NIST SP 800-131A compliance and LDAP
The Db2® Cancun Release adds NIST SP 800-131A compliance. If you are required to comply with NIST SP 800-131A, you must configure your LDAP environment.
An LDAP plug-in and an LDAP server are strictly compliant with NIST SP 800-131A when:
- TLSV12 is enabled in the LDAP security plug-in. That is, the following database manager configuration parameters are set to these values:
    SRVCON_PW_PLUGIN = IBMLDAPauthserver
    CLNT_PW_PLUGIN = IBMLDAPauthclient
    GROUP_PLUGIN = IBMLDAPgroups
  and the IBMLDAPSecurity.ini file specifies only TLSV12 as the security protocol:
    LDAP_HOST = myhost
    SSL_KEYFILE = /home/xxx/sqllib/cfg/IBMLDAPSecurity.kdb
    SSL_PW = mypassword
    ENABLE_SSL = true
    FIPS_MODE = true
    SECURITY_PROTOCOL = TLSV12
- The LDAP server is NIST SP 800-131A compliant when the IBMSLAPD_SECURITY_PROTOCOL is set to TLS12. That ensures other protocols such as SSL 3.0, TLS 1.0 and TLS 1.1 are disabled. The LDAP server must also set IBMSLAPD_SSL_EXTN_SIGALG to an appropriate value to ensure certificates with valid signature and hash algorithms are used.
With valid configuration in both the LDAP client and the LDAP server, communication between the Db2 LDAP security plug-ins and the LDAP server is NIST SP 800-131A compliant.
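The following is an added example (not IBM's code or part of this page) that checks the client-side settings listed above: it parses a plain `KEY = value` file such as IBMLDAPSecurity.ini and the plug-in parameters of the database manager configuration, and reports any value that deviates from the strict NIST SP 800-131A settings (ENABLE_SSL, FIPS_MODE, SECURITY_PROTOCOL, and the three plug-in parameters). The sample inputs are constructed inline; the `db2 get dbm cfg` sample assumes the familiar `description (PARAMETER) = value` line shape, which is an assumption of the example rather than something the page shows. A protocol value that lists more than one protocol (for example `TLSV1,TLSV12`) is reported as non-compliant because the page requires that only TLSV12 be specified.

```python
import re

# Values the page lists as required for strict NIST SP 800-131A compliance
# of the Db2 LDAP security plug-ins (client side only; the LDAP server's
# IBMSLAPD_SECURITY_PROTOCOL / IBMSLAPD_SSL_EXTN_SIGALG are checked on the server).
REQUIRED_INI = {
    "ENABLE_SSL": "true",
    "FIPS_MODE": "true",
    "SECURITY_PROTOCOL": "TLSV12",   # exactly TLSV12, no older protocols listed
}
REQUIRED_DBM = {
    "SRVCON_PW_PLUGIN": "IBMLDAPauthserver",
    "CLNT_PW_PLUGIN": "IBMLDAPauthclient",
    "GROUP_PLUGIN": "IBMLDAPgroups",
}

# Matches either "KEY = value" (ini style) or "description (KEY) = value"
# (assumed shape of `db2 get dbm cfg` output).
LINE_RE = re.compile(r"^(?:[^=]*\((?P<paren>\w+)\)|\s*(?P<bare>\w+))\s*=\s*(?P<value>.*)$")


def parse_key_values(text):
    """Return {KEY: value} for every assignment line; blanks and comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        key = match.group("paren") or match.group("bare")
        settings[key.upper()] = match.group("value").strip()
    return settings


def check_settings(actual, required):
    """Compare parsed settings with the required ones; an empty list means compliant."""
    findings = []
    for key, expected in required.items():
        value = actual.get(key)
        if value is None:
            findings.append(f"{key} is not set (expected {expected})")
        elif value.lower() != expected.lower():
            # Also catches lists such as "TLSV1,TLSV12": only TLSV12 is acceptable.
            findings.append(f"{key} = {value} (expected {expected})")
    return findings


def check_ini(text):
    """Findings for an IBMLDAPSecurity.ini-style document."""
    return check_settings(parse_key_values(text), REQUIRED_INI)


def check_dbm(text):
    """Findings for database manager configuration output."""
    return check_settings(parse_key_values(text), REQUIRED_DBM)


# Constructed sample: the compliant file from the page.
COMPLIANT_INI = """\
LDAP_HOST = myhost
SSL_KEYFILE = /home/xxx/sqllib/cfg/IBMLDAPSecurity.kdb
SSL_PW = mypassword
ENABLE_SSL = true
FIPS_MODE = true
SECURITY_PROTOCOL = TLSV12
"""

# Constructed sample: TLS 1.0 still allowed and FIPS mode not enabled.
WEAK_INI = """\
# constructed non-compliant configuration
LDAP_HOST = myhost
SSL_KEYFILE = /home/xxx/sqllib/cfg/IBMLDAPSecurity.kdb
SSL_PW = mypassword
ENABLE_SSL = true
SECURITY_PROTOCOL = TLSV1
"""

# Constructed sample in the assumed shape of `db2 get dbm cfg` output.
DBM_CFG_SAMPLE = """\
 Server userid-password plugin           (SRVCON_PW_PLUGIN) = IBMLDAPauthserver
 Client userid-password plugin           (CLNT_PW_PLUGIN) = IBMLDAPauthclient
 Group plugin                            (GROUP_PLUGIN) = IBMLDAPgroups
"""

if __name__ == "__main__":
    for name, findings in (("compliant ini", check_ini(COMPLIANT_INI)),
                           ("weak ini", check_ini(WEAK_INI)),
                           ("dbm cfg", check_dbm(DBM_CFG_SAMPLE))):
        print(name, "-> compliant" if not findings else "-> " + "; ".join(findings))
```

Run it against a real IBMLDAPSecurity.ini and the saved output of `db2 get dbm cfg`; any finding printed is a setting that still has to change before the plug-in side counts as strictly compliant.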