Update to NIST SP 800-131A security standards

National Institute of Standards and Technology (NIST) Special Publications 800-131A (SP 800-131A) standard offers guidance to migrate to the use of stronger cryptographic keys and more robust algorithms. To ensure that we are fully compliant, refer to the NIST SP 800-131A standard.

Task info

To become NIST SP 800-131A compliant, ensure that the environment adheres to the following standards:

• Digital signatures must use at least SHA-2 hashing algorithm, but SHA-1 hashing algorithm can continue to be used for validation. By default, WebSphere Commerce Version 9 uses SHA-2.

• Ensure that cryptographic keys adhere to a minimum key strength of 112 bits.

• For runtime environments, enable TLS 1.2 for SSL and disable protocols less than TLS 1.2.

Procedure

1. (Linux) Ensure proper support for TLS 1.2 in pre-9.0.0.6 runtime environments. In WebSphere Commerce Versions 9.0.0.6+, TLS 1.2 is enabled by default.

   • If we are running a WebSphere Commerce version that earlier than Version 9.0.06, configure your web server to require TLS 1.2 as a minimum. For example, for IBM HTTP Server 9.0.0.5, add the following directive to your httpd.conf web server configuration file. This directive disables HTTPS protocols lower than TLS 1.2 for all virtual hosts with the SSLEnable directive enabled:

     SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11

     We can find the file in the Web Server Docker container (projectname_web_1) at /opt/WebSphere/HTTPServer/conf/httpd.conf.

   • If WebSphere Commerce is integrated with LDAP using SSL, set the SSL protocol to TLS 1.2.

   • If outbound email is used over SSL, configure email to use TLS 1.2.

   • Ensure that browsers that are interacting with WebSphere Commerce are using TLS 1.2, for example Internet Explorer 8 or later on Windows 7 or later.

2. (Linux) Ensure that web certificates and certificates used to integrate WebSphere Commerce with other applications (such as Sterling OMS) are upgraded to satisfy the following NIST SP 800-131A specifications:

   • All certificates with RSA or DSA keys that are shorter than 2048 bits must be replaced with certificates that are 2048 bits or higher.

   • Certificates with elliptic curve keys shorter than 160 bits must be replaced with longer keys. Contact your certificate authority issuer (CA) for new certificates.

   • All certificates must be signed by an allowed signature algorithm. For example, SHA-256, SHA-384, or SHA-512. SHA-1 digest algorithms are no longer allowed.

3. Configure WebSphere Application Server for NIST SP 800-131A:

   • For a production environment, Enable NIST SP 800-131A strict mode.

   • For a staging environment, Enable NIST SP 800-131A transition mode.

   • For a developer environment, Enable NIST SP 800-131A transition mode. Because the developer environment is internal, you do not normally need to enable NIST.

   Note: In a runtime development or quality assurance environment, we can access the WebSphere Application Server Administration Console using the hostname that is running the Transaction Server Docker container. For a production environment, we can consider creating custom Run Engine commands to configure the settings into a new Docker image. See Creating our own Run Engine commands.

4. Configure Liberty for NIST SP 800-131A:

   • For a production environment, Enable NIST SP 800-131A strict mode.

   • For a staging environment, Enable NIST SP 800-131A transition mode.

   • For a developer environment, Enable NIST SP 800-131A transition mode.