To configure Rational DOORS Web Access to comply with Suite B, you modify the Apache Tomcat server configuration values to reject requests with certificates that do not meet the minimum required encryption strengths.
You must use a security provider that complies with FIPS 140-2 and configure its system properties to run in Suite B mode. That configuration ensures that you are using the proper protocol and cipher suites. Suite B compliance allows only the TLS 1.2 protocol. You must ensure that the certificates, keys, and secure random number generator, if specified, all comply with Suite B.
com.ibm.jsse2.suiteB=128|192|false
That system property has these
parameters: Parameter | Value |
---|---|
https.protocols | Set to TLSv1.2. |
com.ibm.jsse2.suiteB | Set to 128 or 192. |
https.cipherSuites | Enter a supported cipher suite. This parameter restricts the ciphers that are used by outgoing requests for remote services. These cipher suites must be compatible with the cipher suites that are set for the remote server. |
set JAVA_OPTS=%JAVA_OPTS% -Dhttps.protocols=TLSv1.2
set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.usefipsprovider=true
set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.suiteB=128
set JAVA_OPTS=%JAVA_OPTS% -Dhttps.cipherSuites="SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
cd %CATALINA_HOME%\bin
call ".\startup.bat"
JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1.2"
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true"
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.suiteB=128"
JAVA_OPTS="$JAVA_OPTS -Dhttps.cipherSuites=SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
export JAVA_OPTS
sslProtocol="TLSv1.2"
ciphers="SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
Ensure that
Secure Sockets Layer (SSL) is configured to use only a cipher suite that is approved for
Suite B compliance. Update the client browsers to support TLS 1.2.
Ensure that the client and server certificates are signed properly. Check the keys in keystores.