Configuring compliance for NIST SP 800-131A in the database server and client

Edit online

You can configure the IBM® Engineering Requirements Management DOORS® (DOORS ) database server and client to communicate over secure sockets in compliance with the National Institute of Standards and Technology Special Publications (NIST SP) 800-131A standard.

Before you begin

Back up your computer registry before you do this procedure.

About this task

The NIST SP 800-131A standard specifies algorithms to use to strengthen security and encryption strengths. In strict mode, all communications must conform to SP 800-131A. For example, if the DOORS client does not use strict mode but the DOORS server does, the server cannot authenticate users by using certificate login. Strict mode requires Transport Layer Security (TLS) 1.2 protocol and SHA2 certificates. To strengthen strict mode, you can require that the full certificate chain, and not only the end certificate, is checked for SHA2 certificates.

This configuration is optional. It might impact performance, and it might require new certificates.

Important: If an invalid combination of settings is entered in the registry, the database server might appear to be started as a Windows service. But clients cannot connect to the server and the service cannot be stopped by using the Services control panel. You can stop the doorsd.exe process by using Task Manager.
Note: You must set Internet Explorer to use TLS v1.2 if you want to use strict (SP800-131A) encryption in the DOORS client. Only Internet Explorer v8 and later support TLS v1.2. In Internet Explorer, select Tools > Internet Options . On the Advanced tab, scroll to the Security section and mark the TLS 1.2 checkbox.
Table 1. Command line switches
Switch Description
-sp800-131 When this switch is used alone, it enforces strict compliance. To strengthen this switch, use the additional, optional switch.
-strictSha2 This option strengthens strict mode by requiring that the full certificate chain, and not only the end certificate, is checked for SHA2 certificates. For example, a DOORS server that uses an SHA2 certificate that has an SHA1 root can start in secure mode if only SP 800-131A is used. However, if both SP 800-131A and strictSha2 are specified, the server cannot start in secure mode.

Procedure

To configure the DOORS client and database server to comply with NIST SP 800-131A:

  1. Open a command line and then start the database server and enter options from the table by using the doorsd command.
    For example, doorsd -sp800-131 -strictSha2
  2. From the command line, start the client and enter options from the table by using the doors command. 
    doors -sp800-131 -strictSha2
    For example, doors -sp800-131 -strictSha2
  3. Open your computer registry and navigate to one of the following locations:

    For 9.7.2.10 and earlier versions,

    • 64-bit OS: HKEY_LOCAL_MACHINE\SOFTWARE\Telelogic\DOORS\9.7\Config
    • 32-bit OS: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Telelogic\DOORS_Server\9.7\Config
    For 9.7.2.11 and later versions,
    • DOORS Client (64-bit OS): HKEY_LOCAL_MACHINE\SOFTWARE\Telelogic\DOORS\9.7\Config
    • DOORS Server (64-bit OS): HKEY_LOCAL_MACHINE\SOFTWARE\Telelogic\DOORS_Server\9.version\Config
  4. Add the following string values to this section with the corresponding value data:
    Table 2. Registry values and data
    String value Value data
    strictSha2 true
    sp800-131 true
    certName <certificate name>*
    *The certName string value identifies the label of the certificate that identifies the server during secure authentication. The default label is IBMSV1.
  5. Stop and start the DOORS database server.