Configuring WebSphere Application Server for SP800-131 standard strict mode

You can configure WebSphere® Application Server to use the SP800-131 standard strict mode.

Before you begin

Read the WebSphere Application Server security standards configurations topic for more background information regarding security standards.

About this task

The National Institute of Standards and Technology (NIST) Special Publications (SP) 800-131 standard strengthens algorithms and increases the key lengths to improve security. The standard also provides for a transition period to move to the new standard. The transition period enables a user to run in a mixed environment of settings not supported under the standard along with those that are supported. The NIST SP800-131 standard requires that users be configured for strict enforcement of the standard by a specific timeframe. See The National Institute of Standards and Technology web site for more details.

WebSphere Application Server can be configured to run SP800-131 in a transition mode or a strict mode. For instructions on how to configure transition mode, read the topic Transitioning WebSphere Application Server to the SP800-131 Security Standard.

To run in strict mode, several changes to the server configuration are necessary:
  • Secure Sockets Layer (SSL) configurations must use the TLSv1.2 protocol.
  • The com.ibm.jsse2.sp800-131 system property must be set to strict so that the JSSE runs in strict SP800-131 mode.
  • Certificates used for SSL communication must have a minimum length of 2048; Elliptic Curve (EC) certificates must have a minimum length of 244.
  • Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512.
  • SP800-131 approved cipher suites must be used.

Important: The signature algorithm requirement applies to the whole certificate chain, not only to the end-entity certificate. Every certificate in the chain must be signed with SHA256, SHA384, or SHA512.

Procedure

  1. Click Security > SSL certificate and key management > Manage FIPS.
    To run in strict SP800-131 mode, all of the certificates used for SSL on the server must be converted to certificates that comply with the SP800-131 requirements.
  2. To convert certificates, under Related Items, click Convert Certificates.
  3. Select the radio button marked Strict, and choose which signatureAlgorithm to use when creating the new certificates from the pull-down box.
  4. Select the size of the certificate from the pull-down box labeled New Certificate Key Size.
    Note: If you choose an Elliptic Curve signature algorithm, the key size is fixed by the curve, so you cannot fill in a size; the correct size is used automatically.
  5. If no certificates are displayed in the box labeled Certificates that cannot be converted, click Apply/Save.
  6. If certificates are displayed in the box labeled Certificates that cannot be converted, the server is unable to convert those certificates for you. You must replace them with certificates that meet the SP800-131 requirements.
    Reasons why the server cannot convert a certificate for you include:
    • The certificate was created by a Certificate Authority (CA).
    • The certificate is in a read-only keystore.

    Once certificates are converted to meet the SP800-131 specification, perform the following steps to enable SP800-131 strict mode.

  7. Click SSL certificate and key management > Manage FIPS.
  8. Enable the radio button labeled Enable SP800-131.
  9. Enable the radio button labeled Strict.
  10. Click Apply/Save.
  11. Restart the servers and manually sync the nodes for the SP800-131 strict mode to take effect.

    When these changes are applied and the server is restarted, every SSL configuration on the server is modified to use the TLSv1.2 protocol, and the com.ibm.jsse2.sp800-131 system property is set to strict. The SSL configurations use the cipher suites appropriate for the standard.

    Several wsadmin tasks can be used to enable strict SP800-131 mode through scripting:
    • Check the status of certificates for the security standard by using the listCertStatusForSecurityStandard task.
    • Convert certificates for the security standard by using the convertCertForSecurityStandard task.
    • Enable the security standard by using the enableFips task.
    • To see the security standard setting, use the getFipsInfo task.
  12. Once the server is configured for SP800-131 strict mode, the ssl.client.props file must be modified so that the administrative client also runs in SP800-131 strict mode.
    Without this change, the administrative client cannot make an SSL connection to the server.
    Edit the ssl.client.props file as follows:
    1. Set com.ibm.security.useFIPS to true.
    2. Add com.ibm.websphere.security.FIPSLevel=SP800-131 directly after the useFIPS property.
    3. Change the com.ibm.ssl.protocol property to TLSv1.2.
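As an added example that is not part of the IBM documentation, the following Python script applies the three ssl.client.props edits above to a constructed sample file held in memory, preserving comments and line order, and verifies the result. The sample property values other than the three named in the steps are placeholders.

```python
import re

# Constructed sample of an ssl.client.props fragment before the strict-mode edits.
# Values other than useFIPS, FIPSLevel and protocol are placeholders.
SAMPLE_PROPS = """\
# ssl.client.props (constructed sample, trimmed)
com.ibm.ssl.defaultAlias=DefaultSSLSettings
com.ibm.security.useFIPS=false
com.ibm.ssl.performURLHostNameVerification=false
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
"""

USE_FIPS = "com.ibm.security.useFIPS"
FIPS_LEVEL = "com.ibm.websphere.security.FIPSLevel"
PROTOCOL = "com.ibm.ssl.protocol"


def _is_key(line, key):
    """True if this properties line assigns the given key (spaces around '=' allowed)."""
    return re.match(r"^\s*" + re.escape(key) + r"\s*=", line) is not None


def set_property(lines, key, value):
    """Set key=value in place if the key exists, otherwise append it. Returns its index."""
    for i, line in enumerate(lines):
        if _is_key(line, key):
            lines[i] = f"{key}={value}"
            return i
    lines.append(f"{key}={value}")
    return len(lines) - 1


def enable_sp800_131_strict(props_text):
    """Apply the three step-12 edits and return the new file contents (idempotent)."""
    # Drop any existing FIPSLevel line so the one added below lands right after useFIPS.
    lines = [l for l in props_text.splitlines() if not _is_key(l, FIPS_LEVEL)]
    fips_idx = set_property(lines, USE_FIPS, "true")            # step 1
    lines.insert(fips_idx + 1, f"{FIPS_LEVEL}=SP800-131")       # step 2
    set_property(lines, PROTOCOL, "TLSv1.2")                    # step 3
    return "\n".join(lines) + "\n"


def parse_props(props_text):
    """Minimal key=value parser that skips blank lines and # comments."""
    props = {}
    for line in props_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            k, _, v = s.partition("=")
            props[k.strip()] = v.strip()
    return props


def is_strict_mode(props_text):
    """Check that the file carries all three settings required by step 12."""
    p = parse_props(props_text)
    return (p.get(USE_FIPS) == "true" and p.get(FIPS_LEVEL) == "SP800-131"
            and p.get(PROTOCOL) == "TLSv1.2")


if __name__ == "__main__":
    print(enable_sp800_131_strict(SAMPLE_PROPS))
```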

What to do next

The SP800-131 standard strict mode requires that the SSL connection use the TLSv1.2 protocol. For a browser to access the administrative console or an application, the browser must support and first be configured to use the TLSv1.2 protocol.
Avoid trouble: When enabling the security standards on a Network Deployment version of the product, the node and deployment manager can be in an incompatible protocol state. Since configuring the security standard requires the server to be restarted, it is recommended that all node agents and servers be stopped, leaving the deployment manager running. Once the configuration changes are made through the console, restart the deployment manager.

Manually sync the nodes with syncNode, and start the node agents and servers. To use syncNode, you might need to update the ssl.client.props file to communicate with the deployment manager.