Configuring WebSphere Application Server for the Suite B security standard

You can configure WebSphere® Application Server to use the new Suite B security standard.

Before you begin

Read the WebSphere Application Server security standards configurations topic for more background information regarding security standards.

About this task

The National Security Agency (NSA) created a cryptographic interoperability strategy called Suite B. It places specific requirements on the National Institute of Standards and Technology (NIST) SP800-131 standard.

Suite B requirements:

WebSphere Application Server must be compliant with the following Suite B requirements:
  • SSL configuration must use the TLSv1.2 protocol.
  • The com.ibm.jsse.suiteb system property must be set to 128 or 192.
  • Certificates running in 128-bit mode must be created with the SHA256withECDSA signature algorithm. Certificates running in 192-bit mode must be created with the SHA384withECDSA signature algorithm.
    Note: To run in 192-bit mode, the unrestricted policy files must be in place on the JDK.
  • Suite B approved cipher suites must be used.

To configure the server for the Suite B standard:

Procedure

  1. Click Security > SSL certificate and key management > Manage FIPS
    To run in a Suite B mode, all of the certificates used for SSL on the server must be converted to certificates that comply with Suite B requirements.
  2. To convert certificates, under Related Items click Convert Certificates.
  3. Select the radio button labeled 128-bit or 192-bit in the Algorithm box.
    Note: Elliptic Curve signature algorithms require specific key sizes, so you must provide a size.
  4. Click Apply/Save.
    If no certificates show up in the box labeled Certificates that can not be converted, then you can enable the standard.
    If certificates show up listed in the box labeled Certificates that can not be converted, the server is unable to convert the certificates for you. You must replace these certificates with ones that meet Suite B requirements. Reasons why the server cannot convert the certificates might include:
    • The certificate was created by a Certificate Authority (CA).
    • The certificate is in a read-only keystore.

    After certificates are converted to meet the Suite B specifications, follow the remaining steps to enable the Suite B standard.

  5. Click SSL certificate and key management > Manage FIPS.
  6. Select the Suite B: Accept 128 bit key for 128-bit mode or the Suite B: Accept 192 bit key for 192-bit mode.
  7. Click Apply/Save.
  8. Restart the servers and manually sync the nodes for the Suite B standard to take effect.

    When these changes are applied and the server is restarted, the SSL configurations on the server are modified to use the TLSv1.2 protocol, and the com.ibm.jsse.suiteb system property is set to the desired Suite B mode. The SSL configuration uses the appropriate SSL ciphers for the standard.

    There are also wsadmin tasks available that can enable the Suite B standard using scripting:
    • Check the status of certificates for the security standard by using the listCertStatusForSecurityStandard task.
    • Convert certificates for the security standard by using the convertCertForSecurityStandard task.
    • Enable the security standard by using the enableFips task.
    • To see the security standard setting, use the getFipsInfo task.
  9. Once the server is configured for Suite B mode, the ssl.client.props file must be modified so that administrative clients also run in Suite B mode.
    Without this change, they are unable to make an SSL connection to the server. Edit the ssl.client.props file by doing the following:
    1. Modify com.ibm.security.useFIPS to be set to true.
    2. Add the com.ibm.jsse.suiteb property, and set it to 128 or 192.
    3. Change the com.ibm.ssl.protocol property to TLSv1.2.
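The following is an added example, not IBM's code or part of the WebSphere product, that applies the three ssl.client.props changes from step 9 to a properties file and then checks the result against the Suite B requirements listed earlier on this page (useFIPS true, suiteb set to 128 or 192, protocol TLSv1.2, and the per-mode certificate signature algorithm). The sample properties content is constructed for the example; the key names and values are the ones named on this page. The rewrite is idempotent and preserves comments and the order of unrelated lines, so it can be run repeatedly before syncNode on each node's ssl.client.props.

```python
"""Apply and verify the Suite B client settings for ssl.client.props.

Added example (not IBM's code). Key names and required values are taken
from the page; the sample file below is constructed.
"""
import re

# Signature algorithm each Suite B mode requires for its certificates (from the page).
SUITEB_SIGNATURE_ALGORITHM = {128: "SHA256withECDSA", 192: "SHA384withECDSA"}


def suiteb_client_properties(mode):
    """Return the ssl.client.props settings step 9 asks for, keyed by property name."""
    if mode not in SUITEB_SIGNATURE_ALGORITHM:
        raise ValueError("Suite B mode must be 128 or 192, got %r" % (mode,))
    return {
        "com.ibm.security.useFIPS": "true",
        "com.ibm.jsse.suiteb": str(mode),
        "com.ibm.ssl.protocol": "TLSv1.2",
    }


# key=value or key:value lines; '#' and '!' lines are comments and never match.
_PROP_RE = re.compile(r"^(\s*)([^#!=:\s][^=:]*?)\s*[=:]\s*(.*)$")


def parse_properties(text):
    """Minimal properties-file reader: returns {key: value} for simple lines."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m:
            props[m.group(2)] = m.group(3).strip()
    return props


def apply_suiteb_properties(text, mode):
    """Return a new ssl.client.props body with the Suite B settings applied.

    Existing keys are rewritten in place (comments and line order preserved);
    keys that are absent are appended at the end. Running it twice is a no-op.
    """
    wanted = suiteb_client_properties(mode)
    seen = set()
    out = []
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m and m.group(2) in wanted:
            key = m.group(2)
            out.append("%s%s=%s" % (m.group(1), key, wanted[key]))
            seen.add(key)
        else:
            out.append(line)
    for key, value in wanted.items():
        if key not in seen:
            out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


def suiteb_property_problems(props):
    """List what keeps a parsed ssl.client.props from meeting the Suite B requirements."""
    problems = []
    if props.get("com.ibm.security.useFIPS", "").lower() != "true":
        problems.append("com.ibm.security.useFIPS is not true")
    if props.get("com.ibm.jsse.suiteb") not in ("128", "192"):
        problems.append("com.ibm.jsse.suiteb is not 128 or 192")
    if props.get("com.ibm.ssl.protocol") != "TLSv1.2":
        problems.append("com.ibm.ssl.protocol is not TLSv1.2")
    return problems


def noncompliant_certificates(mode, certificates):
    """Given (alias, signature_algorithm) pairs, return the aliases whose
    signature algorithm is not the one the chosen Suite B mode requires."""
    required = SUITEB_SIGNATURE_ALGORITHM[mode]
    return [alias for alias, sig in certificates if sig != required]


# Constructed sample; not a real ssl.client.props file.
SAMPLE_PROPS = """\
# constructed sample of client SSL properties
com.ibm.ssl.defaultAlias=DefaultSSLSettings
com.ibm.security.useFIPS=false
com.ibm.ssl.protocol=SSL_TLSv2
"""

if __name__ == "__main__":
    updated = apply_suiteb_properties(SAMPLE_PROPS, 128)
    print(updated)
    print("problems:", suiteb_property_problems(parse_properties(updated)))
```

Run the check on the converted file before restarting node agents: an empty problems list means the client side matches the server-side settings the console applied, and `noncompliant_certificates` mirrors the console's "Certificates that can not be converted" box for a list of certificate aliases and their signature algorithms.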

What to do next

The Suite B standard requires that the SSL connection use the TLSv1.2 protocol. For a browser to access the administrative console or an application, the browser must support and first be configured to use the TLSv1.2 protocol.

Note: When enabling the security standards in a Network Deployment environment, the node and deployment manager can be in an incompatible protocol state. Since configuring the security standard requires the server to be restarted, it is recommended that all node agents and servers be stopped, leaving the deployment manager running. Once the configuration changes are made through the console, restart the deployment manager.

Manually sync the nodes with syncNode, and start the node agents and servers. To use syncNode, you might need to update the ssl.client.props file to communicate with the deployment manager.