The National Institute of Standards and Technology (NIST) published Special Publication 800-131a (SP800-131a), which defines a standard for levels of data protection with Transport Layer Security (TLS). Complete the steps in this task to configure NIST SP800-131a in WebSphere® eXtreme Scale.
Before you begin
To configure a WebSphere eXtreme Scale server to run in SP800-131a mode, you must be running with a level of the IBM JDK that supports SP800-131a. The minimum levels of the IBM JDK are Java 6 SR10, Java 6.0.1 SR2, or Java 7. If you want to use FIPS encryption and you run with Java 6, you must use Java 6 SR15 or higher.
About this task
The SP800-131a specification requires longer key lengths and stronger cryptography. It provides two modes, transition and strict, so that you can either enforce SP800-131a strictly from the start or use the transition mode first, if needed. You can use FIPS-compliant cryptography from the Java Runtime Environment (JRE) that IBM provides and support SP800-131a at the transition level. To configure FIPS 140-2, see Configuring WebSphere eXtreme Scale to use FIPS 140-2.
Restriction: You can use FIPS data encryption with the TLSv1 protocol only.
Procedure
- Edit the Secure Sockets Layer (SSL) configuration in the security server properties file for the catalog server and container servers to use a valid protocol for SP800-131a support. These files must contain the following properties and values:
contextProvider=IBMJSSE2
transportType=SSL-Required
SP800-131=transition|strict
For SP800-131a transition mode, you can set the protocol property to TLS, TLSv1, or TLSv1.2; for example:
protocol=TLSv1
For SP800-131a strict mode, set the protocol property to TLSv1.2, which is the only valid value for strict mode; for example:
protocol=TLSv1.2
For more information about the security server properties, see Server properties file.
See the following example of an SSL configuration from a server properties file that includes support for SP800-131a strict mode:
#------------------------------------------------------------------------------
# Transport Layer Security Configuration
#
# SSL-Supported is supported since 6.1.0.3, and SSL-Required is supported since 6.1.0.5
#
# This is also where you enable SSL client certificate authentication.
#
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Set the transport this server supports. The possible values are:
# TCP/IP : the server only supports TCP/IP connections.
# SSL-Supported* : the server supports both TCP/IP and SSL connections.
# SSL-Required : the server only supports SSL connections.
#
# The default value is SSL-Supported.
#
# Uncomment this property to set the transport type.
#------------------------------------------------------------------------------
#transportType=SSL-Required
#------------------------------------------------------------------------------
# SSL Configuration
#
# - alias (alias name in the key store)
# - contextProvider (IBMJSSE2, IBMJSSEFIPS, etc.)
# - protocol (SSL, SSLv3, TLS, TLSv1, TLSv1.2)
# - keyStoreType (JKS, JCEK, PKCS12, etc.)
# - trustStoreType (JKS, JCEK, PKCS12, etc.)
# - keyStore (fully qualified path to key store file)
# - trustStore (fully qualified path to trust store file)
# - alias (string specifying ssl certificate alias to use from keyStore)
# - keyStorePassword (string specifying password to the key store - encoded or not)
# - trustStorePassword (string specifying password to the trust store - encoded or not)
# - clientAuthentication (set to be true when server needs to authenticate/trust the client. Set to be false if using C# clients)
# - SP800-131 (specifies the SP800-131a mode that is in use for data protection.)
# Uncomment these properties to set the SSL configuration.
#------------------------------------------------------------------------------
#alias=serverprivate
#contextProvider=IBMJSSE2
#protocol=TLSv1.2
#keyStoreType=JKS
#keyStore=etc/test/security/server.private
#keyStorePassword=serverpw
#trustStoreType=JKS
#trustStore=etc/test/security/client.public
#trustStorePassword=public
#clientAuthentication=false
#SP800-131=strict
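The following Go program is an added example; it is not part of this page or of the WebSphere eXtreme Scale product. It reads a server properties file the way the commented template above is read (lines starting with # or ! are ignored, so a commented-out property does not take effect) and flags combinations that contradict the rules of this step and of the Restriction in About this task: strict mode requires protocol=TLSv1.2, transition mode accepts TLS, TLSv1 or TLSv1.2, the transport must be SSL-Required, and FIPS data encryption (contextProvider=IBMJSSEFIPS, a value taken from the template's comment) works with TLSv1 only, which rules out combining it with strict mode. The sample properties are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample (not the page's own file): the TLS subset of a server
// properties file in which the SP800-131 mode and the protocol disagree.
const sampleProps = `
# Transport Layer Security Configuration
transportType=SSL-Required
contextProvider=IBMJSSE2
protocol=TLSv1
SP800-131=strict
#protocol=TLSv1.2   (commented out, so it does not take effect)
`

// ParseProps reads Java-style key=value lines, ignoring blank lines and lines
// commented with # or !, which is why a commented template configures nothing.
func ParseProps(text string) map[string]string {
	props := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "!") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		props[strings.TrimSpace(key)] = strings.TrimSpace(val)
	}
	return props
}

// LintSP800131 returns every inconsistency between the SP800-131 mode and the
// other TLS properties, following the rules stated on this page.
func LintSP800131(p map[string]string) []string {
	var findings []string
	mode, proto, provider := p["SP800-131"], p["protocol"], p["contextProvider"]

	switch mode {
	case "":
		// Mode may instead come from -Dcom.ibm.jsse2.sp800-131; nothing to check here.
	case "transition":
		if proto != "TLS" && proto != "TLSv1" && proto != "TLSv1.2" {
			findings = append(findings, fmt.Sprintf("protocol=%q is not valid for transition mode (TLS, TLSv1 or TLSv1.2)", proto))
		}
	case "strict":
		if proto != "TLSv1.2" {
			findings = append(findings, fmt.Sprintf("protocol=%q: strict mode requires protocol=TLSv1.2", proto))
		}
	default:
		findings = append(findings, fmt.Sprintf("SP800-131=%q is not a recognised mode (transition|strict)", mode))
	}
	if mode != "" && p["transportType"] != "SSL-Required" {
		findings = append(findings, fmt.Sprintf("transportType=%q: SP800-131 configuration calls for SSL-Required", p["transportType"]))
	}
	switch provider {
	case "IBMJSSE2":
		// The provider the page requires for SP800-131a support.
	case "IBMJSSEFIPS":
		if proto != "TLSv1" {
			findings = append(findings, fmt.Sprintf("protocol=%q: FIPS data encryption is supported with TLSv1 only", proto))
		}
		if mode == "strict" {
			findings = append(findings, "SP800-131=strict cannot be combined with FIPS, which requires TLSv1")
		}
	default:
		if mode != "" {
			findings = append(findings, fmt.Sprintf("contextProvider=%q: SP800-131 configuration calls for IBMJSSE2", provider))
		}
	}
	return findings
}

func main() {
	for _, f := range LintSP800131(ParseProps(sampleProps)) {
		fmt.Println("finding:", f)
	}
}
```

Run against the constructed sample, the program reports one finding: the file asks for strict mode but leaves protocol=TLSv1 active while the TLSv1.2 line is still commented out, which is exactly the slip a fully commented template invites.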
- Configure a keystore with a certificate and key pair that complies with the SP800-131a mode that is used.
When you configure a keystore to be used by eXtreme Scale in SP800-131a transition mode, the minimum key length is 1024 bits for RSA or DSA keys and 160 bits for Elliptic Curve (EC) keys. The signature algorithm for the certificate must be one of the following algorithms:
- SHA1withDSA
- SHA256withDSA
- SHA1withRSA
- SHA256withRSA
- SHA384withRSA
- SHA512withRSA
- SHA1withECDSA
- SHA256withECDSA
- SHA384withECDSA
- SHA512withECDSA
When you configure a keystore to be used by eXtreme Scale in SP800-131a strict mode, the certificate key must be at least 2048 bits for RSA or DSA keys, or at least 224 bits for EC keys. The signature algorithm for the certificate must be one of the following algorithms:
- SHA256withDSA
- SHA256withRSA
- SHA384withRSA
- SHA512withRSA
- SHA256withECDSA
- SHA384withECDSA
- SHA512withECDSA
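As an added example (not code from this page or from the product), the following Go program applies the key-length and signature-algorithm rules of this step to X.509 certificates, the same checks you would otherwise make by reading a keystore entry with keytool. It generates a constructed 1024-bit RSA key and a P-256 EC key, self-signs each with SHA-256, and reports what fails in each mode. Go's x509 constants stand in for the Java algorithm names listed above (SHA256withRSA on the page is x509.SHA256WithRSA); DSA keys are not covered by the example, and the certificate subject name is constructed.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Minimum key lengths per mode as the page states them, by key type.
var minKeyBits = map[string]map[string]int{
	"transition": {"RSA": 1024, "EC": 160},
	"strict":     {"RSA": 2048, "EC": 224},
}

// Signature algorithms the page lists per mode, as Go x509 constants.
var allowedSigs = map[string]map[x509.SignatureAlgorithm]bool{
	"transition": {
		x509.DSAWithSHA1: true, x509.DSAWithSHA256: true,
		x509.SHA1WithRSA: true, x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
		x509.ECDSAWithSHA1: true, x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
	},
	"strict": {
		x509.DSAWithSHA256: true,
		x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
		x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
	},
}

// CheckCert reports why a certificate would not satisfy the mode: a key shorter
// than the minimum, or a signature algorithm outside the list (RSA and EC only).
func CheckCert(mode string, cert *x509.Certificate) []string {
	var problems []string
	kind, bits := "", 0
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		kind, bits = "RSA", k.N.BitLen()
	case *ecdsa.PublicKey:
		kind, bits = "EC", k.Curve.Params().BitSize
	default:
		return []string{fmt.Sprintf("unsupported key type %T", cert.PublicKey)}
	}
	if minimum := minKeyBits[mode][kind]; bits < minimum {
		problems = append(problems, fmt.Sprintf("%d-bit %s key is below the %d-bit minimum for %s mode", bits, kind, minimum, mode))
	}
	if !allowedSigs[mode][cert.SignatureAlgorithm] {
		problems = append(problems, fmt.Sprintf("signature algorithm %s is not permitted in %s mode", cert.SignatureAlgorithm, mode))
	}
	return problems
}

// newSelfSigned issues a throwaway self-signed certificate for key so the
// checks can run without a keystore; the subject name is constructed.
func newSelfSigned(key crypto.Signer, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "example-xs-server"},
		NotBefore:          time.Now(),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckSampleKeys generates a 1024-bit RSA key and a P-256 EC key, signs each
// with SHA-256, and returns the number of problems found per "key/mode".
func CheckSampleKeys() (map[string]int, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	samples := []struct {
		name string
		key  crypto.Signer
		alg  x509.SignatureAlgorithm
	}{{"rsa1024", rsaKey, x509.SHA256WithRSA}, {"ecP256", ecKey, x509.ECDSAWithSHA256}}
	out := map[string]int{}
	for _, s := range samples {
		cert, err := newSelfSigned(s.key, s.alg)
		if err != nil {
			return nil, err
		}
		for _, mode := range []string{"transition", "strict"} {
			out[s.name+"/"+mode] = len(CheckCert(mode, cert))
		}
	}
	return out, nil
}

func main() {
	res, err := CheckSampleKeys()
	fmt.Println(res, err) // rsa1024 fails strict on key length; everything else passes
}
```

The 1024-bit RSA key signed with SHA256withRSA is acceptable in transition mode but fails strict mode on key length alone, while the P-256 key (256 bits, above the 224-bit strict minimum) signed with SHA256withECDSA passes both; a SHA-1 signature would additionally fail the strict-mode algorithm check.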
- Restart your catalog and container servers.
When you start the catalog servers and container servers, you must either specify one of the following Java virtual machine (JVM) arguments or set the SP800-131 option in the security server properties file. If the SP800-131 property is set and the -Dcom.ibm.jsse2.sp800-131 argument is also configured when you start the server, the JVM setting overrides the SP800-131 option that is configured in the security server properties.
- For SP800-131a transition mode, specify the -Dcom.ibm.jsse2.sp800-131=transition JVM argument when you start the server.
- For SP800-131a strict mode, specify the -Dcom.ibm.jsse2.sp800-131=strict JVM argument when you start the server.
Note: When WebSphere eXtreme Scale is configured to run with the ORB transport, you cannot configure SSL to use both SP800-131a data protection and FIPS encryption concurrently. For the ORB transport, you can configure FIPS 140-2 or SP800-131a compliance, but not both at the same time. Running with both security standards is allowed only when eXtreme Scale is configured to run with the eXtremeIO (XIO) transport.
For more information, see Starting and stopping secure servers.