Using CLA2 in NIST 800-131a compliance mode
CLA2 supports NIST 800-131a compliance when it is run in NIST 800-131a compliance mode.
- When installing Sterling B2B Integrator v6.1.0 Fix Pack 2, new certificates are created to support CLA2 for NIST 800-131a compliance.
- If you are upgrading from Sterling B2B Integrator v6.1.0 Fix Pack 1, any certificates that are non-compliant with NIST 800-131a are replaced with new, compliant certificates when Fix Pack 2 is applied.
- If you are upgrading from a Fix Pack that does not have CLA2 SSL implemented, new certificates are created.
Certificate Changes
In order to maintain compliance, the cla2ssl private key certificate (used for SSL) and the cla2auth public certificate (used for command signature verification) were changed to use a key length of 2048 bits and a default signing algorithm of SHA256withRSA for server authentication.
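The key-length and signing-algorithm requirements above can be verified on the cla2ssl and cla2auth certificates before strict mode is switched on. The following Python script is an added example, not IBM tooling or part of Sterling B2B Integrator: it walks the DER encoding of a certificate with only the standard library and reports whether the RSA modulus is at least 2048 bits and whether the signature algorithm is SHA256withRSA. The build_sample_cert helper is an assumption of this example; it constructs a synthetic, unsigned certificate so the script can run without a real product certificate, and its values are constructed rather than taken from any installation.

```python
# Added example: checks an X.509 certificate against the NIST SP 800-131A
# requirements named for CLA2 strict mode (RSA key >= 2048 bits, SHA256withRSA).
# Standard library only; not IBM product code.
import base64
import sys

OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
OID_SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
OID_SHA1_WITH_RSA = "1.2.840.113549.1.1.5"      # legacy, disallowed by SP 800-131A
SIG_NAMES = {OID_SHA256_WITH_RSA: "SHA256withRSA", OID_SHA1_WITH_RSA: "SHA1withRSA"}
MIN_RSA_BITS = 2048


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def check_certificate(der_bytes):
    """Return key size, signature algorithm and the list of SP 800-131A problems found."""
    _, cert, _ = read_tlv(der_bytes, 0)
    tbs, sig_alg, _signature = children(cert)     # Certificate ::= SEQUENCE { tbs, alg, sig }
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version; drop it so
        fields = fields[1:]                # the remaining fields are positional
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_alg, spki_key = children(fields[5][1])
    key_alg = decode_oid(children(spki_alg[1])[0][1])
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    problems, key_bits = [], None
    if key_alg == OID_RSA_ENCRYPTION:
        rsa_seq = children(spki_key[1][1:])[0][1]     # skip the BIT STRING unused-bits octet
        modulus = children(rsa_seq)[0][1]             # RSAPublicKey ::= SEQUENCE { n, e }
        key_bits = int.from_bytes(modulus, "big").bit_length()
        if key_bits < MIN_RSA_BITS:
            problems.append(f"RSA modulus is {key_bits} bits; strict mode needs >= {MIN_RSA_BITS}")
    else:
        problems.append(f"public key algorithm {key_alg} is not RSA; not checked by this script")
    if sig_oid != OID_SHA256_WITH_RSA:
        problems.append(f"signature algorithm is {SIG_NAMES.get(sig_oid, sig_oid)}, not SHA256withRSA")
    return {"key_bits": key_bits, "signature_algorithm": SIG_NAMES.get(sig_oid, sig_oid),
            "compliant": not problems, "problems": problems}


def load_certificate(path):
    """Read a DER certificate, or a PEM one (its base64 body is decoded to DER)."""
    data = open(path, "rb").read()
    if b"-----BEGIN" in data:
        body = b"".join(line for line in data.splitlines() if not line.startswith(b"-----"))
        data = base64.b64decode(body)
    return data


# --- constructed sample input so the script runs without a real certificate ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return out


def encode_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return der(0x02, b"\x00" + b if b[0] & 0x80 else b)


def build_sample_cert(key_bits, sig_oid):
    """Synthetic, unsigned certificate (dummy signatureValue); constructed for this demo only."""
    alg = lambda oid: der(0x30, der(0x06, encode_oid(oid)) + der(0x05, b""))
    modulus = (1 << (key_bits - 1)) | 1           # odd value with exactly key_bits bits
    rsa_key = der(0x30, encode_int(modulus) + encode_int(65537))
    spki = der(0x30, alg(OID_RSA_ENCRYPTION) + der(0x03, b"\x00" + rsa_key))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    tbs = der(0x30, der(0xA0, encode_int(2)) + encode_int(1) + alg(sig_oid)
              + der(0x30, b"") + validity + der(0x30, b"") + spki)
    return der(0x30, tbs + alg(sig_oid) + der(0x03, b"\x00" * 33))


if __name__ == "__main__":
    certs = [load_certificate(p) for p in sys.argv[1:]] or [
        build_sample_cert(2048, OID_SHA256_WITH_RSA), build_sample_cert(1024, OID_SHA1_WITH_RSA)]
    for c in certs:
        print(check_certificate(c))
```

Run it with the paths of the exported cla2ssl and cla2auth certificates (DER or PEM) as arguments; with no arguments it checks the two constructed samples, one compliant and one with a 1024-bit key signed with SHA1withRSA. A non-empty problems list is the same condition that makes the adapter information page report the certificate as not compliant.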
TLS Version
The default version of TLS protocol used is TLS 1.0; however, if you are using NIST 800-131a strict mode, you must use the TLS protocol version TLS 1.2.
CLA2 Server Changes
CmdLine2server.properties – "NIST.800-131a = off | strict"
When this property is set, the remote client is started in the configured mode, and the security parameters are loaded automatically and used for communication.
CLA2 Communication
If you are in strict mode, the communication should only be configured with an IBM NIST 800-131a compliant JDK. Both the client and the server must be in the same mode (NIST 800-131a compliance on or off); any mismatch causes a communication failure. The certificates used for authentication and the SSL setup must be NIST 800-131a compliant.
Runtime
When using CLA2 communication, security parameters such as the certificates and the underlying JDK must be configured correctly. If the adapter is configured with non-NIST 800-131a compliant certificates, an error appears on the information page, highlighted in red, with the message "Not NIST SP800-131a compliant".