Security certificates

You can choose between different security certificates before you install Sterling B2B Integrator: the default self-signed SSL (Secure Sockets Layer) certificate that is automatically generated by the installation or a Certificate Authority-related certificate that you generate before you install the software.

If you install with the default SSL certificate, but you later want to switch to a CA-related certificate, you can change the certificate with the sslCert property in the noapp.properties_platform_ifcresources_ext.in file.

Some of the important considerations when using certificates are given below:

TLS version

Ensure that only TLS1.2 is used for certificate-based encryption. Other valid options are TLS 1.0, TLS 1.1
Ensure that NIST.800-131a=strict mode is set. If NIST strict mode is not enabled, then each interface will have to be validated individually.

HSM certificates

Store all active system certificates on an HSM. Sterling B2B Integrator supports the following HSM devices: SafeNet Luna SA nCipher and nShield Connect.
By default, all system certificates are stored in a database and protected by a system passphrase.
Sterling B2B Integrator stores an entry in the CERTS_AND_PRI_KEY table for each key pair and certificate.
```
select * from CERTS_AND_PRI_KEY where NOT_AFTER > sysdate;
KEY_STORE_TYPE !-= SCIKS
```
Related documentation: Hardware Security Module (HSM)

Certificate for document encryption

The system uses a predefined certificate (doccrypto) to encrypt documents. Change the default certificate and use an HSM-based certificate for encrypting documents.
Related documentation: Document Encryption

CRL validation

Enable Certificate Revocation List validation for trusted and CA certificates.
By enabling CRL validation, Sterling B2B Integrator will check the CRL server of the CA certificate to see if the certificate has been revoked. If the server is unable to find the CRL of the certificate, the validation continues. If the certificate is revoked, the server suspends the user and no further transactions are allowed.
Query the CRL_INFO table, which contains the CRL details, to list all certificates that has been revoked.
```
Select * from CRL_INFO
```

OCSP

Enable Online Certificate Status Protocol support for certificate validation. Similar to CRL, OCSP is used to check if certificates have been revoked.
Configuration details are is stored in the table OCSP_RESPONDER.
Execute the script ""./ManageOCSPResponder.sh"" from the bin directory to list all current configurations.
The CERTS_AND_PRI_KEY and TRUSTED_CERT_INFO tables should have valid values in the OCSP column.
Related documentation: Online Certificate Status Protocol (OCSP)

Proxy servers

Proxy servers should be secured with TLS1.2 and must be validated via DB lookup.

SSL/TLS - RFC 5746 compliance

Ensure that remote clients and servers are RFC 5746 compliant.
Set this property in the security.properties file to BOTH to force all negotiations to require RFC 5746 - com.ibm.jsse2.extended.renegotiation.indicator. This ensures that the server or client connects only if the peer indicated support for RFC 5746 renegotiation.
Ensure that you allow only secured RFC 5746 renegotiations. This setting is enabled by default in the security.properties file with the value com.ibm.jsse2.renegotiate=NONE. Any other value is a less secure configuration.
You can also set this parameter in the customer_overrides.properties file - security.com.ibm.jsse2.renegotiate=NONE. This takes precedence over the value specified in the security.properties file.
You must also ensure that the peer support setting comply with what is specified in RFC 5746. Use this property to change the renegotiation ability of IBM JSSE2 to require the peer support that is specified in RFC 5746. Set the following parameter in customer_overrides.properties file - security.com.ibm.jsse2.renegotiation.peer.cert.check=ON.
Related documentation: SSL/TLS renegotiation (V5.2.6 or later)

SSL/TLS - CBC protection

Ensure that CBC Protection is enabled.
In Sterling B2B Integrator V5.2.6 and higher, ensure that all instances of jsse.enableCBCProtection are set to true in all tmp.sh* files.
In Sterling B2B Integrator v5.2.5 and lower, ensure that -DDisableSSLEmptyRecords=true is NOT present in the tmp.sh* files in the bin directory.
For SSH protocol ensure the supportCBCCipher parameter is set to false.

