You can configure IBM® Engineering Requirements Management DOORS® - Web Access
(DWA) to
communicate over secure sockets in compliance with the National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-131A standard. That standard specifies the algorithms
to use to strengthen security, and the minimum encryption strengths that are required for the
algorithms.
About this task
To configure DWA to
comply with SP 800-131A, you modify the Apache Tomcat server configuration values to reject requests
with certificates that do not meet the minimum required encryption strengths. You must use a
security provider that complies with FIPS 140-2 and configure its system properties to run in SP
800-131A mode. That configuration ensures that you are using the proper protocol and cipher suites.
For strict compliance, key strength and signature algorithms are also verified. Strict compliance
allows only the TLS 1.2 protocol. You must ensure that the certificates, keys, and secure
random number generator, if specified, comply with SP 800-131A.
Important: If you specify TLS 1.2 protocol, see vendor documentation to determine
whether your browser supports that version.
When DWA is
enabled to support SP800-131A in strict mode, all remote services must also be configured to support
SP 800-131A strict mode. If a remote service does not support the minimum requirements for SP
800-131A strict mode, than any request to that service will fail.
Configuring
DWA to
comply with NIST SP 800-131A involves these steps:
Procedure
-
Open the Apache Tomcat startup script file in an editor and add parameters for the SSL
protocol, the SP 800-131A compliance level, and the cipher suites. At the
com.ibm.jsse2.usefipsprovider
entry that you added for FIPS 140-2, add
JAVA_OPTS
entries for these parameters:
Parameter |
Value |
https.protocols |
Set to TLSv1.2. The protocol must be compatible with
the protocols that are enabled on the remote server. |
com.ibm.jsse2.sp800-131 |
Set to strict. |
https.cipherSuites |
Enter a supported cipher suite. This parameter restricts the ciphers that
are used by outgoing requests for remote services. These cipher suites must be
compatible with the cipher suites that are set for the remote server. |
- On Windows systems, the
server.start.bat script file is in the DWA
installation directory; for example,
<DOORSWebAccess_install_dir>\version.
This example includes the required values for the SSL protocol and compliance level parameters, and
an example of supported cipher
suites:
set JAVA_OPTS=%JAVA_OPTS% -Dhttps.protocols=TLSv1.2
set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.usefipsprovider=true
set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.sp800-131=strict
set JAVA_OPTS=%JAVA_OPTS% -Dhttps.cipherSuites="SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
cd %CATALINA_HOME%\bin
call ".\startup.bat"
- On Linux® systems, the server.start.sh script file is in the
DWA
installation directory. This example includes the required values for the SSL protocol and
compliance level parameters, and an example of supported cipher
suites:
JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1.2"
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true"
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.sp800-131=strict"
JAVA_OPTS="$JAVA_OPTS -Dhttps.cipherSuites=SSL_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
export JAVA_OPTS
For strict compliance, key strength and signature algorithms are also verified. Strict
compliance allows only TLS 1.2 protocol. You must ensure that the certificates, keys,
and secure random number generator, if specified, all comply with SP 800-131A.
- Save and close the file.
-
Open the Apache Tomcat server.xml file in an editor.
That file is in the DWA
installation in the server/conf directory; for example,
C<DOORSWebAccess_install_dir>\version\server\conf
-
In the HTTPS connector section, set the
sslProtocol
and
sslEnabledProtocols
values to the minimum TLS version, which is based
on the value that is determined by the com.ibm.jsse2.sp800-131
system
property value; for example:
-
Set the cipher suites to further restrict what the server accepts. The value for this
entry must match the value that is used in the
https.cipherSuites
parameter in the server startup script, as described in step 1; for example:
ciphers="SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
Ensure
that Secure Sockets Layer (SSL) is configured to use only an approved cipher suite for SP
800-131A. For a list of cipher suites, see "IBM
JSSE2 Cipher Suites" in
Related
information.
What to do next
Update client browsers to one that supports the minimum TLS version. The minimum TLS
version is determined by the value that is specified in the sslProtocol
property
that is in the server.xml file.
Ensure that client and server
certificates, including root and intermediate certificates, are at least 112 bits and are signed
properly, as defined in this procedure. Check keys in keystores and trusted certificates in trust
stores.
See Configuring compliance for NIST SP 800-131A in the DOORS
database server and client.