Support for compliance with NIST SP800-131a

IBM Security Access Manager for Mobile 8.0 supports the requirements that are defined by the National Institute of Standards and Technology (NIST) Special Publications 800-131a.

SP 800-131a strengthens security by requiring longer cryptographic keys and stronger algorithms. The standard defines a transition period to give customers time to move to the new requirements; the transition period closes at the end of 2013. See the NIST publication Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths for the requirements that are defined by Special Publication 800-131a, and for details about allowed protocols, cipher suites, and key strength.

You can run IBM Security Access Manager for Mobile 8.0 in either of the two modes that are supported by NIST SP800-131a:

  • Transition mode: server components support the transition-mode Transport Layer Security (TLS) protocols, which include TLS 1.0 and TLS 1.1. Client components, such as the HTTPS client that performs one-time password (OTP) delivery and the syslog auditing client, support TLS 1.2 only.
  • Strict mode: both the server components and the client components of IBM Security Access Manager for Mobile support TLS 1.2 only.

To deploy in transition mode, you need only select the mode during the initial configuration of the appliance. To run in strict mode, you must also set an additional configuration option.

If your deployment uses client certificate authentication, and you want to use strict mode, you must complete more configuration steps for the point of contact server. The point of contact server can be either IBM Security Access Manager WebSEAL or IBM Security Web Gateway appliance 7.0.

Transition mode

When you install the appliance, select the option to enable FIPS 140-2 mode. This selection turns on compliance for NIST SP800-131a.

When this option is enabled, the appliance runs NIST SP800-131a compliance in transition mode. No further configuration steps are required to run in transition mode.

Note:
  • Enable FIPS 140-2 mode only if you must comply with the NIST SP800-131a requirements. There is no advantage to enabling FIPS 140-2 mode if your installation does not require this compliance.
    Important: The setting of the FIPS 140-2 Mode option is permanent and cannot be turned off after it is enabled. To disable the option, you must reinstall the appliance.
  • If you enable FIPS 140-2 mode, the appliance is automatically restarted before it continues with the rest of the setup.
  • FIPS Limitation: For IBM Security Access Manager for Mobile, the FIPS 140-2 mode option in the appliance setup wizard does not turn on compliance for FIPS 140-2. It turns on compliance for NIST SP800-131a only.

Strict mode

Overview of configuration tasks:

  1. Enable FIPS 140-2 mode during appliance configuration.
  2. Set a tuning parameter to enable strict mode.
  3. (Only if your deployment uses client certificate authentication) Configure the point of contact server to use TLS v1.2.

Instructions:

  1. Install the appliance and choose to enable FIPS 140-2 mode. This selection turns on compliance for NIST SP800-131a.
  2. Use the appliance local management interface (LMI) to modify the advanced tuning parameter nist.sp800-131a.strict. This parameter is set by default to false. Complete the following steps:
    1. Verify that your browser supports TLS 1.2.
      CAUTION:
      Strict mode requires the use of TLS 1.2. Some browsers support TLS 1.2 but have the support disabled by default. If you set the value of the nist.sp800-131a.strict parameter to true, and your browser is not configured to support TLS 1.2, you lose access to the appliance LMI.
    2. On the LMI, select Manage System Settings > System Settings > Advanced Tuning Parameters.
    3. Select nist.sp800-131a.strict. Select Edit. Change the value to true.
  3. Determine whether your deployment uses basic authentication or client certificate authentication, for communication between IBM Security Access Manager for Mobile and the point of contact server.
    • If you use basic authentication, the configuration is complete.
    • If you use client certificate authentication, continue with the next section.
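As an added example (not part of the IBM documentation or product), the following Python script probes an endpoint for the three protocol versions that distinguish the two modes and reports which mode the results match. Run it against the LMI from the machine you administer from before you set nist.sp800-131a.strict to true, to confirm that TLS 1.2 can be negotiated at all, and again afterwards to confirm that TLS 1.0 and 1.1 are refused. It reports what the server accepts, not what your browser has enabled, so the browser check in the CAUTION above still applies. The host name isam-mobile.example.com is an assumption; the script uses only the Python standard library and disables certificate verification because it measures protocol support, not trust.

```python
import socket
import ssl

# The three protocol versions that distinguish the two NIST SP800-131a modes:
# transition mode may still accept TLS 1.0 and 1.1 on server components,
# strict mode accepts TLS 1.2 only.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def context_pinned_to(version):
    """Build a client context that offers exactly one protocol version.

    Certificate checks are disabled on purpose: the probe reports which
    versions the server negotiates, not whether its certificate is trusted.
    Raises ValueError if the local OpenSSL build cannot speak that version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower
        # it so that a refusal can be attributed to the server, not the probe.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass                            # older OpenSSL without security levels
    return ctx


def probe_tls_versions(host, port=443, timeout=5.0):
    """One handshake attempt per version.

    Returns {name: (accepted, detail)} where accepted is True (negotiated),
    False (rejected or unreachable) or None (version unavailable locally).
    """
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = context_pinned_to(version)
        except ValueError as exc:
            results[name] = (None, f"not available locally: {exc}")
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = (True, tls.version())
        except ssl.SSLError as exc:
            results[name] = (False, exc.reason or str(exc))
        except OSError as exc:
            results[name] = (False, str(exc))
    return results


def classify_mode(results):
    """Map probe results onto the two modes described on this page."""
    if any(ok is None for ok, _ in results.values()):
        return "inconclusive"           # a version could not be tried locally
    accepted = {name for name, (ok, _) in results.items() if ok}
    if "TLSv1.2" not in accepted:
        return "no-tls12"               # strict mode would lock this client out
    if accepted & {"TLSv1.0", "TLSv1.1"}:
        return "transition"
    return "strict"


if __name__ == "__main__":
    import sys
    # Assumed LMI host name; pass the real one on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "isam-mobile.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    res = probe_tls_versions(host, port)
    for name, (ok, detail) in res.items():
        status = {True: "accepted", False: "rejected", None: "untested"}[ok]
        print(f"{name}: {status} ({detail})")
    print("mode:", classify_mode(res))
```

A result of "no-tls12" before you change the parameter means the client side (OpenSSL here, the browser in the real case) cannot reach the LMI over TLS 1.2, and setting nist.sp800-131a.strict to true from that machine would lock you out.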

Client certificate configuration for strict mode

If you use client certificate authentication on the point of contact server, you must configure that server to use TLS v1.2 for client certificate authentication so that it complies with NIST SP800-131a strict mode.

You must create a self-signed certificate, and configure the point of contact server to use TLS v1.2 with the Runtime Security Services External Authorization Service (EAS). Complete each of the following tasks:

  1. Create a self-signed certificate.
    • Review the topic Client certificate authentication considerations. Select one of the following actions, as fits your deployment:
      • If your deployment uses the IBM Security Web Gateway appliance (Web Reverse Proxy), follow the instructions in Configuring runtime security services for client certificate authentication. In Step 1, "Create a client certificate for user easusercert", specify:
         Signature Algorithm: SHA2withRSA 
      • If your deployment uses WebSEAL:

        Manually create a self-signed certificate. To specify a NIST-compliant algorithm, use an external utility such as gsk7ikm. Open the pd.srv certificate database, and create a self-signed certificate with these credentials:

         Certificate Label: easusercert
         Certificate Distinguished Name: cn=easuser
         Key Size: 2048
         Expiration Time (in days): 365
         Signature Algorithm: SHA2withRSA 
        Note:
        • The user cn=easuser is the built-in user, but any user with sufficient permissions (as created by the IBM Security Access Manager for Mobile administrator) can be used instead.
        • It is not mandatory that WebSEAL has FIPS 140-2 mode configured in order to communicate with the IBM Security Access Manager for Mobile server. However, to comply with NIST SP800-131a strict mode, client certificate authentication between WebSEAL and the server must be over TLS v1.2.
        • See the IBM Security Access Manager for Web Version 7.0 WebSEAL Administration Guide for complete information on configuring client certificate authentication.
  2. Configure the point of contact server to use TLS v1.2 with the Runtime Security Services External Authorization Service (EAS)

    The point of contact server uses the EAS to process authorization requests. The default EAS communication setting specifies Secure Sockets Layer (SSL) v2, which the IBM Security Access Manager for Mobile appliance does not accept when it operates in NIST SP800-131a strict mode. If you do not adjust the EAS configuration, the authorization request (and the regular ping call) fails. The parameter shown below, gsk-attr-name = enum:438:1, sets GSKit protocol attribute 438 (TLS v1.2) to 1 (enabled).

    Select the action that fits your deployment:

    • If you deploy your point of contact server on the same computer as the appliance:
      1. In the IBM Security Access Manager for Mobile appliance local management interface, select Reverse Proxy Settings > your_instance_name > Manage > Configuration > Edit to open the configuration file. Add the following parameter to the existing stanza:
        [rtss-cluster:cluster1]
        gsk-attr-name = enum:438:1 
      2. Click Save. Deploy the changes. Restart the instance.
    • If you deploy your point of contact server on a different computer from the appliance:
      1. Open the WebSEAL instance configuration file for editing. For example: /opt/pdweb/etc/webseald-appliance-default.conf.
      2. Add the following parameter to the existing stanza:
        [rtss-cluster:cluster1]
        gsk-attr-name = enum:438:1 
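As an added example, not taken from the IBM documentation or product: the following Python script applies the EAS change from the steps above to a WebSEAL instance configuration file in an idempotent way, so that the same script serves as a check (does the [rtss-cluster:cluster1] stanza already enable TLS v1.2?) and as a fix, and can be re-run safely. It uses a small stanza parser rather than configparser because WebSEAL configuration files allow a key to repeat within a stanza. The sample configuration text and the host name in it are constructed for this example; the stanza name cluster1 is taken from the page but may differ in your deployment; the reading of enum:438:1 as GSKit's TLS v1.2 protocol attribute is stated in the comments.

```python
import re

# WebSEAL configuration files are stanza based, and a key may legally repeat
# inside a stanza (several gsk-attr-name lines, for example), so a small
# order-preserving parser is used instead of configparser, which collapses
# duplicate keys.
STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")

EAS_STANZA = "rtss-cluster:cluster1"   # stanza name from the page; may differ per deployment
TLS12_KEY = "gsk-attr-name"
TLS12_VALUE = "enum:438:1"             # GSKit attribute 438 (TLS v1.2 protocol) = 1 (enabled)


def stanza_entries(text, stanza):
    """Return the (key, value) pairs in one stanza, in order, duplicates kept."""
    entries, current = [], None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name").strip()
            continue
        stripped = line.strip()
        if current != stanza or not stripped or stripped.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries.append((key.strip(), value.strip()))
    return entries


def eas_has_tls12(text, stanza=EAS_STANZA):
    """True when the EAS stanza already enables TLS v1.2 for GSKit."""
    return (TLS12_KEY, TLS12_VALUE) in stanza_entries(text, stanza)


def ensure_eas_tls12(text, stanza=EAS_STANZA):
    """Add the TLS v1.2 attribute to the EAS stanza if it is missing.

    Returns (new_text, changed). The line is appended at the end of the
    existing stanza; other stanzas and comments are left untouched. A missing
    stanza is an error rather than silently created, because the EAS is
    expected to be configured already when this setting is needed.
    """
    if eas_has_tls12(text, stanza):
        return text, False
    lines = text.splitlines()
    start = None
    for i, line in enumerate(lines):
        m = STANZA_RE.match(line)
        if m and m.group("name").strip() == stanza:
            start = i
            break
    if start is None:
        raise ValueError(f"stanza [{stanza}] not found")
    end = len(lines)
    for j in range(start + 1, len(lines)):
        if STANZA_RE.match(lines[j]):
            end = j
            break
    while end > start + 1 and not lines[end - 1].strip():
        end -= 1                       # keep the blank line(s) that follow the stanza
    lines.insert(end, f"{TLS12_KEY} = {TLS12_VALUE}")
    new_text = "\n".join(lines)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, True


# Constructed sample in the shape of a WebSEAL instance configuration file;
# not taken from a real deployment (host name and values are invented).
SAMPLE_CONF = """\
[server]
server-name = default-webseald

[rtss-cluster:cluster1]
# Runtime security services cluster used by the EAS
server = 9,https://isam-mobile.example.com/rtss/authz/services/AuthzService
basic-auth-user = easuser
ssl-keyfile = pdsrv.kdb

[ssl]
ssl-v2-timeout = 100
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:              # a real file, e.g. webseald-default.conf
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF
    fixed, changed = ensure_eas_tls12(text)
    print(("changed: " if changed else "already compliant: ") + EAS_STANZA)
    if changed:
        sys.stdout.write(fixed)
```

Run it against a copy of the instance configuration file, write the result back, and restart the instance as in the appliance steps above; for a point of contact server that runs on the appliance, the edited text can be pasted into the LMI configuration editor instead.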