Configuring compliance for Suite B in IBM Security Guardium Key Lifecycle Manager

You can configure IBM® Security Guardium® Key Lifecycle Manager to comply with standards that are specified by the US National Security Agency (NSA) to define security requirements for encryption.

About this task

Date          Change description
01 Mar 2021   Included reference to information for IBM Security Guardium Key Lifecycle Manager container. Refreshed only the English language content.
08 Dec 2020   Initial version.

To configure Suite B compliance in IBM Security Guardium Key Lifecycle Manager container, see Update Security Configurations REST Service.

To enable Suite B compliance in IBM Security Guardium Key Lifecycle Manager traditional, you must configure the SKLMConfig.properties file with the following option.
suiteB=128|192
When you configure suiteB with the value 128 or 192, the following properties are added to the properties file, or updated, if they already exist.
TransportListener.ssl.protocols=TLSv1.2
requireSHA2Signatures=true
autoScaleSignatureHash=true
useThisECKeySize=256 (if suiteB is 128) | 384 (if suiteB is 192)
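
The following check is an added example, not IBM code: it reads the text of an SKLMConfig.properties file and reports any of the four properties above that are missing or no longer match the configured suiteB level, for example after a later manual edit. It assumes plain key=value lines (no escapes or line continuations), and the sample file content is constructed.

```python
# Suite B level -> EC key size, as listed on this page.
EC_KEY_SIZE = {"128": "256", "192": "384"}


def parse_properties(text):
    """Parse simple key=value lines; skip blank lines and #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()  # a later duplicate overrides
    return props


def audit_suite_b(text):
    """Return a list of findings; an empty list means the file is consistent."""
    props = parse_properties(text)
    level = props.get("suiteB")
    if level not in EC_KEY_SIZE:
        return ["suiteB is %r; expected 128 or 192" % level]
    expected = {
        "TransportListener.ssl.protocols": "TLSv1.2",
        "requireSHA2Signatures": "true",
        "autoScaleSignatureHash": "true",
        "useThisECKeySize": EC_KEY_SIZE[level],
    }
    findings = []
    for key, want in expected.items():
        got = props.get(key)
        if got is None:
            findings.append("%s is missing (expected %s)" % (key, want))
        elif got != want:
            findings.append("%s=%s (expected %s)" % (key, got, want))
    return findings


# Constructed sample: suiteB=192 with a widened protocol list, a missing
# property, and an EC key size left at the 128-bit level.
SAMPLE = """\
suiteB=192
TransportListener.ssl.protocols=TLSv1.1,TLSv1.2
requireSHA2Signatures=true
useThisECKeySize=256
"""

if __name__ == "__main__":
    print("\n".join(audit_suite_b(SAMPLE)) or "consistent with suiteB")
```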

Procedure

  1. Set the following property in the SKLM_HOME/config/SKLMConfig.properties file.
    suiteB=128|192
    • The value 128 specifies the 128-bit minimum level of security.
    • The value 192 specifies the 192-bit minimum level of security.
    Command-line interface
    1. Go to the WAS_HOME/bin directory. For example,
      Windows
      cd drive:\Program Files\IBM\WebSphere\AppServer\bin
      Linux®
      cd /opt/IBM/WebSphere/AppServer/bin
    2. Start the wsadmin interface by using an authorized user ID, such as SKLMAdmin. For example,
      Windows
      wsadmin.bat -username SKLMAdmin -password mypwd -lang jython
      Linux
      ./wsadmin.sh -username SKLMAdmin -password mypwd -lang jython
    3. Run the tklmConfigUpdateEntry command to set the suiteB property in the SKLMConfig.properties configuration file.
      print AdminTask.tklmConfigUpdateEntry ('[-name suiteB -value 128|192]')
    REST interface
    1. Open a REST client.
    2. Obtain a unique user authentication identifier to access IBM Security Guardium Key Lifecycle Manager REST services. For more information about the authentication process, see Authentication process for REST services.
    3. Run Update Config Property REST Service to set the suiteB property in the SKLMConfig.properties configuration file. Pass the user authentication identifier that you obtained in the previous step along with the request message, as shown in the following example.
      PUT https://localhost:port/SKLM/rest/v1/configProperties
      Content-Type: application/json
      Accept: application/json
      Authorization: SKLMAuth userAuthId=139aeh34567m
      Accept-Language: en
      { "suiteB" : "128|192"}
  2. Restart the server.

What to do next

Select a certificate that uses the ECDSA algorithm, because Suite B compliance requires an ECDSA certificate for the TLS communication to work.

If a certificate with the ECDSA algorithm is not available, create a new certificate. For more information, see Creating a server certificate.