Configuring IBM HTTP Server to support TLS 1.2 for NIST SP 800-131
To comply with the US government SP 800-131 security standard, you can configure the IBM HTTP Server to support the Transport Layer Security (TLS) 1.2 protocol.
Procedure
- Convert all certificates to the SP800-131 security standard:
  - In WebSphere Application Server Integrated Solutions Console, click Security > SSL certificate and key management.
  - Click Manage FIPS and then click Convert certificates.
  - Ensure that the Algorithm setting is Strict.
  - For the New certificate key size, select 2048 bits.
  - Click OK and save directly to the master configuration.
- After conversion, you must temporarily disable SP800-131 so that IBM HTTP Server (IHS) can be configured:
  - In WebSphere Application Server Integrated Solutions Console, click Security > SSL certificate and key management.
  - Click Manage FIPS and then select Disable FIPS.
  - Restart the WebSphere Application Server node to apply the changes.
- Import the converted self-signed certificate into the plugin-key.kdb file. For more information, see Importing the WebSphere Application Server certificate into the IBM HTTP Server plug-in.
- Re-enable SP800-131 on the Manage FIPS page of Integrated Solutions Console and then restart WebSphere Application Server to enforce SP800-131 Strict mode.
- In the directory where IBM HTTP Server is installed, locate the httpd.conf file.
- Open the file for editing and add the following directives to enable TLS 1.2. Replace 9443 with the port number that your server uses.

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 9443
    <VirtualHost *:9443>
    SSLEnable
    SSLFIPSEnable
    SSLProtocolEnable TLSv12
    SSLProtocolDisable SSLv2 SSLv3 TLSv1 TLSv11
    SSLServerCert selfSigned
    KeyFile "/opt/IBM/HTTPServer/conf/webserver0.kdb"
    </VirtualHost>
- If your WebSphere Application Server version is 8.5.0 or later, open the plugin-cfg.xml file and enable the custom property StrictSecurity="true".
  Note: If the IBM HTTP Server is remote, set the property FIPSEnable="true" in addition to StrictSecurity="true".
- Restart the IBM HTTP Server.
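To confirm that an httpd.conf SSL VirtualHost actually matches the snippet above before restarting, the following checker (an added example, not IBM tooling) parses each VirtualHost block and reports any directive that still leaves SSLv2, SSLv3, TLS 1.0 or TLS 1.1 enabled, FIPS off, or the key file unset. The two sample fragments are constructed; the only assumption is the `<VirtualHost *:port>` layout used in the procedure.

```python
import re  # constructed checker; assumes the VirtualHost layout shown in the procedure

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv11"}  # must be disabled for SP 800-131

def parse_vhosts(conf):
    """Map each <VirtualHost *:port> block to its list of (directive, args) pairs."""
    vhosts = {}
    for m in re.finditer(r"<VirtualHost\s+\*:(\d+)>(.*?)</VirtualHost>", conf, re.S):
        tokens = [l.split("#", 1)[0].split() for l in m.group(2).splitlines()]
        vhosts[int(m.group(1))] = [(t[0], t[1:]) for t in tokens if t]
    return vhosts

def check_vhost(directives):
    """Return findings for one block; an empty list means it matches the procedure."""
    names = {d for d, _ in directives}
    enabled = {p for d, a in directives if d == "SSLProtocolEnable" for p in a}
    disabled = {p for d, a in directives if d == "SSLProtocolDisable" for p in a}
    required = ("SSLEnable", "SSLFIPSEnable", "SSLServerCert", "KeyFile")
    findings = [f"missing {d}" for d in required if d not in names]
    if "TLSv12" not in enabled:
        findings.append("TLSv12 not enabled")
    findings += [f"legacy protocol enabled: {p}" for p in sorted(enabled & LEGACY)]
    findings += [f"legacy protocol not disabled: {p}" for p in sorted(LEGACY - disabled)]
    return findings

def audit(conf):
    """Port -> findings for every SSL VirtualHost in the fragment."""
    return {port: check_vhost(d) for port, d in parse_vhosts(conf).items()}

# Constructed sample: the hardened block from the procedure above.
HARDENED = """\
<VirtualHost *:9443>
SSLEnable
SSLFIPSEnable
SSLProtocolEnable TLSv12
SSLProtocolDisable SSLv2 SSLv3 TLSv1 TLSv11
SSLServerCert selfSigned
KeyFile "/opt/IBM/HTTPServer/conf/webserver0.kdb"
</VirtualHost>
"""
# Constructed sample: a pre-migration block that still allows TLS 1.0 and has FIPS off.
WEAK = """\
<VirtualHost *:9443>
SSLEnable
SSLProtocolEnable TLSv1 TLSv12
KeyFile "/opt/IBM/HTTPServer/conf/webserver0.kdb"
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(conf)[9443] or "OK")
```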
Troubleshooting IBM HTTP Server
If you encounter the following errors when you configure IBM HTTP Server to support TLS 1.2, complete the steps in the related workaround documents:
Error: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414) PARTNER CERTIFICATE DN=CN=Server1,OU=CloudBurstCell_5,OU=CloudBurstNode_5,O=IBM,C=US, Serial=02:1e:ea:24:51:de:d2
Workaround document: GSK_ERROR_BAD_CERT error configuring SSL between plug-in and WebSphere Application Server V6.1
Error: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_SOCKET_CLOSED(gsk rc = 420) PARTNER CERTIFICATE DN=No Information Available, Serial=No Information Available
Workaround document: The plug-in cannot connect to an application server if it uses TLS 1.2 and is configured for strict SP800-131 compliance