Transition WebSphere Application Server to the SP800-131 security standard

Transition WebSphere Application Server to the SP800-131 security standard

The National Institute of Standards and Technology (NIST) Special Publications 800-131 standard strengthens algorithms, and increases key lengths to improve security. The standard also provides for a transition period to move to the new standard. We can configure WebSphere Application Server for SP800-131 standard transition mode.
Read the WAS security standards configurations topic for more background information regarding security standards.
The transition period enables a user to run in a mixed environment of settings not supported under the standard along with those that are supported. The NIST SP800-131 standard requires that users be configured for strict enforcement of the standard by a specific timeframe. See The National Institute of Standards and Technology web site for more details.
The transition options can be useful when trying to get to strict SP800-131. The servers can accept a mixture old settings and new requirements. For example. they can convert certificates but continue to use the TLS protocol.
WAS can be configured to run SP800-131 in a transition mode or a strict mode.
To run in the SP800-131 transition mode, the server must be in a specific configuration setting as well. Other strict requirements can be include as wanted.

The com.ibm.jsse2.sp800-131 system property must be set to transition for the JSSE to run in the transition mode.
The SSL configuration protocols must be one of the TLS settings. Valid values include TLS, TLSv1, TLSv1.1, and TLSv1.2.

Procedure
Click...
Security | SSL certificate and key management | Manage FIPS | Enable SP800-131 (radio button)

Select the Transition radio button.

Optionally require TLSv1.2 protocol by selecting box...
Update the SSL configuration to require TLSv1.2

If not selected, all SSL configurations are set to TLS.

Click Apply/Save.

Restart the servers.
Before restarting the server, if the server is enabled with Dynamic SSL Updating, edit ssl.client.props and change com.ibm.ssl.protocol to the new protocol we configured.
When these changes are applied, and the server is restarted, all of the SSL configuration on the server are modified to use the TLS or TLSv1.2 protocol, and the com.ibm.jsse2.sp800-131 system property is set to transition. The SSL configuration uses the appropriate SSL ciphers for the standard.
Before we can move to the strict mode certificate, the protocol in the configuration must meet the strict requirements.
We can go to directly to the SSL configuration and set protocols to TLSv1.2.
Security | SSL certificate and key management | SSL Configurations | SSL configuration | Related Items | Quality of protection (QoP)

Select TLSv1.2 from the pull-down box labeled Protocol

Click Apply/Save.
To change the SSL protocol, the modifySSLConfig task can also be used.
Certificates must have a minimum size of 2048 (244 if an Elliptical Curve certificate), and signed with SHA256, SHA384, or SHA512. We can create new ones on the console and replace the old one, or import certificates that meet the standards requirements.
There are a number of options we can use to replace certificates.

Use the Convert Certificate panel.
This panel converts all certificates to meet the standard specified.

Click...
Security | SSL certificate and key management | Manage FIPS | Convert Certificate

If there are any certificates in the box labeled...
Certificates that can not be converted

...then a certificate can not be converted using this option.

Select the Strict radio button and choose which signatureAlgorithm to use when creating the new certificates from the pull-down box.

Select the size of the certificate from the pull-down box labeled New Certificate Key Size.
Note that Elliptical Curve signature algorithms require a specific size, so there is no need to provide a size.

Click Apply/Save.
The convertCertForSecurityStandard scripting task can also be used to convert all certificates to meet a specified standard.

Use the personal certificate panels to create new certificates and replace a certificate that does not meet the requirements...

Click...
Security | SSL certificate and key management | Key stores and certificates

Select a keystore from the collection panel.

Select Personal Certificate.

From the pull-down list on the Create button, select Self-Signed Certificate.

Enter an alias for the certificate. Select a signature algorithm for the certificate that is signed with SHA256, SHA384, or SHA512. Choose a size that is 2048 or greater. Note that Elliptical Curve signature algorithms require a specific size, so there is no need to specify a size.

Click Apply/Save.

Go back to the Personal certificate collection panel and select the certificate that does not meet the standard. Click Replace.

On the Replace panel, select the certificate created that meets the standard from the pull-down list in the box labeled Replace with.

