The National Institute of Standards
and Technology (NIST) published Special Publication 800-131A (SP800-131a),
which specifies which cryptographic algorithms and key lengths are acceptable
and a transition period for retiring the weaker ones. WebSphere Application Server
implements this as a transition mode and a strict mode for transport
layer security (TLS). Use this task to configure catalog and container
servers that run in WebSphere® Application Server for
NIST SP800-131a security.
About this task
You must first configure WebSphere Application Server for either transition or
strict mode SP800-131a compliance. Then, you must edit the WebSphere eXtreme Scale server properties file:
specify a valid context provider, transport type, and
SP800-131 compliance mode so that the catalog server uses the same
level of compliance as the application server, and specify a transport protocol
that matches what is configured in WebSphere Application Server. Restart the
container and catalog servers for the settings to take effect. After SP800-131a compliance is enabled,
WebSphere eXtreme Scale application servers, container servers, and catalog servers
can run in WebSphere Application Server. To run the
web console in WebSphere Application Server as well,
you must also edit the client properties file to specify the same
level of SP800-131a compliance.
Procedure
- Configure WebSphere Application Server for
NIST SP800-131a.
- Edit the server properties file and specify a valid context
provider, transport type, and an SP800-131 compliance mode.
The file must contain the following properties and values, uncommented (a leading # disables a line), with SP800-131 set to either transition or strict:
contextProvider=IBMJSSE2
transportType=SSL-Required
SP800-131=transition|strict
- Edit the server properties file and specify a valid value
for the transport protocol for SP800-131a compliance.
For example, for SP800-131a transition mode, set the protocol property
to TLS or TLSv1.2:
protocol=TLSv1.2
Important: If you configured transition mode and selected the Update
SSL configuration to require TLSv1.2 check box in the WebSphere Application Server administrative console,
then you must set the protocol property to TLSv1.2.
For SP800-131a strict mode, set the protocol property to TLSv1.2; no other
value is accepted:
protocol=TLSv1.2
Important: If you configured strict mode in the WebSphere Application Server administrative console,
then make sure that the keyStore and trustStore properties
point to files whose certificates meet SP800-131a strict requirements
(for example, keys of at least 2048 bits and SHA-2 signatures rather than SHA-1).
For more information about the server properties file, see Server properties file.
See the following
example of an SSL configuration from a server properties file that
includes support for SP800-131a strict mode. Note that the shipped template
has every setting commented out; the properties take effect only after you remove the leading #:
#------------------------------------------------------------------------------
# Transport Layer Security Configuration
#
# SSL-Supported is supported since 6.1.0.3, and SSL-Required is supported since 6.1.0.5
#
# This is also where you enable SSL client certificate authentication.
#
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Set the transport this server supports. The possible values are:
# TCP/IP : the server only supports TCP/IP connections.
# SSL-Supported* : the server supports both TCP/IP and SSL connections.
# SSL-Required : the server only supports SSL connections (required for SP800-131a).
#
# The default value is SSL-Supported.
#
# Uncomment this property to set the transport type.
#------------------------------------------------------------------------------
#transportType=SSL-Required
#------------------------------------------------------------------------------
# SSL Configuration
#
# - alias (alias name in the key store)
# - contextProvider (IBMJSSE2, IBMJSSEFIPS, etc.)
# - protocol (SSL, SSLv3, TLS, TLSv1, TLSv1.2; SP800-131a strict mode requires TLSv1.2)
# - keyStoreType (JKS, JCEKS, PKCS12, etc.)
# - trustStoreType (JKS, JCEKS, PKCS12, etc.)
# - keyStore (fully qualified path to key store file)
# - trustStore (fully qualified path to trust store file)
# - alias (string specifying ssl certificate alias to use from keyStore)
# - keyStorePassword (string specifying password to the key store - encoded or not)
# - trustStorePassword (string specifying password to the trust store - encoded or not)
# - clientAuthentication (set to true when the server needs to authenticate/trust the client. Set to false if using C# clients)
# - SP800-131 (specifies the SP800-131a mode that is in use for data protection: transition or strict)
# Uncomment these properties to set the SSL configuration.
#------------------------------------------------------------------------------
#alias=serverprivate
#contextProvider=IBMJSSE2
#protocol=TLSv1.2
#keyStoreType=JKS
#keyStore=etc/test/security/server.private
#keyStorePassword=serverpw
#trustStoreType=JKS
#trustStore=etc/test/security/client.public
#trustStorePassword=public
#clientAuthentication=false
#SP800-131=strict
- Specify the following Java virtual machine (JVM) argument
so that the catalog server points to the correct server properties file in WebSphere Application Server:
-Dobjectgrid.server.props=C:/temp/17877/catServer2NISTsORB.props
- Restart your catalog and container servers.
- Enable the same level of SP800-131a compliance on the web
console so that it can run in WebSphere Application Server as well.
- Secure the web browser connection with the same level
of SP800-131a compliance. For more information, see Configuring the web console for NIST SP800-131a compliance.
- Connect the web console to the catalog servers with
the same level of SP800-131a compliance. For more information, see Connecting the web console to catalog servers.
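The following checker is an added example written for this page; it is not IBM code and is not part of WebSphere eXtreme Scale. It reads a server properties file and reports every setting that does not meet the requirements in the steps above: contextProvider, transportType and SP800-131 must be present and uncommented, the protocol must be TLS or TLSv1.2 in transition mode and TLSv1.2 in strict mode, and keyStore and trustStore must be set. It flags the common mistake of leaving the template values commented out. The three sample files it runs against are constructed for illustration. It does not open the key store; confirm the certificate key sizes and signature algorithms separately, for example with keytool -list -v on the key store file.

```python
"""Check a WebSphere eXtreme Scale server properties file for the SP800-131a
settings this topic requires.  Added example, not IBM code; it knows only the
property names and values the topic documents and does not open the key store."""

import re

# Keys and allowed values the topic requires for any SP800-131a mode.
REQUIRED = {
    "contextProvider": {"IBMJSSE2"},
    "transportType": {"SSL-Required"},
    "SP800-131": {"transition", "strict"},
}

# Protocols the topic allows per mode: transition accepts TLS or TLSv1.2,
# strict accepts only TLSv1.2.
ALLOWED_PROTOCOL = {
    "transition": {"TLS", "TLSv1.2"},
    "strict": {"TLSv1.2"},
}

# Keys worth reporting when they appear commented out (leading '#').
TRACKED = set(REQUIRED) | {"protocol", "keyStore", "trustStore"}

# key=value or key: value, as in a Java properties file.
_KV = re.compile(r"^(?P<key>[^=:\s]+)\s*[=:]\s*(?P<value>.*)$")


def parse_properties(text):
    """Return (active, commented): key->value for effective lines, and key->value
    for tracked keys that are present but commented out.  Later lines win."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_comment = line[0] in "#!"
        match = _KV.match(line[1:].strip() if is_comment else line)
        if not match:
            continue
        key, value = match.group("key"), match.group("value").strip()
        if not is_comment:
            active[key] = value
        elif key in TRACKED:
            commented[key] = value
    return active, commented


def _missing(key, commented, expected):
    hint = f" (present but commented out: #{key}={commented[key]})" if key in commented else ""
    return f"{key} is not set{hint}; expected {expected}"


def check_sp800_131(active, commented):
    """Return a list of findings; an empty list means the file satisfies the topic."""
    findings = []
    for key, allowed in REQUIRED.items():
        expected = " or ".join(sorted(allowed))
        value = active.get(key)
        if value is None:
            findings.append(_missing(key, commented, expected))
        elif value not in allowed:
            findings.append(f"{key}={value} is not valid for SP800-131a; expected {expected}")

    mode = active.get("SP800-131")
    if mode in ALLOWED_PROTOCOL:
        expected = " or ".join(sorted(ALLOWED_PROTOCOL[mode]))
        protocol = active.get("protocol")
        if protocol is None:
            findings.append(_missing("protocol", commented, expected))
        elif protocol not in ALLOWED_PROTOCOL[mode]:
            findings.append(f"protocol={protocol} is not allowed in {mode} mode; expected {expected}")

    # SSL-Required needs a key store and a trust store to use.
    for store in ("keyStore", "trustStore"):
        if store not in active:
            findings.append(_missing(store, commented, "a fully qualified path"))
    return findings


def check_file_text(text):
    """Parse and check in one call."""
    return check_sp800_131(*parse_properties(text))


# Constructed sample 1: strict mode requested, but two settings do not match it.
WEAK_STRICT = """\
contextProvider=IBMJSSE2
transportType=SSL-Supported
SP800-131=strict
protocol=TLS
keyStore=etc/test/security/server.private
trustStore=etc/test/security/client.public
"""

# Constructed sample 2: the same file with both settings corrected.
GOOD_STRICT = WEAK_STRICT.replace("SSL-Supported", "SSL-Required").replace("protocol=TLS\n", "protocol=TLSv1.2\n")

# Constructed sample 3: the shape of the shipped template, everything still commented out.
TEMPLATE = """\
# Uncomment these properties to set the SSL configuration.
#transportType=SSL-Required
#contextProvider=IBMJSSE2
#protocol=TLSv1.2
#keyStore=etc/test/security/server.private
#trustStore=etc/test/security/client.public
#SP800-131=strict
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_STRICT), ("good", GOOD_STRICT), ("template", TEMPLATE)):
        findings = check_file_text(text)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against the real file by reading the file into a string and calling check_file_text; the "weak" sample reports the SSL-Supported transport and the TLS protocol, the "template" sample reports every required key as present but commented out, and the corrected sample reports nothing.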