Configuring compliance for NSA Suite B Cryptography in Rational DOORS Web Access

You can configure Rational DOORS Web Access to communicate over secure sockets in compliance with the National Security Agency (NSA) Suite B cryptography guideline. The Suite B guideline strengthens the existing FIPS-2 and SP 800-131A compliance policies.

Before you begin

Configure the Rational DOORS Web Access broker, which is an adaptation of Apache ActiveMQ. See Installation prerequisites for Rational DOORS Web Access.

About this task

To configure Rational DOORS Web Access to comply with Suite B, you modify the Apache Tomcat server configuration values to reject requests with certificates that do not meet the minimum required encryption strengths.

You must use a security provider that complies with FIPS 140-2 and configure its system properties to run in Suite B mode. That configuration ensures that you are using the proper protocol and cipher suites. Suite B compliance allows only the TLS 1.2 protocol. You must ensure that the certificates, keys, and secure random number generator, if specified, are all compliant with Suite B.

Important: If you specify TLS 1.2 protocol, refer to vendor documentation to determine whether your browser supports that version.
To configure Rational DOORS Web Access to comply with Suite B:
  • Set the system property in the startup script file that specifies the Suite B mode.
  • Modify the Apache Tomcat server configuration to accept only TLS 1.2 protocol and supported cipher suites.
  • Ensure that cryptographic keys adhere to the minimum required key strength.
  • Ensure that digital signatures adhere to the minimum required strength.
A system that is configured for Suite B with TLS and a minimum level of security of 128 bits must use TLS 1.2 and either ECDSA-256 or ECDSA-384 for client or server authentication. To support the Suite B profile, the following system property is provided:
com.ibm.jsse2.suiteB=128|192|false
This system property has these parameters:
  • 128 specifies the 128-bit minimum level of security.
  • 192 specifies the 192-bit minimum level of security.
  • false specifies that the system is not compliant with Suite B. This value is the default.
When you set the com.ibm.jsse2.suiteB system property, IBMJSSE2 ensures adherence to the specified security level. IBMJSSE2 validates that the protocol, keys, and certificates are compliant with the requested profile.

Procedure

  1. Open the Apache Tomcat startup script file in an editor.
    • On Windows systems, the server.start.bat script file is in the Rational DOORS Web Access installation directory; for example, C:\Program Files (x86)\IBM\Rational\DOORS Web Access\1.5.0.1. Near the bottom of the file, after the entry for the Dcom.ibm.jsse2.usefipsprovider, add the set JAVA_OPTS entry for Dcom.ibm.jsse2.suiteB. Then, make sure that the entries are shown as follows:
      set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.usefipsprovider=true 
      set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.suiteB=128
      
      cd %CATALINA_HOME%\bin
      call ".\startup.bat"
      Important: If the Dcom.ibm.jsse2.sp800-131 property is included in the file, remove that property.
    • On UNIX, the server.start.sh script file is located in the Rational DOORS Web Access installation directory. Add the JAVA_OPTS entry for Dcom.ibm.jsse2.suiteB after the JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true entry. Then, make sure that the entries are shown as follows:
      JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true 
      JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.suiteB=128
      
      export JAVA_OPTS
      Important: If the Dcom.ibm.jsse2.sp800-131 property is included in the file, remove that property.
  2. Open the Apache Tomcat server.xml file in an editor. That file is in the Rational DOORS Web Access installation in the server/conf directory; for example, C:\Program Files (x86)\IBM\Rational\DOORS Web Access\1.5.0.1\server\conf
  3. Set the sslProtocol value to TLS 1.2; for example:
    sslProtocol="TLSv1.2"
  4. Set the cipher suites to ciphers that comply with Suite B; for example:
    ciphers=”SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256”
    Ensure that Secure Sockets Layer (SSL) is configured to use only a cipher suite that is approved for Suite B compliance.

What to do next

Update the client browsers to support TLS 1.2.

Ensure that the client and server certificates are signed properly. Check the keys in keystores.


Feedback