Configure NIST SP800-131A compliance
Special Publication 800-131a (SP 800-131a) is an information security standard of the National Institute of Standards and Technology (NIST). SP 800-131a requires longer key lengths and stronger cryptography than other standards. We can configure WebSEAL to comply with NIST SP800-131A when it is negotiating SSL connections.
Use the nist-compliance, ssl-nist-compliance, and jct-nist-compliance entries to configure NIST SP800-131A compliance. Enabling NIST SP800-131A compliance automatically configures the following settings:
- Enables FIPS mode processing.
- Enables TLS v1.2. TLS v1 and TLS v1.1 are not disabled.
- Enables the appropriate signature algorithms.
- Sets the minimum RSA key size to 2048 bytes.
We can individually enable NIST SP800-131A for specific communication channels using the following configuration entries:
- [ssl] stanza
  - WebSEAL uses the nist-compliance configuration entry as the global NIST setting for SSL connections with clients. If the ssl-nist-compliance configuration entries are not present in the WebSEAL configuration file, WebSEAL uses the nist-compliance value as the default NIST setting for all client connections.
- [dsess-cluster] stanza
  - The ssl-nist-compliance configuration entry controls NIST SP800-131A compliance for SSL connections with the distributed session cache.
- [rtss-cluster:<cluster>] stanza
  - The ssl-nist-compliance configuration entry controls NIST SP800-131A compliance for runtime security services SOAP communication.
- [tfim-cluster:<cluster>] stanza
  - The ssl-nist-compliance configuration entry controls NIST SP800-131A compliance for SSL connections with the Federation Runtime.
- [junction] stanza
  - The jct-nist-compliance configuration entry controls NIST SP800-131A compliance for SSL connections to junctioned servers.
For information about these configuration entries, see the Reference topics in the IBM Knowledge Center.
Example
For example, the following configuration disables NIST SP800-131A compliance for SSL connections with the distributed session cache, but enables NIST SP800-131A compliance for other client connections.
```ini
[dsess-cluster]
ssl-nist-compliance = no

[ssl]
nist-compliance = yes
```
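Because the per-channel entries override the global [ssl] value only where they are present, it is easy to lose track of which channels actually negotiate under NIST SP800-131A. The following audit helper is an added example, not an IBM tool: it parses a WebSEAL-style configuration (a constructed sample that extends the example above with cluster stanzas) and reports the effective setting per channel. It assumes the fallback rule stated for ssl-nist-compliance also applies to jct-nist-compliance.

```python
"""Audit the effective NIST SP800-131A setting per WebSEAL channel.

Hypothetical helper (not part of WebSEAL). Rule applied, from the page:
a stanza's ssl-nist-compliance (or jct-nist-compliance, assumed here)
overrides the global [ssl] nist-compliance value; if the entry is absent,
the global value is the default.
"""
import configparser

# Constructed sample: the page's example plus cluster and junction stanzas.
SAMPLE_CONFIG = """
[ssl]
nist-compliance = yes

[dsess-cluster]
ssl-nist-compliance = no

[rtss-cluster:rtss1]
ssl-nist-compliance = yes

[tfim-cluster:fed1]
# no override here: inherits the global [ssl] setting

[junction]
"""

# Channel name -> (stanza prefix, entry). Cluster stanzas carry ":<cluster>".
CHANNELS = {
    "client connections": ("ssl", "nist-compliance"),
    "distributed session cache": ("dsess-cluster", "ssl-nist-compliance"),
    "runtime security services": ("rtss-cluster", "ssl-nist-compliance"),
    "federation runtime": ("tfim-cluster", "ssl-nist-compliance"),
    "junctioned servers": ("junction", "jct-nist-compliance"),
}

def parse_webseal_config(text):
    # WebSEAL configuration files are INI-style stanzas with '#' comments.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def effective_nist(cp):
    """Return {stanza: (channel, enabled)} with the fallback rule applied."""
    default = cp.get("ssl", "nist-compliance", fallback="no").lower() == "yes"
    result = {}
    for section in cp.sections():
        prefix = section.split(":", 1)[0]          # strip the :<cluster> suffix
        for channel, (stanza, entry) in CHANNELS.items():
            if prefix == stanza:
                value = cp.get(section, entry, fallback=None)
                enabled = default if value is None else value.lower() == "yes"
                result[section] = (channel, enabled)
    return result

def noncompliant_stanzas(cp):
    """Stanzas whose SSL connections are NOT under NIST SP800-131A."""
    return sorted(s for s, (_, on) in effective_nist(cp).items() if not on)
```

Running `noncompliant_stanzas(parse_webseal_config(SAMPLE_CONFIG))` on the sample flags only the distributed session cache stanza, matching the intent of the example configuration.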