The National Institute of Standards and Technology (NIST) Special Publications 800-131
standard strengthens algorithms and increases the key lengths to improve security. The standard also
provides for a transition period to move to the new standard. You can configure WebSphere® Application Server for SP800-131 standard transition
mode.
Before you begin
Read the
WebSphere Application Server security standards
configurations topic for more background information on security standards.
About this task
The transition period enables a user to run in a mixed environment of settings not
supported under the standard along with those that are supported. The NIST SP800-131 standard
requires that users be configured for strict enforcement of the standard by a specific time frame.
See The
National Institute of Standards and Technology website for more details.The transition
options can be useful when trying to get to strict
SP800-131. The servers can
accept a mixture old settings and new requirements. For example, they can convert certificates but
continue to use the TLS protocol.
WebSphere
Application Server can be configured to run SP800-131 in a transition
mode or a
strict
mode. For information on how to configure strict mode, read the Configuring
WebSphere Application Server for strict mode SP800-131
security standard topic.
To run in the SP800-131 transition mode, the server must be in a
specific configuration setting as well. Other strict requirements can be include as wanted.
- The com.ibm.jsse2.sp800-131 system property must be set to
transition
for the
JSSE to run in the transition mode.
- The SSL configuration protocols must be one of the TLS settings. Valid values include
TLS
, TLSv1
, TLSv1.1
, TLSv1.2
,
and TLSv1.3
.
Procedure
-
Click .
- Select the Enable SP800-131 radio button.
- Select the Transition radio button.
- You have the choice to change the protocols in SSL configuration to
TLSv1.2
by optionally selecting the Update the SSL configuration to
require TLSv1.2 box. If you do not select this box, all SSL configurations are set to
TLS
.
- Click Apply/Save.
- Restart the servers.
If your server is enabled with Dynamic SSL Updating, edit the
ssl.client.props file and change the
com.ibm.ssl.protocol
property to have the same protocol you configured the server to have before you restart the
server.
When these changes are applied, and the server is restarted, all the SSL configurations on
the server are modified to use the TLS
or TLSv1.2
protocol, and
the com.ibm.jsse2.sp800-131 system property is set to transition
. The SSL
configuration uses the appropriate SSL ciphers for the standard.
Before you can move to the
strict mode certificate, the protocol in the configuration must meet the strict
requirements.
You can go to directly to the SSL configuration and set protocols to
TLSv1.2
by doing the following:
-
Click .
- Select an SSL configuration from the collection panel.
- Under Related Items, select Quality of protection
(QoP).
- Select TLSv1.2 from the pull-down box labeled
Protocol.
- Click Apply/Save.
To change the SSL protocol by using
scripting, the
modifySSLConfig task can also be used.
Certificates must have a
minimum size of 2048 (244 if an Elliptical Curve certificate), and signed with SHA256, SHA384, or
SHA512. You can create new ones on the console and replace the old one, or import certificates that
meet the standards requirements.
There are a number of options that you can use to replace certificates.
- Use the Convert Certificate panel. This panel converts all certificates to meet the standard specified.
- Click .
Note: Certificates in the box labeled
Certificates cannot be converted with this option if:
- A chained certificate is not signed by WebSphere, such as a certificate from Certificate
Authority (CA). You must request a new certificate from Certificate Authority (CA) and replace the
existing certificate with the new certificate.
- KeyStore is read-only.
- KeyStore is a RACF keystore. WebSphere does not support conversion of certificates in RACF
keystore.
- Select the Strict radio button and choose which signatureAlgorithm to use
when creating the new certificates from the pull-down box.
- Select the size of the certificate from the pull-down box labeled New Certificate Key
Size. Note that Elliptical Curve signature algorithms require a specific size, so there
is no need to provide a size.
- Click Apply/Save.
The convertCertForSecurityStandard
scripting task can also be used to convert all certificates to meet a specified standard.
- Use the personal certificate panels to create new certificates and replace a certificate that
does not meet the requirements by doing the following:
- Click .
- Select a keystore from the collection panel.
- Select Personal Certificate.
- From the pull-down list on the Create button, select
Self-Signed Certificate.
- Enter an alias for the certificate. Select a signature algorithm for the certificate that is
signed with SHA256, SHA384, or SHA512. Choose a size that is 2048 or greater. Note that Elliptical
Curve signature algorithms require a specific size, so there is no need to specify a size.
