The National Institute of Standards and Technology (NIST)
Special Publications 800-131 standard strengthens algorithms and increases
the key lengths to improve security. The standard also provides for
a transition period to move to the new standard. You can configure WebSphere® Application Server
for SP800-131 standard transition mode.
Before you begin
Read the "WebSphere Application
Server security standards configurations" topic for more background
information regarding security standards.
About this task
The transition period enables a user to run in a mixed environment
of settings not supported under the standard along with those that
are supported. The NIST SP800-131 standard requires that users be
configured for strict enforcement of the standard by a specific timeframe.
See
The National Institute of Standards and Technology web
site for more details.
The transition options can be very useful
when trying to get to strict SP800-131. The servers
can accept a mixture old settings and new requirements. For example.
they can convert certificates but continue to use the TLS protocol.
WebSphere Application Server
can be configured to run SP800-131 in a transition mode
or a strict mode. For information on how to configure
strict mode. read the Configuring WebSphere Application
Server for strict mode SP800-131 security standard topic.
To
run in the SP800-131 transition mode, the server must be in a specific
configuration setting as well. Other strict requirements can be include
as wanted.
- The com.ibm.jsse2.sp800-131 system property must be set to transition for
the JSSE to run in the transition mode.
- The SSL configuration protocols must be one of the TLS settings.
Valid values include TLS, TLSv1, TLSv1.1, and TLSv1.2.
Procedure
- Click Security > SSL certificate and key management
> Manage FIPS.
- Select the Enable SP800-131 radio button.
- Select the Transition radio button.
- You have the choice to change the protocols in SSL configuration
to TLSv1.2 by optionally selecting the Update the SSL configuration
to require TLSv1.2 box. If you do not select this box, all SSL
configurations are set to TLS.
- Click Apply/Save.
- Restart the servers.
When these changes are
applied, and the server is restarted, all of the SSL configuration
on the server are modified to use the TLS or TLSv1.2 protocol, and
the com.ibm.jsse2.sp800-131 system property is set to transition.
The SSL configuration uses the appropriate SSL ciphers for the standard.
Before
you can move to the strict mode certificate, the protocol in the configuration
must meet the strict requirements.
You can go to directly to
the SSL configuration and set protocols to TLSv1.2 by doing the following:
- Click Security > SSL certificate and key management
> SSL Configurations.
- Select a SSL configuration from the collection panel.
- Under Related Items, select Quality of protection (QoP).
- Select TLSv1.2 from the pull-down box labeled Protocol
- Click Apply/Save. To change the SSL protocol
using scripting, the modifySSLConfig task can also be used.
Certificates
must have a minimum size of 2048 (244 if an Elliptical Curve certificate),
and signed with SHA256, SHA384, or SHA512. You can create new ones
on the console and replace the old one, or import certificates that
meet the standards requirements.
There are a number of options
you can use to replace certificates.
- Use the Convert Certificate panel. This panel converts all certificates
to meet the standard specified.
- Click Security > SSL certificate and key management > Manage
FIPS > Convert Certificate
Note: If there are any certificates
in the box labeled Certificates that can not be converted,
then a certificate can not be converted using this option.
- Select the Strict radio button and choose which signatureAlgorithm
to use when creating the new certificates from the pull-down box.
- Select the size of the certificate from the pull-down box labeled New
Certificate Key Size. Note that Elliptical Curve signature algorithms
require a specific size, so there is no need to provide a size.
- Click Apply/Save.
The convertCertForSecurityStandard
scripting task can also be used to convert all certificates to meet
a specified standard.
- Use the personal certificate panels to create new certificates
and replace a certificate that does not meet the requirements by doing
the following:
- Click Security > SSL certificate and key management > Key stores
and certificates.
- Select a keystore from the collection panel.
- Select Personal Certificate.
- From the pull-down list on the Create button, select Self-Signed
Certificate.
- Fill in an alias for the certificate. Select a signature algorithm
for the certificate that is signed with SHA256, SHA384, or SHA512.
Choose a size that is 2048 or greater. Note that Elliptical Curve
signature algorithms require a specific size, so there is no need
to specify a size.
- Click Apply/Save.
- Go back to the Personal certificate collection panel and select
the certificate that does not meet the standard. Click Replace.
- On the Replace panel, select the certificate created that meets
the standard from the pull-down list in the box labeled Replace
with.
- Select Delete old certificate after replacement, and Delete
old signer boxes.
- Click Apply/Save.
Note: To replace chained certificates,
a root certificate must be created that meets the standard. Follow
the previous navigation path to the root certificate in the defaultRootStore,
then create a chained certificate with that new root certificate.
The
createSelfSigneCertificate scripting task can also be used to create
self-signed certificate. The replaceCertificate scripting task can
also be used to replace the new certificate for the old one.
- Use the personal certificate panels to import certificates and
to replace the certificate that does not meet the requirements. Some
certificate come from external sources such as a Certificate Authority
(CA).
- Click Security > SSL certificate and key management > Key stores
and certificates.
- Select a keystore from the collection panel.
- Select Personal Certificate.
- Select Import Certificate.
- Fill in the information needed to access the certificate in an
existing keystore file.
- Click Apply/Save.
- Go back to the Personal certificate collection panel and select
the certificate that does not meet the standard. Click the Replace button.
- On the Replace panel, select the certificate created that meets
the standard from the pull-down list in the box labeled Replace
with. Select Delete old certificate after replacement and Delete
old signer boxes.
- Click Apply/Save.
The importCertificate scripting task
can also be used to import a certificate. The replaceCertificate
scripting task can also be used to replace the new certificate for
the old one.
- To enable strict SP800-131, click Security > SSL certificate
and key management > Manage FIPS.
- Click the Enable SP800-131.
- Click the Strict.
- Click Apply/Save.
- Restart your servers and manually sync your nodes for the
changes to take effect.
- Configure the client ssl.client.props file
for the transition mode SP800-131 standard. Once the server
is configured for SP800-131 transition mode, the ssl.client.props file
might need to modified so that the admin client can connect to the
server.
Edit the ssl.client.props file.
Change the com.ibm.ssl.protocol property to match the protocol the
server is using.
- Configure the client ssl.client.props file
for strict mode SP800-131 standard. Once the server is
configured for SP800-131 strict mode, the ssl.client.props file
must be modified so that the admin client is running in SP800-131
strict mode. It is not able to make a SSL connection to the server
without the change.
Edit the
ssl.client.props file
as follows:
- Modify the com.ibm.security.useFIPS to be set totrue.
- Add the com.ibm.websphere.security.FIPSLevel=SP800-131 just below
the useFips property.
- Change the com.ibm.ssl.protocol property to TLSv1.2
What to do next
The browser used to access the administrative console or
an application must use a protocol that is compatible with the server.
If the server is running in a transition mode, the browser must be
set to use the protocol that matches the server. The SP800-131 standard
requires that the SSL connection use the TLSv1.2 protocol, so the
browser must support TLSv1.2 and use it to access the administrative
console.