Fix Pack 8550

Setting up a Liberty profile to run in SP800-131a

You can set up a Liberty profile to meet the SP800-131a requirement that originates from the National Institute of Standards and Technology (NIST).

About this task

SP800-131a requires longer key lengths and stronger cryptography. The specification also provides a transition configuration that enables users to move to strict enforcement of SP800-131a and to run with a mixture of settings from both FIPS140-2 and SP800-131a. SP800-131a can be run in two modes: transition and strict. Transition mode gives users a setting for moving their environment to SP800-131a strict mode. In transition mode, it is optional to use the SP800-131a required certificates and to set the protocol to SP800-131a.

Strict enforcement of SP800-131a requirements on the Liberty profile includes the following:
  • The use of the TLSv1.2 protocol for the Secure Sockets Layer (SSL) context.
  • Certificates must have a minimum length of 2048. Elliptical Curve (EC) certificates require a minimum size of 244-bit curves.
  • Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512. Valid signatureAlgorithms include:
    • SHA256withRSA
    • SHA384withRSA
    • SHA512withRSA
    • SHA256withECDSA
    • SHA384withECDSA
    • SHA512withECDSA
    Note: [Updated in June 2013] If SHA384withECDSA or SHA512withECDSA is used, the unrestricted policy file needs to be in place for the IBM® JDK.
  • SP800-131a approved Cipher suites.
Note: To configure a Liberty profile server to run in SP800-131a mode, users must be running a level of the IBM JDK that supports SP800-131a. The minimum levels of the IBM JDK include Java™ 6 sr 10, Java 6.0.1 sr 2, or Java 7.
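
The following added example (not part of the IBM documentation) audits a keystore listing against the certificate requirements in the list above, using the thresholds and signature algorithm names exactly as this page states them. It assumes the input is text from `keytool -list -v` in the line format that recent OpenJDK keytool prints; the function name and the sample listing are constructed for illustration.

```python
import re

# Thresholds and algorithm names exactly as listed on this page.
MIN_KEY_BITS = 2048
MIN_EC_BITS = 244
ALLOWED_SIG_ALGS = {"SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
                    "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA"}
# Assumed line formats of `keytool -list -v` output (recent OpenJDK wording).
ALIAS_RE = re.compile(r"^Alias name:\s*(\S+)", re.M)
SIG_RE = re.compile(r"^Signature algorithm name:\s*(\S+)", re.M)
KEY_RE = re.compile(r"^Subject Public Key Algorithm:\s*(\d+)-bit (\w+)", re.M)

def audit_keytool_listing(text):
    """Return {alias: [findings]}; an empty list means no finding."""
    report = {}
    # Each keystore entry starts with an "Alias name:" line.
    for entry in re.split(r"(?m)^(?=Alias name:)", text):
        alias = ALIAS_RE.search(entry)
        if not alias:
            continue
        findings = []
        sigs = SIG_RE.findall(entry)   # one per certificate in the chain
        keys = KEY_RE.findall(entry)
        if not sigs or not keys:
            # Fail closed: an entry that cannot be parsed is not compliant.
            findings.append("could not read signature algorithm or key size")
        for sig in sigs:
            if sig not in ALLOWED_SIG_ALGS:
                findings.append(f"signature algorithm {sig} not in allowed list")
        for bits, alg in keys:
            minimum = MIN_EC_BITS if alg.upper() == "EC" else MIN_KEY_BITS
            if int(bits) < minimum:
                findings.append(f"{bits}-bit {alg} key below minimum {minimum}")
        report[alias.group(1)] = findings
    return report

# Constructed sample listing (trimmed; not real keystore output).
SAMPLE = """\
Alias name: default
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Alias name: legacy
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Alias name: ecnode
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
"""

if __name__ == "__main__":
    print(audit_keytool_listing(SAMPLE))
```

The check covers certificates only; the protocol and cipher suite requirements are not visible in a keystore listing.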

For more information about the SP800-131a standard, see the National Institute of Standards and Technology.

You can configure the Liberty profile to run in SP800-131a strict mode or transition mode as follows:

Procedure




Last updated: Monday, 21 April 2014
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-base-iseries&topic=twlp_sec_nist
File name: twlp_sec_nist.html