Configuring compliance for NIST SP800-131a in Rational DOORS Web Access

You can configure Rational DOORS Web Access to communicate over secure sockets in compliance with the NIST Special Publication 800-131a (SP800-131a) standard. That standard specifies the algorithms to use to strengthen security, and the minimum encryption strengths that are required for the algorithms.

Before you begin

Configure Rational DOORS Web Access to comply with FIPS 140-2.

About this task

To configure Rational DOORS Web Access to comply with SP800-131a, you modify the Apache Tomcat server configuration values to reject requests with certificates that do not meet the minimum required encryption strengths. You must use a security provider that complies with FIPS 140-2 and configure its system properties to run in SP 800-131a mode. That configuration ensures that you are using the proper protocol and cipher suites.

For strict compliance, key strength and signature algorithms are also verified. Strict compliance allows only the TLS version 1.2 protocol. You must ensure that the certificates, keys, and secure random number generator, if specified, are all compliant with SP 800-131a.

Important: If you specify TLS version 1.2, refer to vendor documentation to determine whether your browser supports that version.
To configure Rational DOORS Web Access to comply with NIST SP800-131a:
  • Set the system property that specifies the SP800-131a mode.
  • Modify the Apache Tomcat server configuration to accept only specific protocols and cipher suites.
  • Ensure that cryptographic keys adhere to a minimum key strength of 112 bits.
  • Ensure that digital signatures are a minimum of SHA2.

Procedure

  1. Open the Apache Tomcat startup script file in an editor.
    • On Windows systems, the server.start.bat script file is in the Rational DOORS Web Access installation directory; for example, C:\Program Files (x86)\IBM\Rational\DOORS Web Access\1.5.0.1. Near the bottom of the file, after the entry for the Dcom.ibm.jsse2.usefipsprovider, add the set JAVA_OPTS entry for Dcom.ibm.jsse2.sp800-131. Then, make sure that the entries are shown as follows:
      set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.usefipsprovider=true 
      set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.sp800-131=strict
      
      cd %CATALINA_HOME%\bin
      call ".\startup.bat"
    • On UNIX systems, the server.start.sh script file is in the Rational DOORS Web Access installation directory. Add the JAVA_OPTS entry for Dcom.ibm.jsse2.sp800-131 after the JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true" entry. Then, make sure that the entries are shown as follows, where com.ibm.jsse2.sp800-131 can be set to either transition or strict:
      JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true"
      JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.sp800-131=strict"
      
      export JAVA_OPTS

    For strict compliance, key strength and signature algorithms are also verified. Strict compliance allows only the TLS version 1.2 protocol. You must ensure that the certificates, keys, and secure random number generator, if specified, are all compliant with SP 800-131a.

    Transition is the transition period defined by SP 800-131a, from today to the end of 2013. The transition period is a grace period during which you can upgrade to the new minimum cryptographic requirements.

  2. Save and close the file.
  3. Open the Apache Tomcat server.xml file in an editor. That file is in the Rational DOORS Web Access installation in the server/conf directory; for example, C:\Program Files (x86)\IBM\Rational\DOORS Web Access\1.5.0.1\server\conf
  4. Set the sslProtocol value to the minimum TLS version, which is determined by the value of the com.ibm.jsse2.sp800-131 system property; for example:
    sslProtocol="TLSv1.2"
  5. Set the cipher suites to SP800-131a-compliant ciphers; for example:
    ciphers="SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    Ensure that Secure Sockets Layer (SSL) is configured to use only an approved cipher suite for SP800-131a. For a list of cipher suites, see "IBM JSSE2 Cipher Suites" in the related information links below.
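
One way to check the result of this procedure, as an added example that is not IBM's code: the script below audits the text of the startup script and of server.xml for the settings named in steps 1 to 5. The function names, the deny-list of weak suite markers, the use of the Tomcat SSLEnabled attribute to find TLS connectors, and the sample inputs are assumptions made for the example; the authoritative suite list is the "IBM JSSE2 Cipher Suites" reference.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: heuristic deny-list of suite-name markers that are clearly
# below SP800-131a strength; it is not IBM's approved cipher suite list.
WEAK_MARKERS = ("_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_MD5")

# Constructed sample inputs (not taken from a real installation).
SAMPLE_SCRIPT = '''JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true"
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.sp800-131=strict"
export JAVA_OPTS'''
SAMPLE_XML = '''<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" sslProtocol="TLS"
             ciphers="SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_RC4_128_MD5"/>
</Service></Server>'''

def jvm_properties(script_text):
    """Collect -Dname=value options from the startup script (last one wins)."""
    return dict(re.findall(r"-D([\w.\-]+)=([^\s\"']+)", script_text))

def audit(script_text, server_xml_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    props = jvm_properties(script_text)
    if props.get("com.ibm.jsse2.usefipsprovider") != "true":
        findings.append("com.ibm.jsse2.usefipsprovider is not true")
    mode = props.get("com.ibm.jsse2.sp800-131")
    if mode not in ("strict", "transition"):
        findings.append("com.ibm.jsse2.sp800-131 is not strict or transition")
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true" and conn.get("sslProtocol") is None:
            continue  # plain HTTP or AJP connector, nothing to check
        port = conn.get("port", "?")
        if mode == "strict" and conn.get("sslProtocol") != "TLSv1.2":
            findings.append(f"port {port}: strict mode needs sslProtocol=TLSv1.2")
        suites = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        if not suites:
            findings.append(f"port {port}: no explicit ciphers list")
        for suite in suites:
            if any(marker in suite for marker in WEAK_MARKERS):
                findings.append(f"port {port}: weak cipher suite {suite}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCRIPT, SAMPLE_XML):
        print(finding)
```

The audit reads configuration text only; it does not inspect certificates or keystores, and it does not skip commented-out lines in the startup script.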

What to do next

Update client browsers to a version that supports the minimum TLS version. The minimum TLS version is determined by the value that is specified in the server.xml sslProtocol property.

Ensure that client and server certificates, including root and intermediate certificates, have a key strength of at least 112 bits and are signed properly, as defined in this procedure. Check keys in keystores and trusted certificates in trust stores.

See the technote Configuring the Rational DOORS database server and client for compliance with NIST SP800-131a.

