Enabling a NIST SP800-131a compliant environment

You can configure IBM® Business Process Manager to comply with the National Institute of Standards and Technology (NIST) SP800-131a security standard. SP800-131a requires longer key lengths and stronger cryptographic algorithms than earlier standards such as FIPS 140-2, and it requires Transport Layer Security (TLS) V1.2 for every secured connection.

Before you begin

Your browser must support the TLS 1.2 protocol. You can use Microsoft Internet Explorer version 9 or later, Google Chrome version 31 or later, or Opera version 12. In Internet Explorer 9 and 10, TLS 1.2 is supported but turned off by default; enable it under Internet Options > Advanced before you connect.
Note: Opera versions 15, 16, and 17 are based on Google Chromium and do not support TLS 1.2.

Procedure

  1. Generate or import certificates and enable SSL on the directory server. This step varies depending on the LDAP server that you use.
  2. Add the signer certificate of your LDAP server (the certificate of the CA that issued the LDAP server certificate, or the server certificate itself if it is self-signed) to the truststore of your application server.
  3. Enable the SP 800-131a standard for IBM Business Process Manager. For updates to the administrative console, see Transitioning WebSphere Application Server to the SP800-131 security standard.
    Note: In a clustered environment, before you run the syncNode.bat or syncNode.sh command, switch to strict mode and update the ssl.client.props configuration file at ProcessDesignerInstallation Path/resources/ssl.client.props. During synchronization you are prompted to accept the self-signed certificate into the truststore; the changes are not propagated until you accept it. For background information and details, refer to https://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/topic/com.ibm.iea.was_v8/was/8.0.0.3/Security/WASV8003_SecurityCryptoSignatureAlgorithm.pdf.
  4. Enable TLS V1.2 for all clients. Set the Secure Sockets Layer (SSL) protocol that client applications, such as the wsadmin command or the Process Designer, use to TLS V1.2; a client that still negotiates an older protocol is rejected by a server in strict mode. For the wsadmin command, see Transitioning WebSphere Application Server to the SP800-131 security standard. For the Process Designer, update the ssl.client.props configuration file, which is at ProcessDesignerInstallation Path/resources/ssl.client.props.
  5. Configure SSL communication for Process Center and Process Server. See Configuring Secure Sockets Layer (SSL) communication in a network deployment environment.
    Note: After you convert the certificates to the NIST SP 800-131a standard in a clustered environment that includes a Process Center cluster and a Process Server cluster, add the Process Server signer to the Process Center truststore and add the Process Center signer to the Process Server truststore.
  6. Specify that SSL is required for Enterprise JavaBeans (EJB) method calls. SSL-required rejects any RMI/IIOP connection that is not protected by SSL; SSL-supported would still accept clear-text IIOP, so do not use it here.
    1. In the administrative console, click Security > Global security > RMI/IIOP Security > CSIv2 inbound communications.
    2. Select SSL-required in the Transport pull-down menu.
    3. In the administrative console, click Security > Global security > RMI/IIOP Security > CSIv2 outbound communications.
    4. Select SSL-required in the Transport pull-down menu.
  7. Switch the DB2 data sources to SSL.
    1. Create a CMS keystore for DB2. To create the keystore, log in to the administrative console and do the following steps:
      1. Navigate to Security > SSL certificate and key management.
      2. Click Key stores and certificates under Related Items.
      3. On the Key stores and certificates page, click New to create a new keystore.
      4. On the New Keystore page, enter the following values and click OK to create the keystore:
        Field             Value                                      Notes
        Name              DB2KeyStore
        Path              C:/SQLLIB/DB2/CertStores/DB2KeyStore.kdb   Make sure that the directory exists.
        Password          WebAS                                      Choose an appropriate password; WebAS is only an example.
        Confirm password  WebAS
        Type              CMSKS                                      Select CMSKS from the drop-down list.
      5. Add a personal certificate to the DB2 keystore.

        After the DB2 keystore is created, navigate to the DB2KeyStore page and click Personal Certificates under Additional Properties to create a personal certificate for this keystore.

      6. From the DB2 keystore's Personal Certificates page, click Create a self-signed certificate.
      7. On the configuration page for the new certificate, enter the following values and click OK. With SP800-131 strict mode enabled, the console generates the certificate with an SP800-131a compliant key size (at least 2048-bit RSA) and a SHA-2 signature algorithm; check the Key size and Signature algorithm fields before you click OK.
        Table 1.
        Field            Value   Notes
        Alias            default
        Common Name      DB2
        Validity period  2000    Increase from the default of 364 days to a larger number to avoid dealing with expiring certificates.
        Organization     IBM
    2. Create the SSLconfig.ini file. The database needs SSL-specific information, such as the location of the keystore, to use SSL. This information is held in the SSLconfig.ini file in the home directory of the instance. For example, create the SSLconfig.ini file in the C:/SQLLIB/DB2 directory with the following contents:
      DB2_SSL_KEYSTORE_FILE=C:/SQLLIB/DB2/CertStores/DB2KeyStore.kdb
      DB2_SSL_LISTENER=50443
      DB2_SSL_KEYSTORE_PW=WebAS
      DB2_SSL_KEYSTORE_LABEL=default
      Note: The keystore is the one that you created in the previous step, and the label must match the alias of the self-signed certificate that you created earlier. The listener port is the one that the database uses for SSL communication, so select a port that is not in use on your machine. Because DB2_SSL_KEYSTORE_PW stores the keystore password in clear text, restrict read access to SSLconfig.ini to the instance owner.
    3. Set the database communication protocol to SSL. To configure the database instance to use SSL, set the DB2COMM registry variable. For example, run the following command for the instance named DB2:
      db2set -i DB2 DB2COMM=SSL
      With DB2COMM=SSL the instance accepts only SSL connections. To accept both SSL and clear-text connections, for example while you migrate clients, run the following command instead; the TCPIP listener remains unencrypted, so remove it once every client uses SSL:
      db2set -i DB2 DB2COMM=SSL,TCPIP
    4. Update the system path to include gsk8. DB2 uses IBM Global Security Kit (GSKit) version 8 to provide SSL support and requires that its library directory be on the system path. For example, add C:\Program Files\IBM\gsk8\lib to the Windows system path by right-clicking My Computer and navigating to Properties > Advanced > Environment Variables.
    5. Restart the database instance so that the updated communication protocol takes effect: run db2stop followed by db2start, or restart the instance from the DB2 Control Center.
    6. Import the signer certificate for the database into the WebSphere® Application Server truststore. Before the JDBC driver can use SSL to communicate with the database, the truststore that it uses requires the database's signer certificate. To get the signer certificate into the appropriate truststores:
      1. Navigate to Security > SSL certificate and key management and click Key stores and certificates under Related Items.
      2. Click NodeDefaultTrustStore to go to the application server's default truststore.
      3. Click Signer certificates under Additional properties.
      4. On the Signer Certificates page, click Retrieve from port to retrieve the DB2 signer certificate.
      5. On the Retrieve from port page, enter the following values:
        Table 2.
        Field  Value         Notes
        Host   localhost     Host where DB2 is running.
        Port   50443         Port on which DB2 is listening for SSL communication (the DB2_SSL_LISTENER value).
        Alias  db2sslSigner  Alias that you want to set for the DB2 signer in this truststore.
      6. Click Retrieve signer information. Before you save, compare the displayed certificate fingerprint with the one shown in the DB2KeyStore personal certificate so that you do not trust an unexpected endpoint.
    7. Set up the data source to use SSL:
      • Set the data source port number to the DB2 SSL listener port (50443 if you used the SSLconfig.ini example).
      • Add the sslConnection custom property of type Boolean to the data source and set its value to true. To add this custom property, from your data source page, click Custom properties in the Additional Properties section. On the Custom properties page, click New to create the sslConnection property. If sslConnection is already in the list of custom properties, update it and set the value to true instead.
  8. Switch the distribution and consistency services (DCS) transport link to SSL.
    1. In the WebSphere Application Server administrative console, click Servers > Core Groups > Core group settings.
    2. Click DefaultCoreGroup.
    3. Select DCS-Secure from the Channel framework pull-down menu.
    4. Save your changes and restart the server.
  9. Disable unencrypted ports. A transport chain whose SSL Enabled column shows Disabled is a clear-text listener; those are the chains to disable. Leave the chains that show Enabled running, because they carry the SSL traffic.
    1. In the WebSphere Application Server administrative console, click System administration > Deployment manager > Configuration > Ports.
    2. Click each instance of View associated transports.
    3. Disable each transport chain that shows Disabled in the SSL Enabled column.
      1. Click the name of the transport chain and clear the Enabled checkbox.
      2. Click OK.
    4. Click System administration > Nodes.
    5. Click each node and select the Local Topology tab.
    6. Expand the node name and expand Servers.
    7. Click the managed node and select the Configuration tab.
    8. Click Ports and click each instance of View associated transports.
    9. Disable each transport chain that shows Disabled in the SSL Enabled column, as in step 3.
    10. Click Save directly to master configuration.
    11. Stop the nodes, node agents, and deployment manager.
    12. Restart the deployment manager.
    13. Synchronize the configuration changes across each of the federated nodes by clicking System administration > Nodes. Select all the nodes and then click Full Resynchronize.
    14. Restart the node agents and nodes.
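The procedure above leaves several settings that must agree with each other: the protocol and SP800-131 mode in ssl.client.props (steps 3 and 4), the SSLconfig.ini values, the alias of the DB2 certificate, the data source port and sslConnection property (step 7), and, after step 9, the fact that every remaining endpoint speaks TLS 1.2. The following script is an added example written for this page; it is not IBM code and is not shipped with IBM Business Process Manager or DB2. It audits those settings offline against constructed sample file contents (the property names com.ibm.ssl.protocol, com.ibm.security.useFIPS and com.ibm.websphere.security.FIPSLevel are the WebSphere ssl.client.props keys for the client protocol and SP800-131 mode; verify them against your release) and includes a TLS 1.2-only handshake probe that you can point at the DB2 SSL port or any server port once the clear-text chains are gone.

```python
"""Offline audit of the files and settings edited by the SP800-131a procedure.

Added example, not IBM code. Checks ssl.client.props (steps 3 and 4), the DB2
SSLconfig.ini plus the data source that must match it (step 7), and offers a
TLS 1.2-only handshake probe for any endpoint (steps 4 and 9).
"""
import socket
import ssl

# Constructed sample ssl.client.props fragment (not copied from a real system).
SAMPLE_CLIENT_PROPS = """\
com.ibm.ssl.protocol=TLSv1.2
com.ibm.security.useFIPS=true
com.ibm.websphere.security.FIPSLevel=SP800-131
"""

# Constructed sample SSLconfig.ini using the values from step 7.
SAMPLE_SSLCONFIG_INI = """\
DB2_SSL_KEYSTORE_FILE=C:/SQLLIB/DB2/CertStores/DB2KeyStore.kdb
DB2_SSL_LISTENER=50443
DB2_SSL_KEYSTORE_PW=WebAS
DB2_SSL_KEYSTORE_LABEL=default
"""

REQUIRED_INI_KEYS = ("DB2_SSL_KEYSTORE_FILE", "DB2_SSL_LISTENER",
                     "DB2_SSL_KEYSTORE_PW", "DB2_SSL_KEYSTORE_LABEL")


def parse_properties(text):
    """Parse key=value lines; blank lines and # comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_client_props(text):
    """Return findings for ssl.client.props; an empty list means compliant."""
    props = parse_properties(text)
    findings = []
    protocol = props.get("com.ibm.ssl.protocol")
    if protocol != "TLSv1.2":
        findings.append("com.ibm.ssl.protocol must be TLSv1.2, found %r" % protocol)
    if props.get("com.ibm.security.useFIPS", "").lower() != "true":
        findings.append("com.ibm.security.useFIPS must be true")
    if props.get("com.ibm.websphere.security.FIPSLevel") != "SP800-131":
        findings.append("com.ibm.websphere.security.FIPSLevel must be SP800-131")
    return findings


def audit_sslconfig(text, datasource_port, ssl_connection,
                    cert_alias="default", file_mode=None):
    """Return findings for SSLconfig.ini and the data source that must match it.

    datasource_port and ssl_connection are the data source port number and its
    sslConnection custom property; file_mode is the POSIX permission bits of
    SSLconfig.ini (stat.S_IMODE of st_mode) when you want them checked.
    """
    ini = parse_properties(text)
    findings = [f"missing {key}" for key in REQUIRED_INI_KEYS if not ini.get(key)]
    listener = ini.get("DB2_SSL_LISTENER", "")
    if not listener.isdigit() or not 1 <= int(listener) <= 65535:
        findings.append("DB2_SSL_LISTENER is not a valid TCP port")
    elif int(listener) != datasource_port:
        findings.append(f"data source port {datasource_port} does not match "
                        f"DB2_SSL_LISTENER {listener}")
    if ini.get("DB2_SSL_KEYSTORE_LABEL") != cert_alias:
        findings.append(f"DB2_SSL_KEYSTORE_LABEL must equal the certificate alias {cert_alias!r}")
    if not ini.get("DB2_SSL_KEYSTORE_FILE", "").lower().endswith(".kdb"):
        findings.append("DB2_SSL_KEYSTORE_FILE should point at the CMS .kdb keystore")
    if not ssl_connection:
        findings.append("data source custom property sslConnection must be true")
    if file_mode is not None and file_mode & 0o077:
        findings.append("SSLconfig.ini is readable by group/other but stores "
                        "DB2_SSL_KEYSTORE_PW in clear text")
    return findings


def probe_tls12(host, port, cafile, timeout=5.0):
    """Handshake with a TLS 1.2-only context; return (protocol version, cipher name).

    Raises ssl.SSLError if the peer cannot negotiate TLS 1.2 or presents a
    certificate that does not chain to cafile. Host-name checking is off because
    the DB2 self-signed certificate from step 7 has CN=DB2, not the host name;
    trust is pinned to that exact signer (cafile) instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print("ssl.client.props:", audit_client_props(SAMPLE_CLIENT_PROPS) or "ok")
    print("SSLconfig.ini:", audit_sslconfig(SAMPLE_SSLCONFIG_INI, 50443, True) or "ok")
    # Weak configuration for comparison: old protocol, no strict mode,
    # data source still on the clear-text port, world-readable ini file.
    print("weak client props:", audit_client_props("com.ibm.ssl.protocol=SSL_TLS\n"))
    print("weak ini:", audit_sslconfig(SAMPLE_SSLCONFIG_INI, 50000, False, file_mode=0o644))
```

To run the audit against a live system, read the real files (for example Path("C:/SQLLIB/DB2/SSLconfig.ini").read_text()) and pass the port and sslConnection value that the data source shows in the administrative console. For probe_tls12, export the DB2 self-signed certificate from the DB2KeyStore in PEM form as cafile; a successful return of ("TLSv1.2", cipher) confirms both that the listener negotiates TLS 1.2 and that the certificate served is the one you added to NodeDefaultTrustStore. Pointing the probe at a port that was left clear-text in step 9 fails with a handshake error, which makes it a quick post-change check for each listener.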