ssl-compliance

Syntax

ssl-compliance = { none | fips | sp800-131-transition | sp800-131-strict 
                 | suite-b-128 | suite-b-192 }

Description

Determines which compliance mode is enabled.

Options

none

Indicates that no special compliance modes are applied to the TLS communication protocol. This setting is equivalent to [ssl] ssl-enable-fips = no, which is a deprecated option.

fips

Enables FIPS 140-2 compliance. This setting is equivalent to [ssl] ssl-enable-fips = yes, which is a deprecated option.

sp800-131-transition

Enables NIST SP 800-131a support at the transition level. The transition level has fewer restrictions than the strict level.

sp800-131-strict

Enables NIST SP 800-131a support at the strict level. This enforcement is required by some federal agencies and enterprises that work with the federal government starting in 2014.

suite-b-128

Enables NSA Suite B at the 128-bit support level.

suite-b-192

Enables NSA Suite B at the 192-bit support level.

Usage

Required.

This setting is used for secure communication between Security Access Manager processes, secure communication from Security Access Manager to the LDAP registry servers, and secure communication from Security Access Manager to syslog servers.

When a Security Access Manager Java™ component is running in WebSphere Application Server, then WebSphere Application Server must be running with the same compliance standard as Security Access Manager. For details on configuring WebSphere Application Server for various compliance modes, see http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/index.jsp?topic=/com.ibm.iea.was_v8/was/8.0.0.3/Security/WASV8003_SecurityCryptoSignatureAlgorithm/player.html.

To configure Security Access Manager with a specific compliance, set the ssl-compliance value in pd.conf immediately before you configure the Security Access Manager policy server. The ssl-compliance option takes precedence over the deprecated ssl-enable-fips option if both are present.

Default value

none