SP800-131A compliance

SP800-131A compliance strengthens security by requiring the use of stronger cryptographic keys and more robust algorithms.

To specify that SP800-131A transition or strict compliance is required, set the Java™ system property com.ibm.jsse2.sp800-131 as follows:
com.ibm.jsse2.sp800-131=<transition|strict|off>

Set the property for the Java client application in local mode and the Gateway daemon in remote mode. For strict support on an SSL connection between a Java client application and the Gateway daemon, both the Java client application and Gateway daemon must specify com.ibm.jsse2.sp800-131=strict.

Additionally, for strict support with .NET Framework-based clients, the SslGatewayConnection property must be configured to use TLS 1.2. This property can be set with the EnabledSslProtocols property or with the CtgSslProtocols application configuration setting.

If cipher suites that use AES_256 are in use, the Gateway daemon JVM must be updated with the Unrestricted JCE policy files, placed in the <install_path>/jvm170/lib/security/ directory. To obtain the Unrestricted JCE policy files and for more information, see IBM® SDK Policy Files.
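As an added example (not code from the CICS Transaction Gateway product or its documentation), the following Java pre-flight check can be run in the Gateway daemon JVM or a Java client JVM before an SP800-131A deployment goes live: it validates the com.ibm.jsse2.sp800-131 value, confirms TLS 1.2 is available when strict mode is requested, and uses Cipher.getMaxAllowedKeyLength to detect whether the Unrestricted JCE policy files are installed before AES_256 cipher suites are enabled. The class name Sp800131Check and the treatment of an unset property as off are assumptions.

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Pre-flight check for an SP800-131A deployment (hypothetical helper, not part of the product). */
public class Sp800131Check {

    /** The three documented values of com.ibm.jsse2.sp800-131. */
    static final List<String> VALID_MODES = Arrays.asList("transition", "strict", "off");

    /** Returns the problems found; an empty list means the JVM is ready. */
    public static List<String> check() throws NoSuchAlgorithmException {
        List<String> problems = new ArrayList<>();

        // 1. The property must hold one of the documented values (assumption: unset means off).
        String mode = System.getProperty("com.ibm.jsse2.sp800-131", "off");
        if (!VALID_MODES.contains(mode)) {
            problems.add("com.ibm.jsse2.sp800-131 has unexpected value '" + mode + "'");
        }

        // 2. Strict mode requires TLS 1.2, so the default SSLContext must support it.
        if ("strict".equals(mode)) {
            SSLContext ctx = SSLContext.getDefault();
            List<String> protocols = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
            if (!protocols.contains("TLSv1.2")) {
                problems.add("TLSv1.2 is not supported by the default SSLContext");
            }
        }

        // 3. AES_256 cipher suites need the unrestricted JCE policy files; with restricted
        //    policy files the maximum allowed AES key length is 128 bits.
        int maxAesBits = Cipher.getMaxAllowedKeyLength("AES");
        if (maxAesBits < 256) {
            problems.add("AES key length is limited to " + maxAesBits
                + " bits; install the Unrestricted JCE policy files before enabling AES_256 suites");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        List<String> problems = check();
        if (problems.isEmpty()) {
            System.out.println("SP800-131A pre-flight: OK");
            return;
        }
        problems.forEach(p -> System.out.println("SP800-131A pre-flight: " + p));
        System.exit(1);
    }
}
```

Run it with the same -D option the daemon or client will use, for example java -Dcom.ibm.jsse2.sp800-131=strict Sp800131Check, so the check sees the property value that will actually be in effect.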

CICS® Transaction Gateway supports SP800-131A strict mode on IPIC SSL connections in local and remote mode to CICS Transaction Server and IBM TXSeries® versions which also support SP800-131A strict mode. This includes support for requests from IBM WebSphere® Application Server using the CICS ECI resource adapter.

For more information, see the National Institute of Standards and Technology (NIST) Special Publication 800-131A at http://csrc.nist.gov/publications/nistpubs/800-131A/SP800-131A.pdf.