Setting up Liberty to run in SP800-131a

You can set up Liberty to meet the SP800-131a requirement that is originated by the National Institute of Standards and Technology (NIST).

About this task

SP800-131a requires longer key lengths and stronger cryptography. The specification also provides a configuration to enable users to move to a strict enforcement of SP800-131a. The configuration also enables users to run with a mixture of settings from both FIPS140-2 and SP800-131a. SP800-131a can be run in two modes, transition and strict. The transition mode is offered to give users a setting to move their environment to SP800-131a strict mode. In transition mode, it is optional to use the SP800-131a required certificates and to set the protocol to SP800-131a.

Strict enforcement of SP800-131a requirements on Liberty includes the following:
  • The use of the TLSv1.2 protocol for the Secure Sockets Layer (SSL) context.
  • Certificates must have a minimum length of 2048. Elliptical Curve (EC) certificates require a minimum size of 244-bit curves.
  • Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512. Valid signature algorithms include:
    • SHA256withRSA
    • SHA384withRSA
    • SHA512withRSA
    • SHA256withECDSA
    • SHA384withECDSA
    • SHA512withECDSA
    Note: If SHA384withECDSA or SHA512withECDSA is used, the unrestricted policy file needs to be in place for the IBM® JDK.
  • SP800-131a approved Cipher suites.
Note: To configure a Liberty server to run in SP800-131a mode, users must be running with a level of the IBM JDK that supports SP800-131a. The minimal levels of the IBM JDK include Java™ 6 sr 10, Java 6.0.1 sr 2, or Java 7.

For more information about the SP800-131a standard, see the National Institute of Standards and Technology.

You can configure Liberty to run in SP800-131a strict mode or transition mode as follows:

Procedure

  • Configure Liberty to run in SP800-131a strict mode.
    1. Make sure that you are running on a level of the IBM JDK that supports SP800-131a.
    2. Make sure that certificates of your server meet the criteria for SP800-131a.
      • Certificates have a minimum length of 2048 and Elliptical Curve (EC) certificates have a minimum size of 244-bit curves.
      • Certificates are signed with at least SHA256 or signed with one of the signature algorithms listed previously.
    3. Configure your SSL Configuration to use the TLSv1.2 protocol. See Enabling SSL communication in Liberty and SSL configuration attributes for more details.
    4. When using collectives, if the sslProtocol is updated, two configuration changes must be made:
      • ${wlp.install.dir}/etc/server.env must specify the -Dhttps.protocols property in order for the ${wlp.install.dir}/bin/collective utility to successfully communicate with the controller.

        For example:

        JVM_ARGS=-Dhttps.protocols=TLSv1.2
      • Each internal collective replication SSL configuration (ssl id) must be updated with the desired protocol.

        For Example:

        <ssl id="controllerConnectionConfig" sslProtocol="TLSv1.2"/>
        <ssl id="memberConnectionConfig" sslProtocol="TLSv1.2"/>
    5. Optional: If Elliptical Curve (EC) ciphers are required, list them in the enabledCiphers attribute.
      EC ciphers are not included when cipher lists are generated using the securityLevel attribute of the SSL Configuration. For the full list of ciphers, see the Java Technology Security information.
    6. The Java Secure Socket Extension (JSSE) is enabled to run in SP800-131a strict mode by setting the system property com.ibm.jsse2.sp800-131 to strict. For example, -Dcom.ibm.jsse2.sp800-131=strict. See Customizing the Liberty environment for how to set system properties in the jvm.options file.
  • Configure Liberty to run in SP800-131a transition mode.
    1. Make sure that you are running a level of the IBM JDK that supports SP800-131a.
    2. Optional: If Elliptical Curve (EC) ciphers are required, list them in the enabledCiphers attribute.
      EC ciphers are not included when cipher lists are generated using the securityLevel attribute of the SSL Configuration. For the full list of ciphers, see the Java Technology Security information.
    3. The JSSE is enabled to run in SP800-131a transition mode by setting the system property com.ibm.jsse2.sp800-131 to transition. For example, -Dcom.ibm.jsse2.sp800-131=transition. See Customizing the Liberty environment for how to set system properties in the jvm.options file.
    Note: If you change your protocol to use TLSv1.2, make sure that your browser supports TLSv1.2.
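The certificate criteria from step 2 of the strict-mode procedure (minimum key length, minimum EC curve size, approved signature algorithms) can be checked before switching the JSSE to strict mode. The following added example is not IBM's code; it parses the `Signature algorithm name:` and `Subject Public Key Algorithm:` lines of `keytool -list -v` output (the line formats are assumed; the sample listing is constructed) and reports why each alias would be rejected.

```python
import re

# Signature algorithms this page lists as valid in SP800-131a strict mode.
APPROVED_SIG_ALGS = {
    "SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
    "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA",
}
MIN_KEY_BITS = 2048  # minimum length for non-EC certificates
MIN_EC_BITS = 244    # minimum EC curve size as stated on this page

# Constructed sample of `keytool -list -v` output (not from a real keystore);
# only the lines the parser reads are shown.
SAMPLE_LISTING = """\
Alias name: default
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Alias name: legacy
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
Alias name: ecdsa
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC key
"""

def parse_keytool_listing(text):
    """One dict per certificate: alias, sig_alg, key_type, bits."""
    certs, alias = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Signature algorithm name:"):
            certs.append({"alias": alias, "sig_alg": line.split(":", 1)[1].strip()})
        elif line.startswith("Subject Public Key Algorithm:") and certs:
            m = re.search(r"(\d+)-bit (\w+) key", line)
            if m:
                certs[-1]["bits"], certs[-1]["key_type"] = int(m.group(1)), m.group(2)
    return certs

def strict_mode_problems(cert):
    """Reasons a certificate fails the SP800-131a strict criteria listed above."""
    problems = []
    if cert.get("sig_alg") not in APPROVED_SIG_ALGS:
        problems.append("signature algorithm %s not approved" % cert.get("sig_alg"))
    bits, key_type = cert.get("bits", 0), cert.get("key_type")
    minimum = MIN_EC_BITS if key_type == "EC" else MIN_KEY_BITS
    if bits < minimum:
        problems.append("%s key is %d bits, minimum is %d" % (key_type, bits, minimum))
    return problems
```

Run it against the real output of `keytool -list -v -keystore <your keystore>` for the server's keystore and truststore; any alias with a non-empty problem list must be replaced before setting com.ibm.jsse2.sp800-131 to strict.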