You can configure WebSphere® Application
Server to use the SP800-131 standard strict mode.
About this task
The National Institute of Standards and Technology (NIST)
Special Publications (SP) 800-131 standard strengthens algorithms
and increases the key lengths to improve security. The standard also
provides for a transition period to move to the new standard. The
transition period enables a user to run in a mixed environment of
settings not supported under the standard along with those that are
supported. The NIST SP800-131 standard requires that users be configured
for strict enforcement of the standard by a specific timeframe. See the
National Institute of Standards and Technology web site for
more details.
WebSphere Application
Server can be configured to run SP800-131 in a transition mode
or a strict mode. For instructions on how to configure
transition mode, read the topic "Transitioning WebSphere Application Server to the SP800-131
Security Standard".
To run in strict mode, there are several
changes necessary to the server configuration:
- Secure Sockets Layer (SSL) configuration must use the TLSv1.2
protocol.
- The com.ibm.jsse2.sp800-131 system property must be set to strict for
the JSSE to run in a strict SP800-131 mode.
- Certificates used for SSL communication must have a minimum key length
of 2048 bits, and for Elliptic Curve (EC) certificates they must have
a minimum length of 244 bits.
- Certificates must be signed with a signature algorithm of SHA256,
SHA384, or SHA512.
- SP800-131 approved cipher suites must be used.
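As an added example that is not part of this IBM topic, the following Java program audits every certificate in a keystore against the key-length and signature-algorithm rules listed above, so a keystore can be checked before strict mode is switched on. The keystore path, type and password are command-line arguments you supply; the protocol and cipher-suite requirements are not checked by this program.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Audits each certificate in a keystore against SP800-131 strict-mode key and signature rules. */
public class Sp800131KeystoreAudit {
    static final int MIN_RSA_BITS = 2048;
    static final int MIN_EC_BITS = 244;   // minimum EC length as stated on this page
    static final List<String> SIG_HASHES = List.of("SHA256", "SHA384", "SHA512");

    /** Returns one line per problem found; an empty list means the certificate passes. */
    static List<String> check(String alias, X509Certificate cert) {
        List<String> problems = new ArrayList<>();
        var key = cert.getPublicKey();
        if (key instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) key).getModulus().bitLength();
            if (bits < MIN_RSA_BITS) problems.add(alias + ": RSA key is " + bits + " bits, need >= " + MIN_RSA_BITS);
        } else if (key instanceof ECPublicKey) {
            // field size of the curve, e.g. 256 for P-256
            int bits = ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
            if (bits < MIN_EC_BITS) problems.add(alias + ": EC key is " + bits + " bits, need >= " + MIN_EC_BITS);
        } else {
            problems.add(alias + ": key type " + key.getAlgorithm() + " is not RSA or EC");
        }
        // getSigAlgName() returns names such as "SHA256withRSA" or "SHA1withRSA";
        // an "RSASSA-PSS" name carries no hash in it and is reported for manual review.
        String sig = cert.getSigAlgName().toUpperCase();
        if (SIG_HASHES.stream().noneMatch(sig::startsWith)) {
            problems.add(alias + ": signature algorithm " + cert.getSigAlgName() + " is not SHA256/SHA384/SHA512");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java Sp800131KeystoreAudit <keystore path> <keystore type, e.g. PKCS12> <password>
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[2].toCharArray());
        }
        List<String> all = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) all.addAll(check(alias, (X509Certificate) c));
        }
        all.forEach(System.out::println);
        System.out.println(all.isEmpty() ? "All certificates satisfy strict mode" : all.size() + " problem(s) found");
    }
}
```

Run it against each key and trust store the server uses; any certificate it reports must be replaced before the strict-mode setting is applied, or the SSL configuration will fail to start.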
What to do next
The SP800-131 standard strict mode requires that the SSL
connection use the TLSv1.2 protocol. For a browser to access the administrative
console or an application, the browser must support and first be configured
to use the TLSv1.2 protocol.
Avoid trouble: When enabling the security standards on a Network Deployment
version of the product, the node and deployment manager can be in
an incompatible protocol state. Since configuring the security standard
requires the server to be restarted, it is recommended that all node
agents and servers be stopped, leaving the deployment manager running.
Once the configuration changes are made through the console, restart
the deployment manager.
Manually sync the nodes with syncNode,
and start the node agents and servers. To use syncNode, you might
need to update the ssl.client.props file to communicate
with the deployment manager.