+

Search Tips   |   Advanced Search

Configure WebSphere Application Server for the Suite B security standard

We can configure WebSphere Application Server to use the new Suite B security standard.

Read the "WAS security standards configurations" topic for more background information regarding security standards.

The National Security Agency (NSA) created a cryptographic interoperability strategy called Suite B. It places specific requirements on the National Institute of Standards and Technology (NIST) SP800-131 standard.


Suite B requirements:

WebSphere Application Server must be compliant with the following Suite B requirements:

To configure the server for the Suite B standard:

  1. Click Security > SSL certificate and key management > Manage FIPS To run in a Suite B mode, all of the certificates used for SSL on the server must be converted to certificates that comply with Suite B requirements.

  2. To convert certificates, under Related Items click Convert Certificates.

  3. Select the radio button labeled 128-bit or 192-bit in the Algorithm box.

    Elliptical Curve signature algorithms require specific sizes, so provide a size.

  4. Click Apply/Save. If no certificates show up in the box labeled Certificates that can not be converted, then we can enable the standard.

    If certificates show up listed in the box labeled Certificates that can not be converted, the server is unable to convert the certificates for you. Replace these certificates with ones that meet Suite B requirements. Reasons why the server cannot convert the certificates might include:

    • The certificate was created by a Certificate Authority (CA).

    • The certificate is in a read-only keystore.

    After certificates are converted to meet the Suite B specifications, follow the remaining steps to enable the Suite B standard.

  5. Click SSL certificate and key management > Manage FIPS.

  6. Select the Suite B: Accept 128 bit key for 128-bit mode or the Suite B: Accept 192 bit key for 192-bit mode.

  7. Click Apply/Save.

  8. Restart the servers and manually sync the nodes for the Suite B standard to take effect.

    When these changes are applied and the server is restarted, the SSL configurations on the server is modified to use the TLSv1.2 protocol, and the com.ibm.jsse.suiteb system property is set to the desired Suite B mode. The SSL configuration uses the appropriate SSL ciphers for the standard.

    There are wsadmin tasks also available that can enable the Suite B standard . :

    • Check the status of certificates for the security standard using the listCertStatusForSecurityStandard task.

    • Convert certificates for the security standard using the convertCertForSecurityStandard task.

    • Enable the security standard using the enableFips task.

    • To see the security standard setting, use the getFipsInfo task.

  9. Once the server is configured for SP800-131 strict mode, ssl.client.props must be modified so that administrative clients are running in SP800-131 strict mode. They are unable to make an SSL connection to the server with the change. Edit ssl.client.props by doing the following:

    1. Modify com.ibm.security.useFIPS to be set to true.

    2. Add the com.ibm.jsse.suiteb property, and set it to 128 or 192.

    3. Change the com.ibm.ssl.protocol property to TLSv1.2.


What to do next

The Suite B standard requires the SSL connection use the TLSv1.2 protocol. For a browser to access the administrative console or an application, the browser must support and first be configured to use the TLSv1.2 protocol.

When enabling the security standards on a Network Deployed, the node and deployment manager can be in an incompatible protocol state. Since configuring the security standard requires the server to be restarted, IBM recommends that all node agents and servers be stopped, leaving the deployment manager running. Once the configuration changes are made through the console, restart the deployment manager.

Manually sync the nodes with syncNode, and start the node agents and servers. To use syncNode, we might need to update ssl.client.props to communicate with the deployment manager.


Related concepts

  • WAS security standards configurations


    Related tasks

  • Configure WebSphere Application Server for SP800-131 standard strict mode
  • Transition WebSphere Application Server to the SP800-131 security standard
  • Configure Federal Information Processing Standard Java Secure Socket Extension files

  • FIPSCommands (AdminTask)