Using adapters with SSL in NIST 800-131a compliance mode
For adapters using SSL, the only cipher strength available for selection during configuration is Strong. When running in NIST 800-131a strict mode, these cipher suites are supported:
- SSL_RSA_WITH_AES_128_CBC_SHA256
- SSL_RSA_WITH_AES_256_CBC_SHA256
NIST 800-131a compliant cipher suites
Only NIST 800-131a compliant cipher suites are used when running in NIST 800-131a compliance mode. Strong cipher suites can also be configured in off mode; however, only strong cipher suites can be used in strict mode.
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
- SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
- If NIST.800-131a=off, perform the following:
  - Stop Sterling B2B Integrator.
  - Add the following property to the customer_override.properties file:
    security.CipherSuiteDefault=SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,SSL_RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,SSL_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
  - Restart Sterling B2B Integrator.
- If NIST.800-131a=on, perform the following:
  - Stop Sterling B2B Integrator.
  - Add the following property to the customer_override.properties file:
    security.NISTCompliantCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
  - Restart Sterling B2B Integrator.
Each property value must be a single line with no whitespace inside a suite name; a name containing a space or line break is not a valid JSSE cipher suite name. Note also that the on-mode list still contains 3DES_EDE suites: NIST SP 800-131A Rev. 2 deprecates three-key Triple DES for encryption through 2023 and disallows it afterwards, so remove those entries from security.NISTCompliantCipherSuite unless a trading partner cannot negotiate AES.
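The property values above are long and easy to damage when pasted (a wrapped line leaves a space inside a suite name), and they mix AEAD, CBC and 3DES suites. The following script is an added example, not IBM code and not part of the product: it takes a property line as it would appear in customer_override.properties, rejects malformed names, classifies each suite by the NIST SP 800-131A Rev. 2 transitions, and reports duplicates. It assumes that IBM JSSE treats the SSL_ prefix as an alias for TLS_ (so the two spellings name the same suite); the sample property line is constructed for the demonstration.

```python
"""Audit a Sterling B2B Integrator cipher-suite property against NIST SP 800-131A.

Added example, not IBM code. Assumption: the SSL_ prefix is an alias for TLS_
in IBM JSSE, so both spellings of one suite are reported as duplicates here.
"""
import re

SUITE_RE = re.compile(r"^(SSL|TLS)_[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*$")

# Algorithms SP 800-131A disallows outright (single DES is matched separately
# on the exact "_DES_" token so that "3DES" does not trip it).
DISALLOWED = ("NULL", "EXPORT", "DES40", "RC4", "RC2", "MD5", "ANON", "IDEA")
# Three-key TDEA: deprecated through 2023, disallowed for encryption after that.
DEPRECATED = ("3DES_EDE",)


def parse_property(line):
    """Split 'security.Key=A,B,C' into (key, [A, B, C]). Tokens are deliberately
    not trimmed so that stray whitespace is caught by classify()."""
    key, sep, value = line.strip().partition("=")
    if not sep:
        raise ValueError("not a key=value property: %r" % line)
    return key.strip(), [t for t in value.split(",") if t != ""]


def classify(suite):
    """Return malformed | disallowed | deprecated | compliant-aead | compliant-cbc | unknown."""
    if not SUITE_RE.match(suite):
        return "malformed"
    kx, _, rest = suite[4:].partition("_WITH_")          # drop the SSL_/TLS_ prefix
    body = ("_%s_%s_" % (kx, rest)).upper()
    if any(bad in body for bad in DISALLOWED) or "_DES_" in body:
        return "disallowed"
    if any(old in body for old in DEPRECATED):
        return "deprecated"
    if "_GCM_" in body:
        return "compliant-aead"
    if "_AES_" in body and "_CBC_" in body:
        return "compliant-cbc"                            # SHA-1 as an HMAC is still allowed by 131A
    return "unknown"


def canonical(suite):
    """Fold the SSL_ alias onto TLS_ so duplicates can be spotted."""
    return "TLS_" + suite[4:] if SUITE_RE.match(suite) else suite


def audit(line):
    """Classify every suite in the property and list SSL_/TLS_ duplicates."""
    key, suites = parse_property(line)
    report = {"key": key, "results": {}, "duplicates": []}
    first_seen = {}
    for s in suites:
        report["results"][s] = classify(s)
        c = canonical(s)
        if c in first_seen and first_seen[c] != s:
            report["duplicates"].append((first_seen[c], s))
        first_seen.setdefault(c, s)
    return report


def strict_mode_ok(line):
    """True only if every suite is well-formed and neither disallowed nor deprecated."""
    return all(v.startswith("compliant") for v in audit(line)["results"].values())


# Constructed sample (not from the product): two good suites, one 3DES suite,
# one name damaged by a stray space, one RC4 suite and one SSL_/TLS_ duplicate.
SAMPLE = ("security.NISTCompliantCipherSuite="
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
          "TLS_RSA_WITH_AES_128_CBC_SHA256,"
          "TLS_RSA_WITH_3DES_EDE_CBC_SHA,"
          "SSL_RSA WITH_AES_256_GCM_SHA384,"
          "SSL_RSA_WITH_RC4_128_SHA,"
          "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384")

if __name__ == "__main__":
    report = audit(SAMPLE)
    for suite, verdict in report["results"].items():
        print("%-45s %s" % (suite, verdict))
    print("duplicates:", report["duplicates"])
    print("safe for strict mode:", strict_mode_ok(SAMPLE))
```

Run it against the real line from your customer_override.properties before restarting: anything reported as malformed or disallowed should be fixed first, and a deprecated verdict flags the 3DES entries discussed above.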
Client adapters with SSL
If a client adapter in strict mode is configured with a system certificate, CA certificate, or cipher strength that is not NIST 800-131a compliant, communication with the server fails.
If you receive such an error, reconfigure the adapter for NIST 800-131a compliance.
TLS Version
In strict mode, the parameter SSLHelloProtocolForNISTStrict in security.properties controls the TLS versions used. It is set to TLS1.2-ONLY; if you are running in NIST 800-131a strict compliance, do not change this value.
If NIST 800-131a is off, the parameter SSLHelloProtocol in security.properties controls the TLS versions used. It is set to TLS1-TLS1.2, which allows TLS 1.0, TLS 1.1, and TLS 1.2.
If you use TLS 1.2 in communication with your trading partner and client authentication for SSL is specified, the key length of the certificate used for client authentication must be at least 1024 bits; otherwise, you will get an “intended enc. msg. too short” error at the start of the SSL session with your trading partner. In this case, replace the certificate with one whose key length is at least 1024 bits. Note that NIST SP 800-131A itself requires RSA keys of at least 2048 bits, so in strict mode the client-authentication certificate must meet that higher minimum anyway.
TLS 1.2 is supported in Sterling B2B Integrator default mode, that is, when not running in NIST 800-131a compliance mode.
Mail Servers not supporting TLS 1.2
SMTP and B2B Mail Client adapters communicate through the mail server. If that mail server does not support TLS 1.2, every SSL connection to it fails with a handshake error when you run in NIST 800-131a strict mode, because strict mode offers only TLS 1.2.
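Before switching strict mode on, it is worth confirming which TLS versions each mail server and trading-partner endpoint will actually negotiate. The following probe is an added example, not IBM code and not part of the product: for each of TLS 1.0, 1.1 and 1.2 it attempts one handshake that offers only that version, optionally after SMTP STARTTLS for the mail-server case, and then states whether the peer can satisfy the TLS1.2-ONLY behaviour described above. Host and port are placeholders given on the command line; the script also assumes that your Python/OpenSSL build still permits TLS 1.0 and 1.1 on the client side (recent builds refuse them, which then shows up as refused for those versions regardless of the server).

```python
"""Probe which TLS versions a peer negotiates before enabling NIST 800-131a strict mode.

Added example, not IBM code. Host/port are placeholders; certificate validation
is disabled because this is a version diagnostic only.
"""
import smtplib
import socket
import ssl

VERSIONS = {
    "TLSv1":   ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
# The two product settings quoted above, as the versions the client may offer.
STRICT_VERSIONS = {"TLSv1.2"}                        # SSLHelloProtocolForNISTStrict=TLS1.2-ONLY
DEFAULT_VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2"}   # SSLHelloProtocol=TLS1-TLS1.2


def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = VERSIONS[version]
    ctx.maximum_version = VERSIONS[version]
    # Diagnostic probe only: certificate validation is off so an untrusted chain
    # is not mistaken for a version problem. Never do this in production code.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def handshake(host, port, version, starttls=False, timeout=5.0):
    """Return (True, cipher name) on success or (False, error text) on failure."""
    try:
        ctx = pinned_context(version)
        if starttls:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.starttls(context=ctx)
                return True, smtp.sock.cipher()[0]
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except (OSError, ValueError) as exc:   # SSLError and SMTPException are OSErrors
        return False, str(exc)


def probe(host, port, starttls=False):
    """Map each TLS version to the handshake outcome against this peer."""
    return {v: handshake(host, port, v, starttls) for v in VERSIONS}


def strict_mode_verdict(results):
    """Pure policy decision on probe output: strict mode needs TLS 1.2 from the peer."""
    accepted = {v for v, (ok, _) in results.items() if ok}
    if accepted & STRICT_VERSIONS:
        return "ok: peer accepts TLS 1.2; NIST strict mode can negotiate"
    if accepted & DEFAULT_VERSIONS:
        return ("fail: peer only accepts " + ", ".join(sorted(accepted)) +
                "; strict mode handshakes will fail")
    return "fail: no TLS handshake succeeded at any version"


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:                              # e.g. mail.example.net 587 --starttls
        host, port = sys.argv[1], int(sys.argv[2])
        results = probe(host, port, starttls="--starttls" in sys.argv)
        for version, (ok, detail) in results.items():
            print("%-8s %s %s" % (version, "accepted" if ok else "refused", detail))
        print(strict_mode_verdict(results))
```

A peer that answers only on TLS 1.0 or 1.1 here is exactly the mail server this section warns about: the product's strict-mode handshake will fail against it until the server is upgraded or strict mode is left off for that connection.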