IBM Security Access Manager for Mobile 8.0 supports the
requirements that are defined by the National Institute of Standards
and Technology (NIST) Special Publication 800-131a.
SP 800-131a strengthens security by defining stronger cryptographic
keys and more robust algorithms. The standard defines a period to
allow customers time to make the transition to the new requirements.
The transition period closes at the end of 2013. See the NIST
publication Transitions: Recommendation for Transitioning the Use of
Cryptographic Algorithms and Key Lengths for the new standards that are
defined by Special Publication 800-131, and for details about allowed
protocols, cipher suites, and key strength.
You can run IBM Security Access Manager for Mobile 8.0 in either
of the two modes that are supported by NIST SP800-131a:
- Transition mode
- Strict mode
When configured in transition mode, server components support the
transition mode Transport Layer Security (TLS) protocols, which include
TLS 1.0 and TLS 1.1. Client components, such as the HTTPS client that
performs one-time password (OTP) delivery and the syslog auditing
client, support TLS 1.2 only.
When configured in strict mode, both the server components and
the client components of IBM Security Access Manager for Mobile support
TLS 1.2 only.
To deploy in transition mode, you need to select only the mode
during initial configuration of the appliance. To run in strict mode,
you must also set an extra configuration option.
If your deployment uses client certificate authentication, and
you want to use strict mode, you must complete more configuration
steps for the point of contact server. The point of contact server
can be either IBM Security Access Manager WebSEAL or IBM Security
Web Gateway appliance 7.0.
Transition mode
When you install the appliance, select the option to enable FIPS 140-2
mode. This selection turns on compliance for NIST SP800-131a.
When enabled, NIST SP800-131a compliance runs in transition mode. You do
not have to complete any further configuration steps to run in
transition mode.
Strict mode
Overview of configuration tasks:
- Enable FIPS 140-2 mode during appliance configuration.
- Set a tuning parameter to enable strict mode.
- (Optional) If your deployment uses client certificate authentication,
configure TLS v1.2.
Instructions:
- Install the appliance and choose to enable FIPS 140-2 mode. This
selection turns on compliance for NIST SP800-131a.
- Use the appliance local management interface (LMI) to modify the
advanced tuning parameter nist.sp800-131a.strict. This parameter is set
by default to false. Complete the following steps:
  - Verify that your browser supports TLS 1.2.
    CAUTION: Strict mode requires the use of TLS 1.2. Some browsers
    support TLS 1.2 but have the support disabled by default. If you
    set the value of the nist.sp800-131a.strict parameter to true, and
    your browser is not configured to support TLS 1.2, you lose access
    to the appliance LMI.
  - On the LMI, select Manage System Settings > System Settings >
    Advanced Tuning Parameters.
  - Select nist.sp800-131a.strict. Select Edit. Change the value to
    true.
- Determine whether your deployment uses basic authentication or
client certificate authentication for communication between IBM
Security Access Manager for Mobile and the point of contact server.
  - If you use basic authentication, the configuration is complete.
  - If you use client certificate authentication, continue with the
    next section.
Client certificate configuration for strict mode
If you use client certificate authentication on the point of contact
server, you must configure it to be in compliance with NIST SP800-131a
strict mode. To comply with strict mode, configure the point of contact
server to use TLS v1.2 for client certificate authentication. You must
create a self-signed certificate, and configure the point of contact
server to use TLS v1.2 with the Runtime Security Services External
Authorization Service (EAS). Complete each of the following tasks:
- Create a self-signed certificate.
  - Review the topic Client certificate authentication considerations.
  - Select one of the following actions, as fits your deployment:
    - If your deployment uses the IBM Security Web Gateway appliance
      (Web Reverse Proxy), follow the instructions in Configuring
      runtime security services for client certificate authentication.
      In Step 1, "Create a client certificate for user easusercert",
      specify:
      Signature Algorithm: SHA2withRSA
    - If your deployment uses WebSEAL: Manually create a self-signed
      certificate. To specify a NIST-compliant algorithm, use an
      external utility such as gsk7ikm. Open the pd.srv certificate
      database, and create a self-signed certificate with these
      credentials:
      Certificate Label: easusercert
      Certificate Distinguished Name: cn=easuser
      Key Size: 2048
      Expiration Time (in days): 365
      Signature Algorithm: SHA2withRSA
  Note:
  - The user cn=easuser is the built-in user, but any user with
    sufficient permissions (as created by the IBM Security Access
    Manager for Mobile administrator) can be used instead.
  - It is not mandatory that WebSEAL has FIPS 140-2 mode configured
    in order to communicate with the IBM Security Access Manager for
    Mobile server. However, to comply with NIST SP800-131a strict mode,
    client certificate authentication between WebSEAL and the server
    must be over TLS v1.2.
  - See the IBM Security Access Manager for Web Version 7.0 WebSEAL
    Administration Guide for complete information on configuring
    client certificate authentication.
- Configure the point of contact server to use TLS v1.2 with the
Runtime Security Services External Authorization Service (EAS).
  The point of contact server uses the EAS to process authorization
  requests. The default EAS setting for communication specifies Secure
  Sockets Layer (SSL) v2, which is not supported by the IBM Security
  Access Manager for Mobile appliance when it operates in NIST
  SP800-131a strict mode. If you do not adjust the configuration
  setting for the EAS, the authorization request (and the regular ping
  call) does not succeed.
  Select the action that fits your deployment:
  - If you deploy your point of contact server on the same computer
    as the appliance:
    - In the IBM Security Access Manager for Mobile appliance local
      management interface, select Reverse Proxy Settings >
      your_instance_name > Manage > Configuration > Edit to open the
      configuration file. Add the following parameter to the existing
      stanza:
      [rtss-cluster:cluster1]
      gsk-attr-name = enum:438:1
    - Click Save. Deploy the changes. Restart the instance.
  - If you deploy your point of contact server on a different computer
    from the appliance:
    - Open the WebSEAL instance configuration file for editing. For
      example: /opt/pdweb/etc/webseald-appliance-default.conf.
    - Add the following parameter to the existing stanza:
      [rtss-cluster:cluster1]
      gsk-attr-name = enum:438:1
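As an added example (not IBM's code), the following Python check parses a WebSEAL-style stanza file and reports whether the [rtss-cluster:cluster1] stanza carries gsk-attr-name = enum:438:1, so a missing EAS setting is caught before strict mode is switched on. The sample configuration lines, including the server URL, are constructed for illustration.

```python
"""Check a WebSEAL / Web Reverse Proxy configuration file for the
strict-mode EAS setting this topic describes. Added example, not IBM
code; it assumes only the stanza and key shown on the page. Sample
configuration content below is constructed."""
from collections import defaultdict
from typing import Dict, List

EAS_STANZA = "rtss-cluster:cluster1"   # stanza named on the page
EAS_KEY = "gsk-attr-name"              # key named on the page
TLS12_VALUE = "enum:438:1"             # value the page says to add


def parse_stanzas(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse a WebSEAL-style stanza file into {stanza: {key: [values]}}.
    A key may appear more than once in a stanza, so values are lists;
    blank lines and '#' comment lines are skipped."""
    stanzas: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas[current]  # register the stanza even if it stays empty
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key].append(value)
    return stanzas

def check_eas_tls12(text: str) -> List[str]:
    """Return findings; an empty list means the EAS link is set for TLS 1.2."""
    stanzas = parse_stanzas(text)
    if EAS_STANZA not in stanzas:
        return [f"missing stanza [{EAS_STANZA}]"]
    if TLS12_VALUE not in stanzas[EAS_STANZA].get(EAS_KEY, []):
        return [f"[{EAS_STANZA}] lacks {EAS_KEY} = {TLS12_VALUE}: EAS "
                "calls keep the SSL default and fail in strict mode"]
    return []

# Constructed sample: stanza present, TLS 1.2 attribute not yet added.
SAMPLE_BEFORE = "[rtss-cluster:cluster1]\nserver = 9,https://rtss.example.invalid/rtss/authz/services/AuthzService\n"
# Constructed sample: the same stanza after adding the line from this topic.
SAMPLE_AFTER = SAMPLE_BEFORE + "gsk-attr-name = enum:438:1\n"

if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name + ":", check_eas_tls12(cfg) or "OK")
```

Run it against a copy of the instance configuration file (for example the webseald-appliance-default.conf path named above) by passing the file's text to check_eas_tls12.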