ssl-compliance
Specifies the SSL compliance mode.
ssl-compliance = {fips|none|sp800-131-strict|sp800-131-transition|suite-b-128|suite-b-192}
Description
This stanza entry specifies the SSL compliance mode. The value of this stanza entry is set during the initial policy server configuration. Do not modify this value.
Options
fips Enforces FIPS 140-2 protocols and algorithms. ISAM servers and applications generate and use SHA1 with 2048-bit RSA certificates. Only TLS versions 1.0, 1.1, and 1.2 are available. SSL versions 2 and 3 are disabled and unavailable. This option is equivalent to the previous release setting [ssl] ssl-enable-fips = yes. This value is compatible with previous Tivoli Access Manager releases.
none Specifies that no special compliance criteria are applied to TLS communication. ISAM servers and applications generate and use SHA1 with 2048-bit RSA certificates. This option is equivalent to the previous release setting [ssl] ssl-enable-fips = no. This value is compatible with previous Tivoli Access Manager releases.
sp800-131-strict Enables strict NIST SP800-131a support. This conformance enforcement is required by some agencies and businesses starting in the year 2014.
ISAM servers and applications generate and use SHA256 with 2048-bit RSA certificates. This value is not compatible with prior releases of Tivoli Access Manager. Older Tivoli Access Manager clients cannot interact with ISAM 7.0 running with this compliance setting. Only TLS version 1.2 is available; all others are disabled.
sp800-131-transition Enables NIST SP800-131a support at the transition level. This value is valid until the end of the year 2013. This value has fewer restrictions than the strict enforcement. Only TLS versions 1.0, 1.1, and 1.2 are available. SSL versions 2 and 3 are disabled and unavailable.
ISAM servers and applications generate and use SHA256 with 2048-bit RSA certificates. This value is stricter than the standard requires; it was chosen because it is also permitted under strict enforcement, which allows easy migration from transition to strict. This value is not compatible with previous Tivoli Access Manager releases. Older Tivoli Access Manager clients cannot interact with ISAM 7.0 running with this compliance setting.
suite-b-128 Enables NSA Suite B at 128-bit support. ISAM servers and applications generate and use SHA256 with 256-bit ECDSA certificates. This value is not compatible with previous Tivoli Access Manager releases. Older Tivoli Access Manager clients cannot interact with Tivoli Access Manager 7.0 running with this compliance setting. Only TLS version 1.2 is available; all others are disabled.
suite-b-192 Enables NSA Suite B at 192-bit support. ISAM servers and applications generate and use SHA384 with 384-bit ECDSA certificates. This value is not compatible with previous Tivoli Access Manager releases. Older Tivoli Access Manager clients cannot interact with ISAM 7.0 running with this compliance setting. Only TLS version 1.2 is available; all others are disabled.
Usage: Optional
Default value: None.
Example:
ssl-compliance = fips
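The following is an added example (not IBM's code) that audits an [ssl] stanza against the mode table above: it resolves the effective mode, including the pre-7.0 ssl-enable-fips fallback, and reports the TLS versions, certificate requirements and compatibility warnings that mode implies. The sample stanza text and the audit function name are constructed for this example.

```python
import configparser

# Per mode: TLS versions still enabled (None = the reference states no
# restriction), certificate hash, key algorithm, key size in bits, and whether
# clients from releases before 7.0 can still interact with the server.
MODES = {
    "fips":                 (("1.0", "1.1", "1.2"), "SHA1",   "RSA",   2048, True),
    "none":                 (None,                  "SHA1",   "RSA",   2048, True),
    "sp800-131-transition": (("1.0", "1.1", "1.2"), "SHA256", "RSA",   2048, False),
    "sp800-131-strict":     (("1.2",),              "SHA256", "RSA",   2048, False),
    "suite-b-128":          (("1.2",),              "SHA256", "ECDSA", 256,  False),
    "suite-b-192":          (("1.2",),              "SHA384", "ECDSA", 384,  False),
}

# Mapping of the previous-release [ssl] ssl-enable-fips setting onto the modes.
LEGACY = {"yes": "fips", "no": "none"}


def audit_ssl_stanza(text):
    """Return the effective ssl-compliance mode, its implications and warnings."""
    cp = configparser.ConfigParser(strict=False, allow_no_value=True, interpolation=None)
    cp.read_string(text)
    ssl = cp["ssl"] if cp.has_section("ssl") else {}
    mode = (ssl.get("ssl-compliance") or "").strip().lower()
    legacy = (ssl.get("ssl-enable-fips") or "").strip().lower()
    warnings = []
    if not mode:
        # No ssl-compliance entry: fall back to the legacy flag, else the default "none".
        mode = LEGACY.get(legacy, "none")
        if legacy:
            warnings.append(f"ssl-enable-fips is a previous-release setting; equivalent ssl-compliance = {mode}")
    if mode not in MODES:
        return {"mode": mode, "warnings": ["unknown ssl-compliance value"]}
    tls, digest, alg, bits, legacy_ok = MODES[mode]
    if mode == "sp800-131-transition":
        warnings.append("transition mode is documented as valid only until the end of 2013")
    if not legacy_ok:
        warnings.append("older Tivoli Access Manager clients cannot interact with this server")
    return {"mode": mode, "tls_versions": tls, "certificate": f"{digest} with {bits}-bit {alg}",
            "legacy_clients_ok": legacy_ok, "warnings": warnings}


# Constructed sample stanza for this example, not taken from a real deployment.
SAMPLE = """[ssl]
ssl-compliance = sp800-131-strict
"""

if __name__ == "__main__":
    for key, value in audit_ssl_stanza(SAMPLE).items():
        print(f"{key}: {value}")
```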