Setting up Liberty to run in SP800-131a
You can set up Liberty to meet the SP800-131a requirements published by the National Institute of Standards and Technology (NIST).
About this task
SP800-131a requires longer key lengths and stronger cryptography. Liberty provides a configuration that lets you move to strict enforcement of SP800-131a, and that also lets you run with a mixture of settings from both FIPS140-2 and SP800-131a. SP800-131a can be run in two modes, transition and strict. Transition mode gives you a setting to use while you move your environment to SP800-131a strict mode: in transition mode it is optional to use the certificates that SP800-131a requires and to set the protocol to TLSv1.2. Strict mode enforces all of the following:
- The TLSv1.2 protocol is used for the Secure Sockets Layer (SSL) context.
- Certificates have a minimum key length of 2048 bits. Elliptic Curve (EC) certificates require a minimum curve size of 224 bits.
- Certificates are signed with a SHA256, SHA384, or SHA512 signature algorithm. Valid signatureAlgorithms include:
  - SHA256withRSA
  - SHA384withRSA
  - SHA512withRSA
  - SHA256withECDSA
  - SHA384withECDSA
  - SHA512withECDSA
  Note: If SHA384withECDSA or SHA512withECDSA is used, the unrestricted policy files must be in place for the IBM® JDK.
- Only SP800-131a approved cipher suites are enabled.
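Before switching to strict mode it is worth auditing the keystore and the ssl configuration against the certificate, key-size and protocol requirements above, because a non-compliant certificate or protocol setting stops the SSL context from starting once strict mode is enforced. The following Python script is an added example, not code from Liberty or the IBM documentation. It parses the output of keytool -list -v and the ssl elements of a server.xml fragment and reports violations of the requirements listed above. It assumes a keytool version that prints "Signature algorithm name:" and "Subject Public Key Algorithm: <n>-bit <type> key" lines, and it assumes the Liberty ssl element carries the protocol in its sslProtocol attribute; the keystore listing and the server.xml in the block are constructed samples. The approved cipher suite list is not given on this page, so the script does not check enabledCiphers.

```python
"""Pre-flight audit of a Liberty keystore and <ssl> elements against the
SP800-131a strict-mode requirements listed above.
Example code, not part of Liberty or the IBM documentation."""
import re
import xml.etree.ElementTree as ET

MIN_RSA_BITS = 2048           # certificate key length minimum
MIN_EC_BITS = 224             # EC curve size minimum
ALLOWED_SIG_ALGS = {
    "SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
    "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA",
}
# These two need the unrestricted policy files on the IBM JDK (see the note above).
UNRESTRICTED_POLICY_SIG_ALGS = {"SHA384withECDSA", "SHA512withECDSA"}

# Constructed sample of `keytool -list -v` output; not taken from a real keystore.
SAMPLE_KEYTOOL_OUTPUT = """\
Your keystore contains 3 entries

Alias name: default
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: legacy
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key

Alias name: ecdsa
Entry type: trustedCertEntry
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 256-bit EC key
"""

# Constructed server.xml fragment: one ssl element without a protocol, one compliant.
SAMPLE_SERVER_XML = """<server>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"/>
  <ssl id="strictSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2"/>
</server>"""


def parse_keytool_listing(text):
    """Return {alias: [cert, ...]}; each cert has sig_alg, key_type and key_bits."""
    entries, certs, cert = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            certs = entries.setdefault(line.split(":", 1)[1].strip(), [])
            cert = None
        elif certs is None:
            continue                      # header lines before the first alias
        elif re.match(r"Certificate\[\d+\]:", line):
            cert = {}                     # next certificate of a PrivateKeyEntry chain
            certs.append(cert)
        elif line.startswith(("Signature algorithm name:", "Subject Public Key Algorithm:")):
            if cert is None:              # trustedCertEntry prints no Certificate[n] header
                cert = {}
                certs.append(cert)
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "Signature algorithm name":
                cert["sig_alg"] = value
            else:
                m = re.match(r"(\d+)-bit (\w+) key", value)
                if m:
                    cert["key_bits"], cert["key_type"] = int(m.group(1)), m.group(2)
    return entries


def check_certificate(cert):
    """Return (violations, caveats) for one certificate under strict mode."""
    violations, caveats = [], []
    sig = cert.get("sig_alg", "unknown")
    if sig not in ALLOWED_SIG_ALGS:
        violations.append(f"signature algorithm {sig} is not SHA256/384/512 with RSA or ECDSA")
    elif sig in UNRESTRICTED_POLICY_SIG_ALGS:
        caveats.append(f"{sig} needs the unrestricted policy files on the IBM JDK")
    bits, ktype = cert.get("key_bits"), cert.get("key_type")
    if ktype == "RSA" and bits < MIN_RSA_BITS:
        violations.append(f"{bits}-bit RSA key is below the {MIN_RSA_BITS}-bit minimum")
    elif ktype == "EC" and bits < MIN_EC_BITS:
        violations.append(f"{bits}-bit EC curve is below the {MIN_EC_BITS}-bit minimum")
    elif ktype not in ("RSA", "EC"):
        violations.append("key type or size not reported by keytool; inspect the certificate directly")
    return violations, caveats


def check_ssl_elements(server_xml):
    """Flag every <ssl> element whose sslProtocol attribute is not TLSv1.2."""
    problems = []
    for ssl in ET.fromstring(server_xml).iter("ssl"):
        proto = ssl.get("sslProtocol")
        if proto != "TLSv1.2":
            problems.append(f"ssl id={ssl.get('id')}: sslProtocol={proto!r}, strict mode requires TLSv1.2")
    return problems


def audit(keytool_output, server_xml):
    """Return {name: {"violations": [...], "caveats": [...]}} for each alias and for server.xml."""
    report = {}
    for alias, certs in parse_keytool_listing(keytool_output).items():
        violations, caveats = [], []
        for i, cert in enumerate(certs, 1):
            v, c = check_certificate(cert)
            violations += [f"cert[{i}]: {m}" for m in v]
            caveats += [f"cert[{i}]: {m}" for m in c]
        report[alias] = {"violations": violations, "caveats": caveats}
    report["server.xml"] = {"violations": check_ssl_elements(server_xml), "caveats": []}
    return report


if __name__ == "__main__":
    for name, result in audit(SAMPLE_KEYTOOL_OUTPUT, SAMPLE_SERVER_XML).items():
        status = "OK" if not result["violations"] else "NOT COMPLIANT"
        print(f"{name}: {status}")
        for m in result["violations"] + result["caveats"]:
            print(f"  - {m}")
```

Run it against real output with `keytool -list -v -keystore key.p12 -storepass <pw>` saved to a file and the server.xml read in; every certificate of a PrivateKeyEntry chain is checked, since an intermediate signed with SHA1 fails strict mode just as a leaf does.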
For more information about the SP800-131a standard, see the National Institute of Standards and Technology.
You can configure Liberty to run in SP800-131a strict mode or transition mode as follows: