[Version 8.6.0.5 and later]

Configuring the web console for NIST SP800-131a compliance

You can configure the web console to support the National Institute of Standards and Technology (NIST) SP800-131a security standard. SP800-131a requires longer key lengths and stronger cryptography than other standards. You can run SP800-131a in two modes: transition and strict. Use the transition mode to move gradually towards a strict enforcement of SP800-131a. The transition mode allows the use of weaker keys and algorithms than strict enforcement.

Before you begin

About this task

Edit the web console HTTPS configuration so that web browsers can connect to the console with a keystore certificate and a transport encryption protocol that support SP800-131a compliance.

Procedure

  1. Edit the web console configuration.
    Click Settings > Configuration > System.
  2. Upload a new keystore with a certificate that complies with the SP800-131a mode that is used.
    1. Click Upload new keystore to replace the default keystore certificate that is in either:
      • [Unix] wxs_install_root/ObjectGrid/console/keystores

      • [Windows] wxs_install_root\ObjectGrid\console\keystores

    2. Specify the password for the keystore.
    3. From the Certificate alias drop-down list, select the alias that is associated with your SP800-131a-compliant keystore file.
  3. Select a valid transport protocol and an SP800-131a compliance mode. You can run SP800-131a in two modes: transition and strict. Use the transition mode to move gradually towards a strict enforcement of SP800-131a. The transition mode allows the use of weaker keys and algorithms than strict enforcement.
    1. From the TLS Transport Protocol list, select one of the following transport types:
      • TLSv1 - Specifies a transport protocol version that supports only a transition mode of compliance.
      • TLSv1.2 - Specifies a transport protocol version that supports both a transition and a strict mode of compliance.
    2. Depending on the transport protocol that is selected, select one of the following options from the SP800-131a Compliance list:
      • transition
      • strict
      • OFF
  4. Restart the server to use the new transport protocol and SP800-131a compliance mode.
    Important: After the web console is restarted, you might not be able to connect. There can be several reasons for this. For example, your browser might not support SP800-131a or the TLSv1.2 protocol. To reset the HTTPS settings that are configured for the web console, shut down the console and then rename the wxs_install_root/ObjectGrid/console/config/https-config.config file. After the file is renamed, start the console again. All previously modified HTTPS settings are cleared and reset to defaults.
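
A check you can run before uploading the keystore in step 2 and choosing the mode in step 3, given as an added example that is not part of the original documentation. It parses `keytool -list -v` output for the chosen alias and reports why a protocol and certificate choice would not fit the selected mode. The function names, the sample text, the keytool output layout (taken from OpenJDK) and the strict-mode thresholds (taken from NIST SP 800-131A, not from this page) are assumptions.

```python
import re

# Assumed strict-mode floors from NIST SP 800-131A (112-bit strength), not
# stated on this page: RSA/DSA >= 2048 bits, EC >= 224 bits, SHA-2 signatures.
MIN_BITS = {"RSA": 2048, "DSA": 2048, "EC": 224}
SHA2 = ("SHA224", "SHA256", "SHA384", "SHA512")

# Constructed sample of `keytool -list -v` output (layout assumed from OpenJDK).
SAMPLE = """\
Alias name: default
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Alias name: nist
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
"""

def parse_keytool(text):
    """Map each alias to the signature algorithm and key of its first certificate."""
    certs, alias = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            certs[alias] = {}
        elif alias and line.startswith("Signature algorithm name:"):
            certs[alias].setdefault("sig", line.split(":", 1)[1].strip())
        elif alias and (m := re.match(r"Subject Public Key Algorithm: (\d+)-bit (\w+)", line)):
            certs[alias].setdefault("key", (int(m.group(1)), m.group(2)))
    return certs

def findings(protocol, mode, alias, keytool_text):
    """Return the reasons this protocol/alias choice does not fit the selected mode."""
    out = []
    if mode == "strict" and protocol != "TLSv1.2":
        out.append(f"{protocol} supports only transition mode")  # step 3 on the page
    cert = parse_keytool(keytool_text).get(alias, {})
    if "sig" not in cert or "key" not in cert:
        return out + [f"alias {alias!r} not found or not parseable"]
    if mode == "strict":  # transition tolerates weaker keys, so it is not checked here
        bits, kind = cert["key"]
        if bits < MIN_BITS.get(kind, 2048):
            out.append(f"{bits}-bit {kind} key below strict floor")
        if not cert["sig"].upper().startswith(SHA2):
            out.append(f"signature {cert['sig']} is not SHA-2")
    return out

if __name__ == "__main__":
    for name in ("default", "nist"):
        print(name, findings("TLSv1.2", "strict", name, SAMPLE) or "ok")
```

Only the first certificate under each alias is inspected, and a signature algorithm name that does not begin with a SHA-2 digest name (for example RSASSA-PSS) is reported and needs a manual look.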