Support for compliance with NIST SP800-131a

Advanced Access Control supports the requirements defined by the National Institute of Standards and Technology (NIST) Special Publications 800-131a.

SP 800-131a strengthens security by defining stronger cryptographic keys and more robust algorithms. The standard defines a period to allow customers time to make the transition to the new requirements. The transition period closes at the end of 2013. See the NIST publication Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths for the new standards defined by Special Publication 800-131, and details about allowed protocols, cipher suites, and key strength.

We can run the appliance that provides Advanced Access Control in either of the two modes that are supported by NIST SP800-131a:

• Transition mode
• Strict mode

When configured in transition mode, server components support the transition mode Transport Layer Security (TLS) protocols, which include TLS 1.0 and TLS 1.1. Client components, such as the HTTPS client that performs one-time password (OTP) delivery and the syslog auditing client, support TLS 1.2 only.

When configured in strict mode, both the server components and the client components of Advanced Access Control support TLS 1.2 only.

To deploy in transition mode, we need to select only the mode during initial configuration of the appliance. To run in strict mode, we must also set an extra configuration option.

If your deployment uses client certificate authentication, and to use strict mode, complete more configuration steps for the point of contact server. The point of contact server can be either IBM Security Verify Access WebSEAL or IBM Security Web Gateway appliance 7.0.

Transition mode

When we install the appliance, select the option to enable FIPS 140-2 mode. This selection turns on compliance for NIST SP800-131a.

When enabled, NIST SP800-131a compliance is run in transition mode. We do not have to complete any further configuration steps in order to run in transition mode.

• Enable FIPS 140-2 mode only if we must comply with the NIST SP800-131a requirements. There is no advantage to enabling FIPS 140-2 mode if your installation does not require this compliance.Important: The setting of the FIPS 140-2 Mode option is permanent and cannot be turned off after it is enabled. To disable the option, we must reinstall the appliance.

• If we enable FIPS 140-2 mode, the appliance is automatically restarted before it continues with the rest of the setup.
• FIPS Limitation: For Advanced Access Control, the FIPS 140-2 mode option in the appliance setup wizard does not turn on compliance for FIPS 140-2. It turns on compliance for NIST SP800-131a only.

Strict mode

Overview of configuration tasks:

1. Enable FIPS 140-2 mode during appliance configuration.
2. Set a tuning parameter to enable strict mode.
3. (Optional) If your deployment uses client certificate authentication, configure TLS v1.2.

Instructions:

1. Install the appliance and choose to enable FIPS 140-2 mode. This selection turns on compliance for NIST SP800-131a.
2. Use the appliance local management interface (LMI) to modify the advanced tuning parameter nist.sp800-131a.strict. This parameter is set by default to false. Complete the following steps:
   1. Verify that your browser supports TLS 1.2.CAUTION: Strict mode requires the use of TLS 1.2. Some browsers support TLS 1.2 but have the support disabled by default. If we set the value of the nist.sp800-131a.strict parameter to true, and your browser is not configured to support TLS 1.2, you lose access to the appliance LMI.

   2. On the LMI, select System > System Settings > Advanced Tuning Parameters.

   3. Select nist.sp800-131a.strict. Select Edit. Change the value to true.

3. Determine Whether your deployment uses basic authentication or client certificate authentication, for communication between Advanced Access Control and the point of contact server.

   • If we use basic authentication, the configuration is complete.

   • If we use client certificate authentication, continue with the next section.

Client certificate configuration for strict mode

If we use client certificate authentication on the point of contact server, configure it to be in compliance with NIST SP800-131a strict mode.

To comply with strict mode, configure the point of contact server to use TLS v.1.2 for client certificate authentication.

You must create a self-signed certificate, and configure the point of contact server to use TLS v1.2 with the runtime security services external authorization service (EAS). Complete each of the following tasks:

1. Create a self-signed certificate.
   • Review the Before you begin section of Configure runtime security services for client certificate authentication. Select one of the following actions, as fits your deployment:

     • If your deployment uses web reverse proxy, follow the instructions in Configure runtime security services for client certificate authentication. In Step 1 “Create a client certificate for user easusercert", specify:

        Signature Algorithm: SHA2withRSA 
       

   • If your deployment uses WebSEAL:

     Manually create a self-signed certificate. To specify a NIST-compliant algorithm, use an external utility such as gsk7ikm. Open the pd.srv certificate database, and create a self-signed certificate with these credentials:

      Certificate Label: easusercert
      Certificate Distinguished Name: cn=easuser
      Key Size: 2048
      Expiration Time (in days): 365
      Signature Algorithm: SHA2withRSA 
     

     • The user cn=easuser is the built-in user, but any user with sufficient permissions (as created by the Advanced Access Control administrator) can be used instead.
     • It is not mandatory that WebSEAL has FIPS 140-2 mode configured in order to communicate with the Advanced Access Control server. However, to comply with NIST SP800-131a strict mode, client certificate authentication between WebSEAL and the server must be over TLS v1.2.
     • See the WebSEAL information in the IBM Knowledge Center for complete information on configuring client certificate authentication.

2. Configure the point of contact server to use TLS v1.2 with the Runtime Security Services External Authorization Service (EAS)

   The point of contact server uses the EAS to process authorization requests. The default EAS setting for communication specifies Secure Sockets Layer (SSL) v2, which is not supported by Advanced Access Control when it operates in NIST SP800-131a strict mode. If we do not adjust the configuration setting for the EAS, the authorization request (and the regular ping call) does not succeed.

   Select the action that fits your deployment:

   • If you deploy your point of contact server on the same computer as the appliance:

     1. In the Advanced Access Control local management interface, select Reverse Proxy Settings > your_instance_name > Manage > Configuration > Edit to open the configuration file. Add the following parameter to the existing stanza:

        [rtss-cluster:cluster1]
        gsk-attr-name = enum:438:1 

3. Click Save. Deploy the changes. Restart the instance.

If you deploy your point of contact server on a different computer from the appliance:

1. Open the WebSEAL instance configuration file for editing. For example: /opt/pdweb/etc/webseald-appliance-default.conf.
2. Add the following parameter to the existing stanza:

   [rtss-cluster:cluster1]
   gsk-attr-name = enum:438:1 

.

Parent topic: Advanced Access Control configuration