- Click Apply/Save.
- Go back to the Personal certificate collection panel and select the certificate that does not
meet the standard. Click Replace.
- On the Replace panel, select the certificate created that meets the standard from the pull-down
list in the box labeled Replace with.
- Select Delete old certificate after replacement, and Delete
old signer boxes.
- Click Apply/Save.
Note: To replace chained certificates, a root certificate must be created that meets the standard.
Follow the previous navigation path to the root certificate in the defaultRootStore, then create a
chained certificate with that new root certificate.
The
createSelfSignedCertificate scripting task can also be used to create self-signed
certificate. The replaceCertificate scripting task can also be used to replace
the new certificate for the old one.
- Use the personal certificate panels to import certificates and to replace the certificate that
does not meet the requirements. Some certificate come from external sources such as a Certificate
Authority (CA).
- Click .
- Select a keystore from the collection panel.
- Select Personal Certificate.
- Select Import Certificate.
- Enter the information needed to access the certificate in an existing keystore file.
- Click Apply/Save.
- Go back to the Personal certificate collection panel and select the certificate that does not
meet the standard. Click the Replace button.
- On the Replace panel, select the certificate created that meets the standard from the pull-down
list in the box labeled Replace with. Select Delete old
certificate after replacement and Delete old signer boxes.
- Click Apply/Save.
The importCertificate scripting
task can also be used to import a certificate. The replaceCertificate scripting
task can also be used to replace the new certificate for the old one.
-
To enable strict SP800-131, click .
- Click the Enable SP800-131.
- Click the Strict.
- Click Apply/Save.
- Restart your servers and manually sync your nodes for the changes to take
effect.
To manually sync the nodes, you might need to modify the
ssl.client.props file for each node to match the protocol of the deployment
manager. Edit the ssl.client.props file for each node and change the
com.ibm.ssl.protocol
property to match the protocol of the deployment manager so
that a manual sync node can take place.
- Configure the client ssl.client.props file to match the Security
standard you are running in, strict mode or transition mode.
Edit the
ssl.client.props file as follows:
- Modify the
com.ibm.security.useFIPS
property to be set to true
.
- Add the
com.ibm.websphere.security.FIPSLevel
property after the useFips
property. Set the property to SP800-131 if strict mode is enabled and
transition if transition mode is enabled.
- Change the
com.ibm.ssl.protocol
property to TLSv1.2
if strict
mode is enabled. If transition mode is enabled, ensure that the property matches the server protocol
setting.
- Restart your servers and manually synchronize your nodes.
Your changes do not take effect until after the nodes are synchronized.
If you are running in a cluster environment:
- Make sure that the administrative console is shut down.
- Make sure that no JVMs are running on the server:
- Stop all of the servers.
- Stop the node agent.
- Stop the deployment manager.
- Clear all contents in the temp folders.
<profile_root>/wstemp/
<profile_root>/temp/
<profile_root>/config/temp/
<profile_root>/logs/dmgr/
<profile_root>/servers/nodeagent/configuration/
<profile_root>/servers/<server_name>/configuration/
- Initialize the OSGI configuration by running the osgiCfgInit
script.
was_profile_root/profile_name/bin/osgiCfgInit.bat
where profile_name is your dmgr01/bin profile.
- Clear the OSGI class cache by running the clearClassCache
script.
was_profile_root/profile_name/bin/clearClassCache.bat
where profile_name is your dmgr01/bin profile.
- Start the deployment manager.
- Manually synchronize the nodes.
- Start the wsadmin tool if it is not already running.
- From the
was_home/profiles/profile_name/bin, issue
the following syncNode command.
syncNode
dmgr_host dmgr_port
where
profile_name is your dmgr01/bin profile.
If security
is enabled, include the
-username and
-password parameters
when you issue this command:
syncNode
dmgr_host dmgr_port -username user_name -password
pass_word
- Start the node agent.
- Start all other servers.
What to do next
The browser used to access the administrative console or an application must use a protocol
that is compatible with the server. If the server is running in a transition mode, the browser must
be set to use the protocol that matches the server. The SP800-131 standard requires that the SSL
connection use the TLSv1.2
protocol, so the browser must support
TLSv1.2
and use it to access the administrative console.