
Configure WAS for the Suite B security standard

We can configure WebSphere Application Server to use the new Suite B security standard.

Read the "WAS security standards configurations" topic for more background information regarding security standards.

The National Security Agency (NSA) created a cryptographic interoperability strategy called Suite B. It places specific requirements on the National Institute of Standards and Technology (NIST) SP800-131 standard.


Suite B requirements:

WAS must be compliant with the following Suite B requirements:

To configure the server for the Suite B standard:

  1. Click Security > SSL certificate and key management > Manage FIPS. To run in Suite B mode, all of the certificates used for SSL on the server must be converted to certificates that comply with the Suite B requirements.
  2. To convert certificates, under Related Items click Convert Certificates.

  3. Select the radio button labeled 128-bit or 192-bit in the Algorithm box.

    Elliptic Curve signature algorithms require specific key sizes, so you must provide a size.

  4. Click Apply/Save. If no certificates show up in the box labeled Certificates that can not be converted, then we can enable the standard.

    If certificates show up listed in the box labeled Certificates that can not be converted, the server is unable to convert the certificates for you. Replace these certificates with ones that meet Suite B requirements. Reasons why the server cannot convert the certificates might include:

    • The certificate was created by a Certificate Authority (CA).
    • The certificate is in a read-only keystore.

    After certificates are converted to meet the Suite B specifications, follow the remaining steps to enable the Suite B standard.

  5. Click SSL certificate and key management > Manage FIPS.

  6. Select the Suite B: Accept 128 bit key for 128-bit mode or the Suite B: Accept 192 bit key for 192-bit mode.

  7. Click Apply/Save.

  8. Restart the servers and manually sync the nodes for the Suite B standard to take effect.

    When these changes are applied and the server is restarted, the SSL configurations on the server are modified to use the TLSv1.2 protocol, and the com.ibm.jsse.suiteb system property is set to the desired Suite B mode. The SSL configuration uses the SSL ciphers appropriate for the standard.

    The following wsadmin tasks are also available to enable the Suite B standard through scripting:

    • Check the status of certificates for the security standard using the listCertStatusForSecurityStandard task.
    • Convert certificates for the security standard using the convertCertForSecurityStandard task.

    • Enable the security standard using the enableFips task.
    • To see the security standard setting, use the getFipsInfo task.

  9. Once the server is configured for SP800-131 strict mode, the ssl.client.props file must be modified so that administrative clients also run in SP800-131 strict mode. Without this change, they are unable to make an SSL connection to the server. Edit the ssl.client.props file as follows:

    1. Modify com.ibm.security.useFIPS to be set to true.

    2. Add the com.ibm.jsse.suiteb property, and set it to 128 or 192.

    3. Change the com.ibm.ssl.protocol property to TLSv1.2.
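
The ssl.client.props edit in step 9, as an added example that is not part of the IBM documentation: a small Python script that reports which of the three settings are missing or wrong and rewrites the file content accordingly. It assumes the file uses the standard Java properties layout (key=value lines, `#` comments); the property names and values are the ones the steps give, and the sample file content is constructed.

```python
import re

# The three ssl.client.props keys named in step 9; the key=value file layout is assumed.
def required_settings(mode):
    """Values the steps say an administrative client needs for Suite B `mode`."""
    if mode not in (128, 192):
        raise ValueError("Suite B mode must be 128 or 192, got %r" % (mode,))
    return {"com.ibm.security.useFIPS": "true",
            "com.ibm.jsse.suiteb": str(mode),
            "com.ibm.ssl.protocol": "TLSv1.2"}

PROP_LINE = re.compile(r"^\s*([^#!=:\s]+)\s*[=:]\s*(.*?)\s*$")

def parse_props(text):
    """Minimal properties parser: returns {key: value}, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_suiteb_client_props(text, mode):
    """List the keys that are missing or wrong; an empty list means the client is ready."""
    props = parse_props(text)
    return ["%s should be %s, found %s" % (k, v, props.get(k, "<missing>"))
            for k, v in required_settings(mode).items() if props.get(k) != v]

def apply_suiteb_client_props(text, mode):
    """Rewrite the three keys in place (or append them) and keep every other line."""
    wanted = required_settings(mode)
    out, seen = [], set()
    for line in text.splitlines():
        m = PROP_LINE.match(line)
        if m and m.group(1) in wanted:
            seen.add(m.group(1))
            out.append("%s=%s" % (m.group(1), wanted[m.group(1)]))
        else:
            out.append(line)
    out.extend("%s=%s" % (k, v) for k, v in wanted.items() if k not in seen)
    return "\n".join(out) + "\n"

# Constructed sample of a client file from before the Suite B change (not a real file).
SAMPLE_PROPS = """\
# ssl.client.props (constructed sample)
com.ibm.ssl.defaultAlias=DefaultSSLSettings
com.ibm.security.useFIPS=false
com.ibm.ssl.protocol=TLS
"""
```

Run `check_suiteb_client_props` against the real file before and after editing it; it flags a client still on 128-bit mode when the server was switched to 192-bit mode.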

The Suite B standard requires that the SSL connection use the TLSv1.2 protocol. For a browser to access the dmgr console or an application, the browser must support, and first be configured to use, the TLSv1.2 protocol.

When enabling the security standards in a Network Deployment environment, the node and deployment manager can end up in an incompatible protocol state. Because configuring the security standard requires the server to be restarted, IBM recommends that all node agents and servers be stopped, leaving only the deployment manager running. Once the configuration changes are made through the console, restart the deployment manager.

Manually sync the nodes with syncNode, and start the node agents and servers. To use syncNode, we might need to update the ssl.client.props file to communicate with the deployment manager.


Related concepts:

WAS security standards configurations


Related:


Configure WAS for SP800-131 standard strict mode
Transitioning WAS to the SP800-131 security standard
Configure Federal Information Processing Standard Java Secure Socket Extension files


Reference:

FIPSCommands command group for AdminTask

