NIST SP 800-131A compliance and LDAP

The Db2® Cancun Release adds NIST SP 800-131A compliance. If you are required to comply with NIST SP 800-131A, you must configure both the Db2 LDAP security plug-ins and the LDAP server as described here; a compliant setting on only one side is not sufficient.

The Db2 LDAP security plug-ins and the LDAP server are strictly compliant with NIST SP 800-131A only when both of the following conditions hold:
  • TLS 1.2 is the only protocol enabled in the LDAP security plug-ins.
    The following database manager configuration parameters select the LDAP plug-ins:
    SRVCON_PW_PLUGIN = IBMLDAPauthserver
    CLNT_PW_PLUGIN   = IBMLDAPauthclient
    GROUP_PLUGIN     = IBMLDAPgroups
    The IBMLDAPSecurity.ini file enables SSL/TLS and FIPS mode and specifies only TLSV12 as the protocol:
    LDAP_HOST         = myhost
    SSL_KEYFILE       = /home/xxx/sqllib/cfg/IBMLDAPSecurity.kdb
    SSL_PW            = mypassword
    ENABLE_SSL        = true
    FIPS_MODE         = true
    SECURITY_PROTOCOL = TLSV12
    Because SSL_PW holds the key database password in clear text, restrict the permissions of IBMLDAPSecurity.ini so that only the instance owner can read it.
  • The LDAP server is NIST SP 800-131A compliant when IBMSLAPD_SECURITY_PROTOCOL is set to TLS12, which disables the older protocols (SSL 3.0, TLS 1.0 and TLS 1.1). The LDAP server must also set IBMSLAPD_SSL_EXTN_SIGALG to an appropriate value so that only certificates with approved signature and hash algorithms are accepted (NIST SP 800-131A disallows, for example, SHA-1 certificate signatures and RSA keys shorter than 2048 bits).

With valid configuration on both sides, communication between the Db2 LDAP security plug-ins and the LDAP server is NIST SP 800-131A compliant.
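The Db2-side requirements above can be checked before restarting the instance. The following script is an added example and is not IBM's code: it parses the `(PARAM) = value` lines of `db2 get dbm cfg` output and the `KEY = value` lines of IBMLDAPSecurity.ini, and reports every setting that deviates from the strict values listed above. The sample configurations embedded in it are constructed; the assumption that `;` and `#` introduce comments in the .ini file is the author's, not documented on this page.

```python
"""Static audit of the Db2-side settings required for strict NIST SP 800-131A
operation of the LDAP security plug-ins: the dbm cfg plug-in parameters and the
IBMLDAPSecurity.ini protocol/FIPS settings. Added example, not IBM's code."""
import re
from typing import Dict, List

# Values the page states as required for strict compliance.
REQUIRED_DBM_CFG = {
    "SRVCON_PW_PLUGIN": "IBMLDAPauthserver",
    "CLNT_PW_PLUGIN": "IBMLDAPauthclient",
    "GROUP_PLUGIN": "IBMLDAPgroups",
}
REQUIRED_INI = {
    "ENABLE_SSL": "true",
    "FIPS_MODE": "true",
    "SECURITY_PROTOCOL": "TLSV12",  # exactly this; a list such as "TLSV1,TLSV12" is not "only TLSV12"
}


def parse_ini(text: str) -> Dict[str, str]:
    """Parse 'KEY = value' lines from IBMLDAPSecurity.ini.
    Assumption: lines starting with ';' or '#' are comments; keys are case-insensitive."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def parse_dbm_cfg(text: str) -> Dict[str, str]:
    """Extract '(PARAM) = value' pairs from the output of `db2 get dbm cfg`.
    Only the parenthesised parameter name and the value after '=' on that line are used."""
    return {m.group(1).upper(): m.group(2).strip()
            for m in re.finditer(r"\((\w+)\)[ \t]*=[ \t]*(.*)", text)}


def audit(ini: Dict[str, str], dbm: Dict[str, str]) -> List[str]:
    """Return one finding per setting that deviates from the strict values; empty if compliant."""
    findings: List[str] = []
    for key, want in REQUIRED_DBM_CFG.items():
        got = dbm.get(key, "")
        if got != want:  # plug-in library names are compared exactly
            findings.append(f"dbm cfg {key}={got or '<unset>'} (want {want})")
    for key, want in REQUIRED_INI.items():
        got = ini.get(key, "")
        if got.upper() != want.upper():
            findings.append(f"IBMLDAPSecurity.ini {key}={got or '<unset>'} (want {want})")
    return findings


# Constructed samples. STRICT_* mirror the page's values; WEAK_* show a typical
# half-configured instance (group plug-in unset, FIPS off, TLS 1.0 allowed).
STRICT_INI = """\
; IBMLDAPSecurity.ini - strict settings (constructed sample)
LDAP_HOST         = myhost
SSL_KEYFILE       = /home/xxx/sqllib/cfg/IBMLDAPSecurity.kdb
SSL_PW            = mypassword
ENABLE_SSL        = true
FIPS_MODE         = true
SECURITY_PROTOCOL = TLSV12
"""
WEAK_INI = """\
LDAP_HOST         = myhost
SSL_KEYFILE       = /home/xxx/sqllib/cfg/IBMLDAPSecurity.kdb
SSL_PW            = mypassword
ENABLE_SSL        = true
FIPS_MODE         = false
SECURITY_PROTOCOL = TLSV1
"""
STRICT_DBM_CFG = """\
 Server userid-password plugin          (SRVCON_PW_PLUGIN) = IBMLDAPauthserver
 Client userid-password plugin            (CLNT_PW_PLUGIN) = IBMLDAPauthclient
 Group plugin                               (GROUP_PLUGIN) = IBMLDAPgroups
"""
WEAK_DBM_CFG = """\
 Server userid-password plugin          (SRVCON_PW_PLUGIN) = IBMLDAPauthserver
 Client userid-password plugin            (CLNT_PW_PLUGIN) = IBMLDAPauthclient
 Group plugin                               (GROUP_PLUGIN) =
"""

if __name__ == "__main__":
    for label, ini, dbm in (("strict", STRICT_INI, STRICT_DBM_CFG),
                            ("weak", WEAK_INI, WEAK_DBM_CFG)):
        problems = audit(parse_ini(ini), parse_dbm_cfg(dbm))
        print(f"{label}: {'compliant' if not problems else 'NOT compliant'}")
        for problem in problems:
            print("  -", problem)
```

On a real instance, feed `db2 get dbm cfg` output and the instance's IBMLDAPSecurity.ini into `parse_dbm_cfg` and `parse_ini`. The audit is static: it confirms what Db2 is configured to offer, not what the LDAP server actually negotiates. To verify the server side, connect to the LDAP TLS port with a client restricted to an older protocol (for example `openssl s_client -connect ldaphost:636 -tls1_1`) and confirm the handshake is rejected.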