Select Delete old certificate after replacement, and Delete old signer boxes.

Click Apply/Save.
To replace chained certificates, a root certificate must be created that meets the standard. Follow the previous navigation path to the root certificate in the defaultRootStore, then create a chained certificate with that new root certificate.
The createSelfSigneCertificate scripting task can also be used to create self-signed certificate. The replaceCertificate scripting task can also be used to replace the new certificate for the old one.

Use the personal certificate panels to import certificates and to replace the certificate that does not meet the requirements. Some certificate come from external sources such as a Certificate Authority (CA).

Click...
Security | SSL certificate and key management | Key stores and certificates

Select a keystore from the collection panel.

Select Personal Certificate.

Select Import Certificate.

Enter the information needed to access the certificate in an existing keystore file.

Click Apply/Save.

Go back to the Personal certificate collection panel and select the certificate that does not meet the standard. Click the Replace button.

On the Replace panel, select the certificate created that meets the standard from the pull-down list in the box labeled...
Replace with

Select boxes...

Delete old certificate after replacement
Delete old signer boxes

Click Apply/Save.
The importCertificate scripting task can also be used to import a certificate. The replaceCertificate scripting task can also be used to replace the new certificate for the old one.

To enable strict SP800-131, click...
Security | SSL certificate and key management | Manage FIPS

Click the Enable SP800-131.

Click the Strict.

Click Apply/Save.

Restart the servers and manually sync the nodes for the changes to take effect.
To manually sync the nodes we might need to modify ssl.client.props for each node to match the protocol of the dmgr. Edit ssl.client.props for each node, and change the com.ibm.ssl.protocol property to match the protocol of the dmgr.

Configure the client ssl.client.props file to match the Security standard we are running in: srict mode or transition mode.
Edit ssl.client.props as follows:

Modify the com.ibm.security.useFIPS property to be set to true.

Add the com.ibm.websphere.security.FIPSLevel property just below the useFips property. Set the property to SP800-131 if strict mode is enabled and transition if transition mode is enabled.

Change the com.ibm.ssl.protocol property to TLSv1.2 if strict mode is enabled. If transition mode is enabled, ensure that the property matches the server protocol setting.
Restart the servers and manually synchronize the nodes.
Your changes do not take affect until after the nodes are synchronized.
If we are running in a cluster environment:

Make sure the console is shutdown.

Make sure there are no JVMs running on the server:

Stop all of the servers.
Stop the node agent.
Stop the deployment manager.

Clear all contents in the temp folders.
<profile_root>/wstemp/
<profile_root>/temp/
<profile_root>/config/temp/
<profile_root>/logs/dmgr/
<profile_root>/servers/nodeagent/configuration/
<profile_root>/servers/<server_name>/configuration/

Initialize the OSGI configuration...
was_profile_root/profile/bin/osgiCfgInit.bat

...where Profile is the dmgr01/bin profile

Clear the OSGI class cache...
was_profile_root/profile_name/bin/clearClassCache.bat

...where profile_name is the dmgr01/bin profile.

Start the deployment manager.
Manually synchronize the nodes.
Start wsadmin.sh if it is not already running.
From the was_home/profiles/profile_name/bin , issue the following syncNode command.
syncNode
dmgr_host dmgr_port 
where profile_name is the dmgr01/bin profile.
If security is enabled, include the -username and -password parameters when you issue this command:
syncNode dmgr_host dmgr_port -username user_name -password pass_word
Start the node agent.

Start all other servers.
What to do next
The browser used to access the console or an application must use a protocol that is compatible with the server. If the server is running in a transition mode, the browser must be set to use the protocol that matches the server. The SP800-131 standard requires the SSL connection use the TLSv1.2 protocol, so the browser must support TLSv1.2 and use it to access the console.

Related concepts
WAS security standards configurations
Configure WebSphere Application Server for SP800-131 standard strict mode
Configure WebSphere Application Server for the Suite B security standard
Configure Federal Information Processing Standard Java Secure Socket Extension files
FIPSCommands (AdminTask)