ssl-compliance
ssl-compliance = { none | fips | sp800-131-transition | sp800-131-strict | suite-b-128 | suite-b-192 }
Determines which compliance mode is enabled.
Options
- none
- Specifies that no special compliance modes are applied to the TLS communication protocol. This setting is equivalent to [ssl] ssl-enable-fips = no, which is a deprecated option.
- fips
- Enables FIPS 140-2 compliance. This setting is equivalent to [ssl] ssl-enable-fips = yes, which is a deprecated option.
- sp800-131-transition
- Enables NIST SP 800-131a support at the transition level. The transition level has fewer restrictions than the strict level.
- sp800-131-strict
- Enables NIST SP 800-131a support at the strict level. This enforcement is required by some federal agencies and enterprises that work with the federal government starting in 2014.
- suite-b-128
- Enables NSA Suite B at the 128-bit support level.
- suite-b-192
- Enables NSA Suite B at the 192-bit support level.
Usage
Required.
This setting is used for secure communication between Security Verify Access processes, secure communication from Security Verify Access to the LDAP registry servers, and secure communication from Security Verify Access to syslog servers.
When an ISAM Java™ component is running in WebSphere Application Server, then WebSphere Application Server must be running with the same compliance standard as Security Verify Access. For details on configuring WebSphere Application Server for various compliance modes, see http://publib.boulder.ibm.com/infocenter/ieduasst/v1r1m0/index.jsp?topic=/com.ibm.iea.was_v8/was/8.0.0.3/Security/WASV8003_SecurityCryptoSignatureAlgorithm/player.html.
To configure IBM Security Verify Access with a specific compliance mode, set the ssl-compliance value in pd.conf immediately before you configure the ISAM policy server. The ssl-compliance option takes precedence over the deprecated ssl-enable-fips option if both are present.
Default value
none
Example
ssl-compliance = suite-b-128
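A pre-configuration check for the precedence rule described under Usage, added here as an example and not part of the product documentation. It assumes pd.conf is an INI-style stanza file with both entries under [ssl] and # comment lines; read_stanza and effective_compliance are hypothetical helper names.

```python
import re

VALID_MODES = {"none", "fips", "sp800-131-transition", "sp800-131-strict",
               "suite-b-128", "suite-b-192"}
LEGACY_TO_MODE = {"yes": "fips", "no": "none"}  # equivalences stated on this page

# Constructed sample input, not taken from a real deployment.
SAMPLE_PD_CONF = """\
# constructed sample
[ssl]
ssl-enable-fips = no
ssl-compliance = sp800-131-strict
"""

def read_stanza(text, stanza):
    """Collect key/value entries of one [stanza] (INI-style layout is assumed)."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
        elif current == stanza and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries

def effective_compliance(text):
    """Return (mode, findings); ssl-compliance wins over ssl-enable-fips."""
    ssl = read_stanza(text, "ssl")
    mode, legacy = ssl.get("ssl-compliance"), ssl.get("ssl-enable-fips")
    findings = []
    if legacy is not None:
        findings.append("deprecated ssl-enable-fips is present")
        if legacy not in LEGACY_TO_MODE:
            raise ValueError(f"unknown ssl-enable-fips value: {legacy!r}")
    if mode is None:
        # Fall back to the deprecated option, then to the documented default.
        return LEGACY_TO_MODE.get(legacy, "none"), findings
    if mode not in VALID_MODES:
        raise ValueError(f"unknown ssl-compliance value: {mode!r}")
    if legacy is not None and LEGACY_TO_MODE[legacy] != mode:
        findings.append(f"ssl-enable-fips = {legacy} is overridden by "
                        f"ssl-compliance = {mode}")
    return mode, findings

if __name__ == "__main__":
    print(effective_compliance(SAMPLE_PD_CONF))
```

Run it against the file before configuring the policy server; a non-empty findings list means the deprecated entry should be removed so that the file states one compliance mode only.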