Using OFTP in NIST 800-131a compliance mode
Sterling B2B Integrator supports OFTP 1.2, OFTP 1.3, OFTP 1.4, and OFTP 2.0; however, only OFTP 2.0 supports secure communications.
TLS Support
The OFTP 2 RFC requires TLS; earlier SSL versions are not supported. Therefore, only TLS 1.0, TLS 1.1, and TLS 1.2 are supported. The protocol range is defined by the property OFTP.Global.HelloProtocol in OdetteFTP.properties. The default value is OFTP.Global.HelloProtocol=TLS1-TLS1.2.
Ciphers Supported
The cipher suites supported by OFTP 2.0 are:

Cipher Suite | Symmetric | Asymmetric | Hashing
---|---|---|---
01 | 3DES_EDE_CBC_3KEY | RSA_PKCS1_15 | SHA-1
02 | AES_256_CBC | RSA_PKCS1_15 | SHA-1
TLS Certificate Download
The TLS certificate download functionality of OFTP is NOT functional in strict mode. The XML file on the ODETTE site is signed with a certificate algorithm that is not NIST 800-131a compliant and is therefore not permitted in strict mode.
Certificate Exchange
When using automatic certificate exchange, the root certificate and/or the auth chain must be present at the receiver's end. The automatic certificate exchange fails if the root or auth chain is not NIST 800-131a compliant.
- When configuring a new adapter or profile, only NIST 800-131a compliant certificates and Cipher strength are available.
- If any non-compliant adapter, certificate, or profile configuration is found, the adapter will not be enabled, the communication fails, and a status message about the non-NIST 800-131a compliance appears.
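The following pre-flight check is an added example and is not part of Sterling B2B Integrator; it shows the two checks this page describes, the TLS range in OFTP.Global.HelloProtocol and the compliance of each certificate in the partner's chain, so that a non-compliant adapter or chain is caught before the product refuses to enable it. The rules it applies (TLS only, RSA keys of at least 2048 bits, EC keys of at least 224 bits, SHA-2 signature hashes) are this example's reading of NIST SP 800-131a, not the product's exact validation logic, and the certificate chains are constructed metadata rather than real certificates.

```python
"""Pre-flight check for an OFTP 2.0 adapter in NIST SP 800-131a strict mode.

Added example, not Sterling B2B Integrator code. The compliance rules below
are an assumption based on SP 800-131a: TLS only (no SSL), RSA keys >= 2048
bits, EC keys >= 224 bits, and SHA-2 signature hashes.
"""
import re

# Protocol names as used in the OFTP.Global.HelloProtocol property ("TLS1" is TLS 1.0).
# Ordering and the SSL3 name are assumptions for this example.
PROTOCOL_ORDER = ["SSL3", "TLS1", "TLS1.1", "TLS1.2"]
ALLOWED_PROTOCOLS = {"TLS1", "TLS1.1", "TLS1.2"}   # OFTP 2 permits TLS only
SHA2_HASHES = {"SHA224", "SHA256", "SHA384", "SHA512"}

# Constructed certificate-chain metadata (not real certificates). In practice
# these fields would be extracted from the partner's PEM files with an X.509 parser.
SAMPLE_CHAIN_OK = [
    {"subject": "CN=Partner OFTP", "key_alg": "RSA", "key_bits": 2048, "sig_hash": "SHA256"},
    {"subject": "CN=Partner Issuing CA", "key_alg": "RSA", "key_bits": 4096, "sig_hash": "SHA384"},
    {"subject": "CN=Partner Root CA", "key_alg": "RSA", "key_bits": 4096, "sig_hash": "SHA256"},
]
SAMPLE_CHAIN_BAD = [
    {"subject": "CN=Partner OFTP", "key_alg": "RSA", "key_bits": 2048, "sig_hash": "SHA256"},
    {"subject": "CN=Legacy Root CA", "key_alg": "RSA", "key_bits": 1024, "sig_hash": "SHA1"},
]


def parse_hello_protocol(properties_text):
    """Return the (low, high) range from OFTP.Global.HelloProtocol, or None if unset."""
    m = re.search(r"^\s*OFTP\.Global\.HelloProtocol\s*=\s*(\S+)", properties_text, re.M)
    if not m:
        return None
    low, _, high = m.group(1).partition("-")
    return (low, high or low)          # a single value such as "TLS1.2" is a one-element range


def protocols_in_range(low, high):
    """Expand a range such as ("TLS1", "TLS1.2") into the protocol versions it enables."""
    i, j = PROTOCOL_ORDER.index(low), PROTOCOL_ORDER.index(high)
    return PROTOCOL_ORDER[i:j + 1]


def check_hello_protocol(properties_text):
    """Return (ok, message) for the TLS range configured in OdetteFTP.properties."""
    rng = parse_hello_protocol(properties_text)
    if rng is None:
        return (False, "OFTP.Global.HelloProtocol not set")
    try:
        enabled = protocols_in_range(*rng)
    except ValueError:
        return (False, f"unknown protocol name in {rng}")
    bad = [p for p in enabled if p not in ALLOWED_PROTOCOLS]
    if bad:
        return (False, f"non-TLS protocol enabled: {', '.join(bad)}")
    return (True, f"enabled: {', '.join(enabled)}")


def check_certificate(cert):
    """Return the list of SP 800-131a problems for one certificate (empty = compliant)."""
    problems = []
    if cert["key_alg"] == "RSA" and cert["key_bits"] < 2048:
        problems.append(f"RSA key {cert['key_bits']} bits < 2048")
    if cert["key_alg"] == "EC" and cert["key_bits"] < 224:
        problems.append(f"EC key {cert['key_bits']} bits < 224")
    if cert["sig_hash"].upper() not in SHA2_HASHES:
        problems.append(f"signature hash {cert['sig_hash']} is not SHA-2")
    return problems


def check_chain(chain):
    """Return (ok, messages); one non-compliant root or intermediate fails the whole exchange."""
    messages = [f"{cert['subject']}: {p}" for cert in chain for p in check_certificate(cert)]
    return (not messages, messages)


if __name__ == "__main__":
    print(check_hello_protocol("OFTP.Global.HelloProtocol=TLS1-TLS1.2\n"))
    print(check_hello_protocol("OFTP.Global.HelloProtocol=SSL3-TLS1.2\n"))
    print(check_chain(SAMPLE_CHAIN_OK))
    print(check_chain(SAMPLE_CHAIN_BAD))
```

The chain check reports every offending certificate rather than stopping at the first, which matches how the failure surfaces in practice: a single legacy root with a 1024-bit key or a SHA-1 signature is enough to make the automatic exchange fail, so all of them need replacing before the adapter can be enabled.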