You can configure WebSphere® Application Server to use the new Suite B security standard.
Before you begin
Read the WebSphere Application Server security standards configurations topic for more background information regarding security standards.
About this task
The National Security Agency (NSA) created a cryptographic interoperability strategy called Suite B. It places specific requirements on the National Institute of Standards and Technology (NIST) SP800-131 standard.
Suite B requirements:
WebSphere Application Server must be compliant with the following Suite B requirements:
To configure the server for the Suite B standard:
Procedure
- Click Security > SSL certificate and key management > Manage FIPS.
To run in a Suite B mode, all of the certificates used for SSL on the server must be converted to certificates that comply with Suite B requirements.
- To convert certificates, under Related Items click Convert Certificates.
- Select the radio button labeled 128-bit or 192-bit in the Algorithm box.
Note: Elliptic Curve signature algorithms require specific key sizes, so you must provide a size.
- Click Apply/Save.
If no certificates show up in the box labeled Certificates that cannot be converted, then you can enable the standard.
If certificates are listed in the box labeled Certificates that cannot be converted, the server is unable to convert those certificates for you. You must replace them with certificates that meet Suite B requirements. Reasons why the server cannot convert a certificate might include:
- The certificate was created by a Certificate Authority (CA).
- The certificate is in a read-only keystore.
After certificates are converted to meet the Suite B specifications,
follow the remaining steps to enable the Suite B standard.
- Click SSL certificate and key management > Manage FIPS.
- Select the Suite B: Accept 128 bit key for 128-bit mode or the Suite B: Accept 192 bit key for 192-bit mode.
- Click Apply/Save.
- Restart the servers and manually sync the nodes for the Suite B standard to take effect.
When these changes are applied and the server is restarted, the SSL configurations on the server are modified to use the TLSv1.2 protocol, and the com.ibm.jsse.suiteb system property is set to the desired Suite B mode (128 or 192). The SSL configuration uses the appropriate SSL ciphers for the standard.
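The paragraph above says the server is switched to TLSv1.2 and to the ciphers appropriate for the chosen Suite B mode, but it does not say how to confirm that from the outside. The following is an added example, not code from the IBM documentation or from WebSphere itself: it checks a negotiated protocol and cipher against the Suite B profile for TLS defined in RFC 6460 (an assumption about which ciphers "appropriate" means; the page itself names none). In 128-bit mode RFC 6460 permits ECDHE-ECDSA with AES-128-GCM/SHA-256 or AES-256-GCM/SHA-384; in 192-bit mode only the latter. The `probe_server` helper is hypothetical glue around Python's `ssl` module and is not called here; it is what you would run against an administrative port after the restart.

```python
"""Check a negotiated TLS session against the Suite B profile for TLS (RFC 6460).

Added example, not WebSphere code. The cipher names are the OpenSSL-style
names that ssl.SSLSocket.cipher() returns. RFC 6460 also constrains the curve
(P-256 for the 128-bit suite, P-384 for the 192-bit suite); the ssl module
does not expose the negotiated curve, so that part is not checked here.
"""
import socket
import ssl

# Cipher suites permitted at each Suite B minimum security level (RFC 6460 3.1).
SUITEB_CIPHERS = {
    128: {"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384"},
    192: {"ECDHE-ECDSA-AES256-GCM-SHA384"},
}


def check_suiteb(protocol, cipher, mode):
    """Return (ok, reason) for a negotiated protocol/cipher pair in the given mode.

    Suite B requires TLSv1.2 specifically (the page states this too), so
    anything older is rejected, as is a cipher outside the mode's allowed set.
    """
    if mode not in SUITEB_CIPHERS:
        raise ValueError("Suite B mode must be 128 or 192, got %r" % (mode,))
    if protocol != "TLSv1.2":
        return False, "protocol %s is not TLSv1.2" % protocol
    if cipher not in SUITEB_CIPHERS[mode]:
        return False, "cipher %s is not permitted in Suite B %d-bit mode" % (cipher, mode)
    return True, "ok"


def probe_server(host, port, mode, cafile=None, timeout=5.0):
    """Hypothetical helper: connect to host:port and check what was negotiated.

    Certificate verification stays on; pass cafile pointing at a trust store
    holding the converted (Suite B) signer certificate.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _version, _bits = tls.cipher()
            return check_suiteb(tls.version(), name, mode)


if __name__ == "__main__":
    # Constructed sample results, as a real probe would return them.
    for proto, ciph, mode in [
        ("TLSv1.2", "ECDHE-ECDSA-AES128-GCM-SHA256", 128),
        ("TLSv1.2", "ECDHE-ECDSA-AES128-GCM-SHA256", 192),
        ("TLSv1.1", "ECDHE-ECDSA-AES256-GCM-SHA384", 192),
    ]:
        print(proto, ciph, mode, "->", check_suiteb(proto, ciph, mode))
```

A session that negotiates an RSA-authenticated suite in 128-bit mode is reported as non-compliant even though the key length is fine, which is exactly the case where a certificate that "cannot be converted" was left in place.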
There are also wsadmin tasks available that can enable the Suite B standard using scripting:
- Check the status of certificates for the security standard by
using the listCertStatusForSecurityStandard task.
- Convert certificates for the security standard by using the convertCertForSecurityStandard task.
- Enable the security standard by using the enableFips task.
- To see the security standard setting, use the getFipsInfo task.
- Once the server is configured for Suite B mode, the ssl.client.props file must be modified so that administrative clients also run in Suite B mode. Without this change, they are unable to make an SSL connection to the server. Edit the ssl.client.props file by doing the following:
- Modify com.ibm.security.useFIPS to be set to true.
- Add the com.ibm.jsse.suiteb property, and set it to 128 or 192.
- Change the com.ibm.ssl.protocol property to TLSv1.2.
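The three ssl.client.props edits above are easy to get wrong by hand across many client installs (a duplicated key, or com.ibm.jsse.suiteb appended under a different spelling). The following is an added example, not code from the IBM documentation or the product: a small Python script that applies exactly those three settings to a Java-style properties file, rewriting the keys that exist, appending the one that is missing, and leaving every other line intact. The sample file content is constructed for the example and is not copied from a real installation.

```python
"""Apply the Suite B client settings to an ssl.client.props file.

Added example, not WebSphere code. It sets the three properties the page
names (com.ibm.security.useFIPS, com.ibm.jsse.suiteb, com.ibm.ssl.protocol)
and preserves comments, blank lines and all other properties.
"""
import re
from pathlib import Path

# key=value or key: value lines; comments start with '#' or '!' and never match.
_PROP_RE = re.compile(r"^(\s*)([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*)$")


def suiteb_client_settings(mode):
    """The settings the page prescribes for an administrative client."""
    if mode not in (128, 192):
        raise ValueError("Suite B mode must be 128 or 192, got %r" % (mode,))
    return {
        "com.ibm.security.useFIPS": "true",
        "com.ibm.jsse.suiteb": str(mode),
        "com.ibm.ssl.protocol": "TLSv1.2",
    }


def apply_settings(text, settings):
    """Return new file text in which each managed key is defined exactly once."""
    seen = set()
    out = []
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m and m.group(2) in settings:
            key = m.group(2)
            if key in seen:
                continue  # drop a duplicate definition of a key we manage
            seen.add(key)
            out.append("%s%s=%s" % (m.group(1), key, settings[key]))
        else:
            out.append(line)  # comment, blank line, or an unrelated property
    # com.ibm.jsse.suiteb is normally absent before Suite B is enabled: append it.
    for key, value in settings.items():
        if key not in seen:
            out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


def parse_props(text):
    """Minimal properties parser, enough to read back what apply_settings wrote."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m:
            props[m.group(2)] = m.group(3).strip()
    return props


def enable_suiteb_client(path, mode):
    """Rewrite the file at `path` in place and return the resulting properties."""
    p = Path(path)
    new_text = apply_settings(p.read_text(), suiteb_client_settings(mode))
    p.write_text(new_text)
    return parse_props(new_text)


# Constructed fragment of an ssl.client.props file (not from a real install).
SAMPLE_PROPS = """\
# ssl.client.props (constructed sample)
com.ibm.ssl.defaultAlias=DefaultSSLSettings
com.ibm.security.useFIPS=false
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.trustStore=${user.root}/etc/trust.p12
"""

if __name__ == "__main__":
    print(apply_settings(SAMPLE_PROPS, suiteb_client_settings(128)))
```

Running it a second time on an already converted file changes nothing, so it is safe to apply from a configuration-management job before the syncNode step described below.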
What to do next
The Suite B standard requires that the SSL connection use the TLSv1.2 protocol. For a browser to access the administrative console or an application, the browser must support and first be configured to use the TLSv1.2 protocol.
Note: When enabling the security standard in a Network Deployment environment, the node agents and the deployment manager can end up in an incompatible protocol state. Since configuring the security standard requires the server to be restarted, it is recommended that all node agents and servers be stopped, leaving only the deployment manager running. Once the configuration changes are made through the console, restart the deployment manager.
Manually sync the nodes with syncNode, and then start the node agents and servers. To use syncNode, you might need to update the ssl.client.props file first so that it can communicate with the deployment manager.