[.net programming language only]

Configuring NIST SP800-131a for .NET applications

[Version 8.6.0.5 and later] The National Institute of Standards and Technology (NIST) published Special Publication 800-131a (SP800-131a), which defines a standard for levels of data protection with transport layer security (TLS). Complete the steps in this task to configure NIST SP800-131a for .NET applications in WebSphere® eXtreme Scale.

Before you begin

The following prerequisites apply when you configure .NET applications for NIST SP800-131a compliance:
  • You must configure both catalog and container servers to support NIST SP800-131a algorithms.
  • [Windows] For reference, the algorithms required for NIST SP800-131a compliance are available in Windows Vista, Windows Server 2008, and later releases, such as Windows Server 2008 R2 and Windows Server 2012 R2.
  • The required TLSv1.1 and TLSv1.2 protocols are supported only by .NET Framework 4.5 or later.
  • The .NET client supports .NET Framework 3.5 and 4.0; however, NIST SP800-131a compliance is not possible with those versions of the .NET Framework.

About this task

Specify a transport encryption protocol that supports NIST SP800-131a compliance. When the negotiated transport encryption protocol is TLSv1.2, the encryption, hashing, and signing algorithms that it uses are restricted to FIPS-compliant algorithms in the .NET Framework.

NIST SP800-131a compliance depends on the WebSphere eXtreme Scale server configuration. The client relies on the server to enforce successful SSL handshakes that use only NIST-compliant algorithms. The client does not check the server certificate for compliance. Instead, the client relies on the server to verify the algorithms and strengths that were used to create the server certificate.

Procedure

  1. Edit the client properties file and set the transportType property to SSL-Required; for example:
    transportType=SSL-Required
  2. Edit the client properties file and specify a valid value for the transport protocol for NIST SP800-131a compliance.
    For example, for SP800-131a transition mode, set the protocol property to Tlsv11:
    protocol=Tlsv11
    For example, for SP800-131a strict mode, set the protocol property to Tlsv12:
    protocol=Tlsv12
    Important: The Tlsv12 setting is required for NIST SP800-131a strict compliance. A connection timeout exception occurs when the .NET runtime is earlier than .NET Framework 4.5.
    When the protocol is set to either Tlsv11 or Tlsv12, the client does not fall back to any earlier version of TLS or SSL. The server transport encryption protocol must exactly match the .NET client protocol.
  3. [Windows] Configure the Windows operating system to use only FIPS-compliant algorithms.
    Important: This policy is not limited to your .NET applications; it applies to the entire Windows operating system. Other Windows applications can then connect only to applications and systems that use FIPS-compliant algorithms. If a Windows application attempts to connect to a non-FIPS-compliant system, the connection fails.
    1. Click Start > Run.
    2. Type secpol.msc.
    3. Locate the System Cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy.
      In most Windows environments, this policy is in the Local Policies > Security Options folder.
    4. Right-click the policy and select Properties.
    5. Click Enabled.
    6. Click Apply, and then click OK.
    7. Restart the .NET applications to enable FIPS-compliant security algorithms.
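The following Windows PowerShell 5.1 script is an added check, not part of the WebSphere eXtreme Scale product or this documentation: it reads the client properties file, classifies the configured mode, and verifies the .NET Framework and Windows FIPS policy prerequisites from the steps above. The properties file path in the usage line is an assumption.

```powershell
# Added example: verify the WXS .NET client settings and Windows prerequisites described above.
function Test-WxsNistClientConfig {
    param([Parameter(Mandatory)][string]$PropertiesPath)

    # Parse key=value lines; lines starting with '#' are comments in properties files.
    $props = @{}
    foreach ($line in Get-Content -Path $PropertiesPath) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#') -or $t.IndexOf('=') -lt 0) { continue }
        $i = $t.IndexOf('=')
        $props[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim()
    }

    $findings = New-Object System.Collections.Generic.List[string]

    # Step 1: the transport must require SSL.
    if ($props['transportType'] -ne 'SSL-Required') {
        $findings.Add("transportType is '$($props['transportType'])', expected 'SSL-Required'")
    }

    # Step 2: the protocol decides the mode; no other value is SP800-131a compliant.
    switch ($props['protocol']) {
        'Tlsv12' { $mode = 'Strict' }
        'Tlsv11' { $mode = 'Transition' }
        default  { $mode = 'NonCompliant'; $findings.Add("protocol is '$($props['protocol'])', expected Tlsv11 or Tlsv12") }
    }

    # Tlsv11/Tlsv12 require .NET Framework 4.5 or later; Release 378389 is the 4.5 RTM marker.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    if (-not $ndp -or $ndp.Release -lt 378389) {
        $findings.Add('.NET Framework 4.5 or later is not installed; Tlsv11/Tlsv12 connections will time out')
    }

    # Step 3: the policy toggled in secpol.msc is stored under this key, and the CLR
    # exposes the same setting through CryptoConfig.AllowOnlyFipsAlgorithms.
    $fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -ErrorAction SilentlyContinue
    $fipsOn = ($fips -and $fips.Enabled -eq 1) -and [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    if (-not $fipsOn) { $findings.Add('Windows FIPS-compliant algorithms policy is not enabled') }

    [pscustomobject]@{
        Mode      = $mode
        Compliant = ($mode -ne 'NonCompliant' -and $findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage; the path is an assumption, point it at your client properties file.
Test-WxsNistClientConfig -PropertiesPath 'C:\wxs\client.properties'
```

A result with Compliant = True and Mode = Strict corresponds to the SP800-131a strict configuration; a Transition result means Tlsv11 is still in use.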

What to do next

Check the log file for your .NET application to confirm that the NIST security policy is enabled.