The National Institute of Standards and Technology (NIST) published Special
Publication 800-131A (SP800-131a), which defines the transition to stronger
cryptographic algorithms and key lengths. For WebSphere® eXtreme Scale, compliance
is achieved through the transport layer security (TLS) configuration. Complete the
steps in this task to configure NIST SP800-131a compliance for .NET applications in
WebSphere eXtreme Scale.
Before you begin
The following prerequisites apply when you configure .NET applications for
NIST SP800-131a compliance:
- You must configure both catalog and container servers to support
NIST SP800-131a algorithms. The client does not enforce compliance on its own.
- The algorithms that NIST SP800-131a requires are available in Windows Vista,
Windows Server 2008, and later releases such as Windows Server 2008 R2 and
Windows Server 2012 R2. TLS 1.1 and TLS 1.2 support in the Windows Schannel
provider begins with Windows 7 and Windows Server 2008 R2.
- The required TLSv1.1 and TLSv1.2 protocols are supported only by
.NET Framework 4.5 or later.
- The .NET client also supports .NET Framework 3.5 and 4.0; however,
NIST SP800-131a compliance is not possible with those versions of the .NET Framework.
About this task
Specify a transport encryption protocol that supports NIST SP800-131a compliance.
When the negotiated transport encryption protocol is TLSv1.2, the encryption,
hashing, and signing algorithms that it uses are FIPS-compliant algorithms in the
.NET Framework. NIST SP800-131a compliance depends on the WebSphere eXtreme Scale
server configuration: the client relies on the server to allow only SSL handshakes
that use NIST-compliant algorithms. The client does not check the server
certificate for compliance; instead, it relies on the server to verify the
algorithms and key strengths that were used to create the server certificate.
Procedure
- Edit the client properties file and set the transportType property
to SSL-Required; for example:
transportType=SSL-Required
- Edit the client properties file and set the protocol property to a value
that is valid for NIST SP800-131a compliance.
For SP800-131a transition mode, set the protocol property to TLSv11:
protocol=Tlsv11
For SP800-131a strict mode, set the protocol property to TLSv12:
protocol=Tlsv12
Important: The TLSv12 setting is required for NIST SP800-131a strict
compliance. If the .NET runtime is earlier than .NET Framework 4.5, the
connection fails with a connection timeout exception, because those runtimes
do not support TLS 1.1 or TLS 1.2.
When the transport encryption is set to either TLSv11 or TLSv12, the client
does not fall back to any earlier version of TLS or SSL. The server transport
encryption protocol must exactly match the .NET client protocol.
- Configure the Windows operating system to use only FIPS-compliant
algorithms.
Important: This policy is system-wide and is not limited to your .NET
applications. It restricts every Windows application that uses the Windows
cryptographic providers or the .NET Framework cryptography classes to
FIPS-compliant algorithms. Other Windows applications can then connect only to
applications and systems that use FIPS-compliant algorithms; if a Windows
application attempts to connect to a non-FIPS-compliant system, the connection
fails.
- Open the Local Security Policy editor: press Windows+R, type secpol.msc,
and press Enter.
- In the console tree, expand Local Policies and click Security Options.
- Double-click the System cryptography: Use FIPS-compliant algorithms for
encryption, hashing, and signing policy, or right-click it and select
Properties.
- Click Enabled.
- Click Apply, then OK.
- Restart the .NET applications to enable FIPS-compliant
security algorithms.
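The following script is an added example for this task; it is not part of the WebSphere eXtreme Scale product or its documentation. It checks, on the client machine, the three settings that the steps above depend on (.NET Framework 4.5 or later, the Windows FIPS policy, and the transportType and protocol values in the client properties file), and then exercises the caveat from About this task: because the client does not check the server certificate for SP800-131a compliance, the script performs a TLS 1.2-only handshake against the server and reports the certificate's signature algorithm and key length. The properties file path, the catalog server host name and port, and the assumption that the server listener accepts a direct TLS handshake on that port are placeholders; replace them with your own values.

```powershell
# Added example, not WebSphere eXtreme Scale code. Pre-flight checks for the NIST
# SP800-131a .NET client configuration plus a TLS 1.2-only probe of the server.
# Assumed (hypothetical) values: properties file path, catalog host and port, and
# that the listener on that port accepts a direct TLS handshake.
param(
    [string]$PropertiesFile = 'C:\wxs\client.properties',  # assumed path
    [string]$CatalogHost    = 'catalog.example.com',       # assumed host
    [int]   $CatalogPort    = 2809                         # assumed port
)

function Test-DotNet45 {
    # .NET 4.5 and later write Release >= 378389 under NDP\v4\Full; TLSv11/TLSv12 need it.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Release
    return ($null -ne $release -and $release -ge 378389)
}

function Test-FipsPolicy {
    # Registry value behind the secpol.msc policy
    # 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    return ((Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Enabled -eq 1)
}

function Get-ClientProperties([string]$Path) {
    # Minimal key=value parser for the client properties file; '#' lines are comments.
    $props = @{}
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith('#') -or -not $line.Contains('=')) { continue }
        $k, $v = $line.Split('=', 2)
        $props[$k.Trim()] = $v.Trim()
    }
    return $props
}

function Test-ClientProperties([hashtable]$Props) {
    $ok = $true
    if ($Props['transportType'] -ne 'SSL-Required') {
        Write-Warning "transportType is '$($Props['transportType'])'; expected SSL-Required"
        $ok = $false
    }
    switch -Regex ($Props['protocol']) {          # -Regex matching is case-insensitive
        '^TLSv12$' { Write-Host 'protocol=TLSv12: SP800-131a strict mode' }
        '^TLSv11$' { Write-Warning 'protocol=TLSv11: transition mode only, not strict compliance' }
        default    { Write-Warning "protocol is '$($Props['protocol'])'; set TLSv12 for strict compliance"; $ok = $false }
    }
    return $ok
}

function Test-ServerHandshake([string]$HostName, [int]$Port) {
    # TLS 1.2 only, like protocol=TLSv12: no fallback, so a server that cannot negotiate
    # TLS 1.2 fails here instead of silently agreeing on an older protocol.
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        # Accept any certificate for the probe; the point is to inspect it, not to trust it.
        $accept = { param($s, $c, $chain, $err) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host ("Negotiated {0}: cipher={1}/{2} hash={3} kex={4}" -f $ssl.SslProtocol,
                    $ssl.CipherAlgorithm, $ssl.CipherStrength, $ssl.HashAlgorithm, $ssl.KeyExchangeAlgorithm)
        $sig   = $cert.SignatureAlgorithm.FriendlyName
        $isRsa = $cert.PublicKey.Oid.FriendlyName -eq 'RSA'
        $bits  = if ($isRsa) { $cert.PublicKey.Key.KeySize } else { 0 }
        Write-Host "Server certificate: $($cert.Subject) signature=$sig rsaBits=$bits"
        # SP800-131a disallows SHA-1/MD5 signatures and RSA keys shorter than 2048 bits.
        $sigOk = $sig -notmatch 'sha1|md5'
        $keyOk = (-not $isRsa) -or ($bits -ge 2048)
        if (-not $sigOk) { Write-Warning "certificate signature '$sig' is not SP800-131a compliant" }
        if (-not $keyOk) { Write-Warning "RSA key length $bits is not SP800-131a compliant" }
        return ($sigOk -and $keyOk)
    } catch {
        Write-Warning "TLS 1.2 handshake with ${HostName}:${Port} failed: $($_.Exception.Message)"
        return $false
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
}

$results = [ordered]@{
    '.NET Framework 4.5 or later' = Test-DotNet45
    'Windows FIPS policy enabled' = Test-FipsPolicy
    'Client properties'           = Test-ClientProperties (Get-ClientProperties $PropertiesFile)
    'Server TLS 1.2 handshake'    = Test-ServerHandshake $CatalogHost $CatalogPort
}
$results.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' }) }
```

Run the script on the client machine after completing the steps above, for example `.\Check-Sp800131a.ps1 -PropertiesFile C:\path\to\client.properties -CatalogHost <host> -CatalogPort <port>`. A FAIL on the handshake line with a TLS 1.2-only probe usually means the server protocol does not match TLSv12, which is the same condition that makes the client fail, because neither side falls back to an older protocol.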
What to do next
Check the log file for your .NET application to confirm that the NIST security
policy is enabled. Because the client does not check the server certificate for
compliance, also confirm on the server side that the certificate was created with
algorithms and key lengths that NIST SP800-131a allows.