Common Name checking

You can opt for the additional authentication that is performed by checking the common name in the certificate against the server's fully qualified domain name from a reverse Domain Name Server (DNS) lookup where the server's fully qualified domain name can be obtained. For more information, see About Implementing SSL in Sterling B2B Integrator.

Certificates validation in Auth Chain

Ensure that full Auth Chain checking is performed before a certificate is used. If a chain of trust cannot be constructed using valid certificates, the certificate is not used.
```
Select * from CA_CERT_INFO where verify_on_use 
not like '%authchain%'
```
For more information, see Certificate Validation in Auth Chain for NIST 800-131a compliance mode.

Validity checking of certificates

Verify that the validity period of the certificate are still valid. If the validity has expired, the certificate is not used.
```
Select * from CA_CERT_INFO where verify_on_use 
not like '%validity%'
```

Enable TLS support for the GPM

The noapp.properties_platform_ifcresources_ext and noapp.properties_platform_ifcresources_ext.in files should contain the default jsseProtocol=TLS1.2 parameter.
It is recommended that you update both these files at the same time or update thecustomer_overrides.properties file to add overrides using the noapp.jsseProtocol=TLS1.2 parameter.

Disable insecure administration interfaces

Enable automatic redirect to HTTPS so that insecure administration interfaces are not used.
Set the following parameter values in the customer_overrides.properties file to automatically redirect a user to the HTTPS instance of the web application:
```
HTTPS_REDIRECT_WARS=admin,dashboard,gbm,communitymanagement,myaft,portlets 
HTTPS_LIST_PORT=<http_server_adapter_port or base_ssl_port>
```
Related documentation: Enable Auto-Redirect to HTTPS

Enable client certificate checking

Enable client authentication for the respective clients. By default, only server authentication is enabled. Client authentication is performed when a server sends a certificate request to a client during the handshake. If the client certificate or chain is verified and the certificate verify message is verified, the handshake proceeds further.

Cipher Suites

Before you use Sterling B2B Integrator, you should review the available, predefined cipher lists and customize them according to your company's security requirements.
Sterling B2B Integrator supports only RSA keys for SSL layer encryption.
The IBM recommended signature algorithm is SHA256withRSA and SSH key format is RSA.
Cipher strengths are configured in security.properties or in customer_overrides.properties. You must select StrongCipherSuite (UI selection is STRONG) to add supported strong cipher suites you want to use with Sterling B2B Integrator.

The following ciphers are currently defined within the application as "strong" ciphers:

StrongTLS1.2OnlyCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256

The SQL query varies based on the protocol, but the keys will be in the name/value columns in the following queries:

select * from service_instance si inner join service_inst_parms sip on 
si.service_id=sip.service_id and si.parm_version=sip.parm_version 
where def_name = 'CDSERVER_ADAPTER';

select * from service_instance si inner join service_inst_parms sip on 
si.service_id=sip.service_id and si.parm_version=sip.parm_version 
where def_name = 'HttpServerAdapter';

select * from service_instance si inner join service_inst_parms sip on 
si.service_id=sip.service_id and si.parm_version=sip.parm_version 
where def_name = 'FtpServerAdapter';

select * from service_instance si inner join service_inst_parms sip on 
si.service_id=sip.service_id and si.parm_version=sip.parm_version 
where def_name = 'SFTPServerAdapter';

select * from service_instance si inner join service_inst_parms sip on 
si.service_id=sip.service_id and si.parm_version=sip.parm_version 
where def_name = 'SWIFTNet7ServerService';

select * from service_instance si inner join service_inst_parms sip on 
si.service_id=sip.service_id and si.parm_version=sip.parm_version 
where def_name = 'EBICSServerService';

Message Digest

Use secure hash algorithms, namely SHA2 and SHA512, to verify the integrity of data through message digest.