Set up a Liberty profile to run in SP800-131a
We can set up a Liberty profile to meet the SP800-131a requirement originated by the National Institute of Standards and Technology (NIST).
SP800-131a requires longer key lengths and stronger cryptography. The specification also provides a transition configuration to enable users to move to strict enforcement of SP800-131a; the transition configuration enables users to run with a mixture of settings from both FIPS140-2 and SP800-131a. SP800-131a can therefore be run in two modes, transition and strict. Transition mode gives users a setting from which to move their environment to SP800-131a strict mode: in transition mode, using the SP800-131a required certificates and setting the protocol to SP800-131a are optional.
Strict enforcement of SP800-131a requirements on the Liberty profile includes the following:
- The use of the TLSv1.2 protocol for the SSL context.
- Certificates must have a minimum length of 2048. Elliptical Curve (EC) certificates require a minimum size of 244-bit curves.
- Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512. Valid signature algorithms include:
  - SHA256withRSA
  - SHA384withRSA
  - SHA512withRSA
  - SHA256withECDSA
  - SHA384withECDSA
  - SHA512withECDSA
  If SHA384withECDSA or SHA512withECDSA is used, the unrestricted policy file needs to be in place for the IBM JDK.
- The use of SP800-131a approved cipher suites.
To configure a Liberty profile server to run in SP800-131a mode, users must be running with a level of the IBM JDK that supports SP800-131a. The minimal levels of the IBM JDK include Java 6 sr 10, Java 6.0.1 sr 2, or Java 7.
For more information about the SP800-131a standard, see the National Institute of Standards and Technology.
We can configure the Liberty profile to run in SP800-131a strict mode or transition mode as follows:
- Configure the Liberty profile to run in SP800-131a strict mode.
  - Make sure that we are running on a level of the IBM JDK that supports SP800-131a.
  - Make sure that the certificates of the server meet the criteria for SP800-131a:
    - Certificates have a minimum length of 2048, and Elliptical Curve (EC) certificates have a minimum size of 244-bit curves.
    - Certificates are signed with at least SHA256, or with one of the signature algorithms listed previously.
  - Configure the SSL configuration to use the TLSv1.2 protocol. See Enable SSL communication and SSL configuration attributes for more details.
  - Optional: If Elliptical Curve (EC) ciphers are required, list them in the enabledCiphers attribute. EC ciphers are not included when cipher lists are generated using the securityLevel attribute of the SSL configuration. For the full list of ciphers, see the Java Technology Security information.
  - Enable the Java Secure Socket Extension (JSSE) to run in SP800-131a strict mode by setting the system property com.ibm.jsse2.sp800-131 to strict. For example, -Dcom.ibm.jsse2.sp800-131=strict. See Customize the Liberty profile environment for how to set system properties in the jvm.options file.
- Configure the Liberty profile to run in SP800-131a transition mode.
  - Make sure that we are running on a level of the IBM JDK that supports SP800-131a.
  - Optional: If Elliptical Curve (EC) ciphers are required, list them in the enabledCiphers attribute. EC ciphers are not included when cipher lists are generated using the securityLevel attribute of the SSL configuration. For the full list of ciphers, see the Java Technology Security information.
  - Enable the JSSE to run in SP800-131a transition mode by setting the system property com.ibm.jsse2.sp800-131 to transition. For example, -Dcom.ibm.jsse2.sp800-131=transition. See Customize the Liberty profile environment for how to set system properties in the jvm.options file.
If we change the protocol to use TLSv1.2, verify the browser supports TLSv1.2.
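The following is an added example, not part of the original documentation, that turns the strict-mode requirements listed above (TLSv1.2, minimum key sizes, approved signature algorithms) and the configuration steps (the ssl element in server.xml, the com.ibm.jsse2.sp800-131 property in jvm.options) into an offline audit. It assumes the ssl element carries the protocol in an attribute named sslProtocol, and the sample server.xml, jvm.options and certificate metadata it checks are constructed for illustration. The minimum sizes are the figures stated on this page.

```python
"""Audit a Liberty profile configuration against the SP800-131a strict-mode
criteria listed on this page.  Added example: the sample server.xml,
jvm.options and certificate metadata below are constructed and are not taken
from any real server."""
import xml.etree.ElementTree as ET

# Signature algorithms the page lists as acceptable under SP800-131a.
APPROVED_SIG_ALGS = {
    "SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
    "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA",
}
MIN_RSA_BITS = 2048   # minimum key length stated on the page
MIN_EC_BITS = 244     # minimum EC curve size as stated on the page
REQUIRED_PROTOCOL = "TLSv1.2"
SP800_PROPERTY = "com.ibm.jsse2.sp800-131"

# Constructed sample server.xml: the first ssl element is compliant, the
# second still uses an older protocol setting.  sslProtocol is assumed to be
# the attribute that selects the protocol; the keyStore password is a placeholder.
SAMPLE_SERVER_XML = """<server>
  <featureManager><feature>ssl-1.0</feature></featureManager>
  <keyStore id="defaultKeyStore" password="{xor}placeholder"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
       sslProtocol="TLSv1.2"
       enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"/>
  <ssl id="legacySSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL_TLS"/>
</server>"""

# Constructed sample jvm.options content (one option per line).
SAMPLE_JVM_OPTIONS = """-Xmx512m
-Dcom.ibm.jsse2.sp800-131=strict
"""

# Constructed certificate metadata, as a keystore listing tool would report it.
SAMPLE_CERTS = [
    {"alias": "rsa-ok", "key_type": "RSA", "key_bits": 2048, "sig_alg": "SHA256withRSA"},
    {"alias": "rsa-weak", "key_type": "RSA", "key_bits": 1024, "sig_alg": "SHA1withRSA"},
    {"alias": "ec-ok", "key_type": "EC", "key_bits": 384, "sig_alg": "SHA384withECDSA"},
]


def check_ssl_protocols(server_xml):
    """Return {ssl id: problem or None} for every ssl element in server.xml."""
    root = ET.fromstring(server_xml)
    results = {}
    for ssl in root.iter("ssl"):
        proto = ssl.get("sslProtocol")
        results[ssl.get("id")] = (
            None if proto == REQUIRED_PROTOCOL
            else f"sslProtocol is {proto!r}, strict mode requires {REQUIRED_PROTOCOL}"
        )
    return results


def sp800_mode(jvm_options):
    """Return the value of -Dcom.ibm.jsse2.sp800-131 from jvm.options, or None."""
    prefix = f"-D{SP800_PROPERTY}="
    for line in jvm_options.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            return line[len(prefix):]
    return None


def check_certificate(cert):
    """Return the reasons a certificate fails the page's strict criteria."""
    problems = []
    if cert["key_type"] == "RSA" and cert["key_bits"] < MIN_RSA_BITS:
        problems.append(f"RSA key {cert['key_bits']} < {MIN_RSA_BITS} bits")
    if cert["key_type"] == "EC" and cert["key_bits"] < MIN_EC_BITS:
        problems.append(f"EC curve {cert['key_bits']} < {MIN_EC_BITS} bits")
    if cert["sig_alg"] not in APPROVED_SIG_ALGS:
        problems.append(f"signature algorithm {cert['sig_alg']} not approved")
    return problems


def audit(server_xml=SAMPLE_SERVER_XML, jvm_options=SAMPLE_JVM_OPTIONS, certs=SAMPLE_CERTS):
    """Collect every finding; an empty list means the configuration passes."""
    findings = []
    for ssl_id, problem in check_ssl_protocols(server_xml).items():
        if problem:
            findings.append(f"ssl {ssl_id}: {problem}")
    if sp800_mode(jvm_options) != "strict":
        findings.append(f"jvm.options: {SP800_PROPERTY} is not set to strict")
    for cert in certs:
        for problem in check_certificate(cert):
            findings.append(f"certificate {cert['alias']}: {problem}")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run against the constructed samples, the audit reports three findings: the legacySSLConfig element still using SSL_TLS, and the rsa-weak certificate for both its 1024-bit key and its SHA1withRSA signature. The jvm.options check passes because the property is already set to strict; replace the sample strings with the contents of a real server.xml, jvm.options and keystore listing to audit an actual server.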
Parent topic: Secure communications with the Liberty profile
Tasks:
- Customize the Liberty profile environment
- Enable SSL communication
Reference:
- National Institute of Standards and Technology
- Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules
- SSL configuration attributes