[Version 8.6.0.5 and later]

Configuring WebSphere eXtreme Scale to use NIST SP800-131a

The National Institute of Standards and Technology (NIST) published Special Publication 800-131a (SP800-131a), which defines a standard for levels of data protection with transport layer security (TLS). Complete the steps in this task to configure NIST SP800-131a in WebSphere® eXtreme Scale.

Before you begin

To configure a WebSphere eXtreme Scale server to run in SP800-131a mode, you must be running a level of the IBM JDK that supports SP800-131a. The minimum IBM JDK levels are Java 6 SR10, Java 6.0.1 SR2, or Java 7.

If you want to use FIPS encryption and you run with Java 6, you must use Java 6 SR15 or later.

About this task

The SP800-131a specification requires longer key lengths and stronger cryptography. It provides two modes, transition and strict, so that you can either move directly to strict enforcement of SP800-131a or use the transition mode first, if needed. You can use FIPS-compliant cryptography from the Java Runtime Environment (JRE) that IBM provides and support SP800-131a at the transition level. To configure FIPS 140-2, see Configuring WebSphere eXtreme Scale to use FIPS 140-2.
Restriction: You can use FIPS data encryption with the TLSv1 protocol only.
Remember: The procedure for configuring NIST SP800-131a support is different when WebSphere eXtreme Scale clients and servers run with WebSphere Application Server. To configure clients and servers to run with WebSphere Application Server see Configuring WebSphere eXtreme Scale for WebSphere Application Server for NIST SP800-131a.

Procedure

  1. Edit the Secure Sockets Layer (SSL) configuration in the security server properties file for the catalog server and container servers to use a valid protocol for SP800-131a support.
    These files must contain the following properties and values:
    contextProvider=IBMJSSE2
    transportType=SSL-Required
    SP800-131=transition|strict
    For SP800-131a transition mode, you can set the protocol property to TLS, TLSv1, or TLSv1.2; for example:
    protocol=TLSv1
    For SP800-131a strict mode, set the protocol property to TLSv1.2, which is the only valid value for strict mode; for example:
    protocol=TLSv1.2

    For more information about the security server properties, see Server properties file.

    See the following example of an SSL configuration from a server properties file that includes support for SP800-131a strict mode:
    #------------------------------------------------------------------------------
    # Transport Layer Security Configuration
    #
    # SSL-Supported is supported since 6.1.0.3, and SSL-Required is supported since 6.1.0.5
    #
    # This is also where you enable SSL client certificate authentication.
    #
    #------------------------------------------------------------------------------
    
    #------------------------------------------------------------------------------
    # Set the transport this server supports. The possible values are:
    #   TCP/IP         : the server only supports TCP/IP connections.
    #   SSL-Supported* : the server supports both TCP/IP and SSL connections.
    #   SSL-Required   : the server only supports SSL connections.
    #
    # The default value is SSL-Supported.
    #
    # Uncomment this property to set the transport type.
    #------------------------------------------------------------------------------
    #transportType =SSL-Required
    
    #------------------------------------------------------------------------------
    # SSL Configuration
    #
    # - alias                (alias name in the key store)
    # - contextProvider      (IBMJSSE2, IBMJSSEFIPS, etc.)
    # - protocol             (SSL, SSLv3, TLS, TLSv1, TLSv1.2)
    # - keyStoreType         (JKS, JCEK, PKCS12, etc.)
    # - trustStoreType       (JKS, JCEK, PKCS12, etc.)
    # - keyStore             (fully qualified path to key store file)
    # - trustStore           (fully qualified path to trust store file)
    # - alias                (string specifying ssl certificate alias to use from keyStore)
    # - keyStorePassword     (string specifying password to the key store - encoded or not)
    # - trustStorePassword   (string specifying password to the trust store - encoded or not)
    # - clientAuthentication (set to be true when server needs to authenticate/trust the client. Set to be false if using C# clients)
    # - SP800-131            (specifies the SP800-131a mode that is in use for data protection.)
    # Uncomment these properties to set the SSL configuration.
    #------------------------------------------------------------------------------
    
    #alias=serverprivate
    #contextProvider=IBMJSSE2
    #protocol=TLSv1.2
    #keyStoreType=JKS
    #keyStore=etc/test/security/server.private
    #keyStorePassword=serverpw
    #trustStoreType=JKS
    #trustStore=etc/test/security/client.public
    #trustStorePassword=public
    #clientAuthentication=false
    #SP800-131=strict
  2. Configure a keystore with a certificate and key pair that complies with the SP800-131a mode that is used.
    When you configure a keystore to be used by eXtreme Scale in SP800-131a transition mode, the minimum key length is 1024 bits for RSA or DSA keys and 160 bits for Elliptic Curve (EC) keys. The signature algorithm for the certificate must be one of the following algorithms:
    • SHA1withDSA
    • SHA256withDSA
    • SHA1withRSA
    • SHA256withRSA
    • SHA384withRSA
    • SHA512withRSA
    • SHA1withECDSA
    • SHA256withECDSA
    • SHA384withECDSA
    • SHA512withECDSA
    When you configure a keystore to be used by eXtreme Scale in SP800-131a strict mode, the certificate key must be at least 2048 bits for RSA or DSA keys, or at least 224 bits for EC keys. The signature algorithm for the certificate must be one of the following algorithms:
    • SHA256withDSA
    • SHA256withRSA
    • SHA384withRSA
    • SHA512withRSA
    • SHA256withECDSA
    • SHA384withECDSA
    • SHA512withECDSA
  3. Restart your catalog and container servers.
    When you start the catalog servers and container servers, you must either specify one of the following Java virtual machine (JVM) arguments or set the SP800-131 property in the security server properties file. If the SP800-131 property is set and the -Dcom.ibm.jsse2.sp800-131 argument is also specified when you start the server, the JVM argument overrides the SP800-131 property in the security server properties file.
    • For SP800-131a transition mode, specify the -Dcom.ibm.jsse2.sp800-131=transition JVM argument when you start the server.
    • For SP800-131a strict mode, specify the -Dcom.ibm.jsse2.sp800-131=strict JVM argument when you start the server.
    Note: When WebSphere eXtreme Scale is configured to run with the ORB transport, you cannot configure SSL to use both SP800-131a data protection and FIPS encryption concurrently. For ORB transport, you can configure FIPS 140-2 or SP800-131a compliance, but not both at the same time. Running with both security standards is only allowed when eXtreme Scale is configured to run with the eXtremeIO (XIO) transport.
    For more information, see Starting and stopping secure servers.
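    As an added example that is not IBM's code, the following Python script encodes the rules from steps 1 to 3 above, so that a security server properties file, the JVM override, and the keystore certificate's key size and signature algorithm can be checked before the servers are restarted. The sample properties text is constructed, and the certificate values passed to check_certificate are assumed to have been read from keytool -list -v output.

```python
"""Checks for the SP800-131a settings described on this page (steps 1 to 3).
Added example, not IBM's code; the sample properties text below is constructed."""
import re
# Step 1: protocol values allowed per mode. Step 2: minimum key bits and signature algorithms.
ALLOWED_PROTOCOL = {"transition": {"TLS", "TLSv1", "TLSv1.2"}, "strict": {"TLSv1.2"}}
MIN_KEY_BITS = {"transition": {"RSA": 1024, "DSA": 1024, "EC": 160},
                "strict": {"RSA": 2048, "DSA": 2048, "EC": 224}}
STRICT_SIG_ALGS = {"SHA256withDSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
                   "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA"}
# Transition mode additionally accepts the SHA-1 signatures listed on the page.
SIG_ALGS = {"strict": STRICT_SIG_ALGS,
            "transition": STRICT_SIG_ALGS | {"SHA1withDSA", "SHA1withRSA", "SHA1withECDSA"}}

def parse_properties(text):
    """Minimal Java .properties reader: blank lines and #/! comment lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m: props[m.group(1)] = m.group(2)
    return props

def effective_mode(props, jvm_args=()):
    """Step 3: a -Dcom.ibm.jsse2.sp800-131 JVM argument overrides the file's SP800-131 property."""
    override = [a.split("=", 1)[1] for a in jvm_args if a.startswith("-Dcom.ibm.jsse2.sp800-131=")]
    return override[-1] if override else props.get("SP800-131")

def check_ssl_config(props, jvm_args=()):
    """Return findings for step 1's property rules; an empty list means the file passes."""
    mode = effective_mode(props, jvm_args)
    if mode not in ALLOWED_PROTOCOL:
        return [f"SP800-131 mode missing or invalid: {mode!r}"]
    findings = [f"{k} must be {v}" for k, v in
                (("contextProvider", "IBMJSSE2"), ("transportType", "SSL-Required"))
                if props.get(k) != v]
    if props.get("protocol") not in ALLOWED_PROTOCOL[mode]:
        findings.append(f"protocol {props.get('protocol')!r} is not valid in {mode} mode")
    return findings

def check_certificate(mode, key_alg, key_bits, sig_alg):
    """Apply step 2's limits to values read from the keystore (assumed from keytool -list -v)."""
    findings = []
    if key_bits < MIN_KEY_BITS[mode][key_alg]:
        findings.append(f"{key_alg} key of {key_bits} bits is below the {mode} minimum")
    if sig_alg not in SIG_ALGS[mode]:
        findings.append(f"{sig_alg} is not a permitted signature algorithm in {mode} mode")
    return findings

# Constructed sample file: valid for transition mode, but TLSv1 is rejected once strict is forced.
SAMPLE = "contextProvider=IBMJSSE2\ntransportType=SSL-Required\nprotocol=TLSv1\nSP800-131=transition\n"
```

    Passing the JVM argument list that the server is started with shows whether a strict override would make the file's TLSv1 setting invalid before the restart in step 3.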