You can configure physical MDM runtime to use the SP800-131
security standard.
To set up physical MDM runtime integration with the engine,
take the following steps based on the component type:
- Configure the Management Agent by editing the ssl.client.props file, taking these steps:
  - Modify com.ibm.security.useFIPS to be set to true.
  - Add com.ibm.websphere.security.FIPSLevel=SP800-131 just below the use-Fips property.
  - Change the com.ibm.ssl.protocol property to TLSv1.2.
  Note: The Management Console and Agent must be installed and running on the same host (local to each other) to meet NIST compliance, because they do not communicate with each other over SSL. Only the Management Agent has the capability to communicate over SSL/TLSv1.2 with the operational server.
- Configure the Batch Processor by editing the ssl.client.props file, taking these steps:
  - Modify com.ibm.security.useFIPS to be set to true.
  - Add com.ibm.websphere.security.FIPSLevel=SP800-131 just below the use-Fips property.
  - Change the com.ibm.ssl.protocol property to TLSv1.2.
- Configure the Event Manager by editing the ssl.client.props file, taking these steps:
  - Modify com.ibm.security.useFIPS to be set to true.
  - Add com.ibm.websphere.security.FIPSLevel=SP800-131 just below the use-Fips property.
  - Change the com.ibm.ssl.protocol property to TLSv1.2.
- Configure the Administration User Interface by following the instructions in the Configuring WebSphere Application Server for SP800-131 standard strict mode topic (see the link in related information).
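The three ssl.client.props edits are the same for the Management Agent, Batch Processor and Event Manager, so they can be checked with one script. The following is an added example, not IBM code: the function names and sample file contents are assumptions, and the parser handles plain key=value lines without backslash continuations.

```python
import re

# Values this page requires in ssl.client.props for SP800-131 mode.
REQUIRED = {
    "com.ibm.security.useFIPS": "true",
    "com.ibm.websphere.security.FIPSLevel": "SP800-131",
    "com.ibm.ssl.protocol": "TLSv1.2",
}

def parse_props(text):
    """Parse key=value / key:value lines (no backslash continuations).
    A later duplicate key overwrites an earlier one, as in java.util.Properties,
    and trailing whitespace stays part of the value."""
    props = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = re.match(r"([^=:\s]+)[ \t]*[=:]?[ \t]*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text):
    """Return {key: effective value or None} for each required setting that is
    missing or differs from the value given on this page."""
    props = parse_props(text)
    return {k: props.get(k) for k, want in REQUIRED.items() if props.get(k) != want}

# Constructed sample contents (hypothetical, not from a real installation).
GOOD = "\n".join([
    "com.ibm.security.useFIPS=true",
    "com.ibm.websphere.security.FIPSLevel=SP800-131",
    "com.ibm.ssl.protocol=TLSv1.2",
])
BAD = "\n".join([
    "# useFIPS edited as instructed, FIPSLevel line forgotten",
    "com.ibm.security.useFIPS=true",
    "com.ibm.ssl.protocol=TLSv1.2 ",   # trailing space changes the value
    "# stale duplicate further down overrides the edit above",
    "com.ibm.security.useFIPS=false",
])

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(text) or "all three settings match")
```

An empty result means the effective values match this page; any entry shows the value the client would actually load, which is how a duplicate key or stray whitespace gets caught.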
What to do next
If the SSL handshake fails while running any of these clients, you may need to manually retrieve the signer certificates from the server to be able to communicate with the WebSphere® Application Server.
For more information on this task, see the documentation on the retrieveSigners command for WebSphere Application Server.
Note: You may need to accept signer certificates from the Cell, the Node, or both; for example, CellDefaultTrustStore or NodeDefaultTrustStore.