To configure Rational DOORS Web Access to comply with SP 800-131A, you modify the Apache Tomcat server configuration values to reject requests with certificates that do not meet the minimum required encryption strengths. You must use a security provider that complies with FIPS 140-2 and configure its system properties to run in SP 800-131A mode. That configuration ensures that you are using the proper protocol and cipher suites.
For strict compliance, key strength and signature algorithms are also verified. Strict compliance allows only the TLS 1.2 protocol. You must ensure that the certificates, keys, and secure random number generator, if specified, comply with SP 800-131A.
When Rational DOORS Web Access is enabled to support SP800-131A in strict mode, all remote services must also be configured to support SP 800-131A strict mode. If a remote service does not support the minimum requirements for SP 800-131A strict mode, than any request to that service will fail.
Ensure that digital signatures are a minimum of SHA2 and 2048 bits.
Parameter | Value |
---|---|
https.protocols | Set to TLSv1.2. The protocol must be compatible with the protocols that are enabled on the remote server. |
com.ibm.jsse2.sp800-131 | Set to strict. |
https.cipherSuites | Enter a supported cipher suite. This parameter restricts the ciphers that are used by outgoing requests for remote services. These cipher suites must be compatible with the cipher suites that are set for the remote server. |
set JAVA_OPTS=%JAVA_OPTS% -Dhttps.protocols=TLSv1.2
set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.usefipsprovider=true
set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.sp800-131=strict
set JAVA_OPTS=%JAVA_OPTS% -Dhttps.cipherSuites="SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
cd %CATALINA_HOME%\bin
call ".\startup.bat"
JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1.2"
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true"
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.sp800-131=strict"
JAVA_OPTS="$JAVA_OPTS -Dhttps.cipherSuites=SSL_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
export JAVA_OPTS
For strict compliance, key strength and signature algorithms are also verified. Strict compliance allows only TLS 1.2 protocol. You must ensure that the certificates, keys, and secure random number generator, if specified, all comply with SP 800-131A.
sslProtocol="TLSv1.2"
sslEnabledProtocols="TLSv1.2"
For more
information about the HTTPS connector section, see Configuring Rational DOORS Web Access to use SSL
or TLS.ciphers="SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
Ensure
that Secure Sockets Layer (SSL) is configured to use only an approved cipher suite for SP
800-131A. For a list of cipher suites, see "IBM
JSSE2 Cipher Suites" in Related
information.Update client browsers to one that supports the minimum TLS version. The minimum TLS version is determined by the value that is specified in the sslProtocol property that is in the server.xml file.
Ensure that client and server certificates, including root and intermediate certificates, are at least 112 bits and are signed properly, as defined in this procedure. Check keys in keystores and trusted certificates in trust stores.
See Configuring compliance for NIST SP 800-131A in the Rational DOORS database server and client.