting SP800-131a at either the transition or strict levels. To configure FIPS 140-2, see Configuring WebSphere eXtreme Scale to use FIPS 140-2.

SP800-131a transition mode requires that the TLS handshake be TLSv1 or later. The SSLv3 handshake protocol is not permitted by the standard. SP800-131a transition also has requirements for the certificates to be used. When you configure a keystore to be used by eXtreme Scale in SP800-131a transition mode, the certificate key must be at least 1024 bits for RSA or DSA keys, or at least 160 bits for Elliptical Curve (EC) keys. If a non-compliant certificate is specified, TLS communication will not work. The signature algorithm for the certificate must be one of the following:
  • SHA1withDSA
  • SHA256withDSA
  • SHA1withRSA
  • SHA256withRSA
  • SHA384withRSA
  • SHA512withRSA
  • SHA1withECDSA
  • SHA256withECDSA
  • SHA384withECDSA
  • SHA512withECDSA
SP800-131a strict mode requires that the TLS handshake be TLSv1.2. Other handshake protocols are not permitted by the standard. Not all web browsers support TLSv1.2, and those that do may require specific configuration steps to enable it. At this time, current levels of Microsoft Internet Explorer and Google Chrome do support TLSv1.2, although specific configuration steps may be required to enable this support. If you enable the eXtreme Scale monitoring console to run in SP800-131a strict mode, you must be sure to use a browser that supports TLSv1.2. SP800-131a strict mode also further restricts the certificates to be used. When you configure a keystore to be used by eXtreme Scale in SP800-131a strict mode, the certificate key must be at least 2048 bits for RSA or DSA keys, or at least 224 bits for EC keys. The signature algorithm for the certificate must be one of the following:
  • SHA256withDSA
  • SHA256withRSA
  • SHA384withRSA
  • SHA512withRSA
  • SHA256withECDSA
  • SHA384withECDSA
  • SHA512withECDSA
Restriction: You can use FIPS data encryption with the TLSv1 protocol only.

SP800-131a transition and strict modes also specify which TLS cipher suites are permitted in each mode. A compliant cipher suite will be negotiated by the TLS exchange when the product JVM is configured in one of these modes. For more information about configuring SP800-131a compliance, see Configuring WebSphere eXtreme Scale to use NIST SP800-131a.

Properties used to enable the security standards

The IBM virtual machine for Java (JVM) runs in a given security mode based on system properties. When you start a WebSphere eXtreme Scale catalog or container server running standalone, you set these system properties according to the FIPS 140-2 and SP800-131a mode you need.

Table 1. JVM system properties to enable the security standard
Security standard System property to enable Valid values
FIPS 140-2 com.ibm.jsse2.usefipsprovider=true true or false
SP800-131-transition com.ibm.jsse2.sp800-131=transition transition or strict
SP800-131-strict com.ibm.jsse2.sp800-131=strict strict
Tip: If you need to disable SP800-131a support, for troubleshooting for example, then you can set the following security argument: com.ibm.jsse2.sp800-131=off.

When you start a WebSphere eXtreme Scale catalog or container within the WebSphere Application Server process, it inherits the FIPS 140-2 setting, the SP800-131a setting, or both for that WebSphere Application Server process.