Configuring the server components for SP800-131 enhanced encryption
You can configure SP800-131 enhanced encryption in the FIPS configuration file to enforce TLS 1.2 encryption for the server components that support FIPS 140-2 mode.
Before you begin
Procedure
Example
SP800_131MODE=TRUE
TLS12_ONLY=TRUE
SHA2_CERTIFICATES_ONLY=TRUE
STRICT_CERTIFICATE_CHECK=TRUE
What to do next
If you set the SHA2_CERTIFICATES_ONLY or STRICT_CERTIFICATE_CHECK parameter, or both, to TRUE, you must use a key size and signing algorithm that are permitted by NIST SP800-131 when you generate or sign certificates with the nc_gskcmd certificate and key management utility.
For example, if you run nc_gskcmd with the -cert -create or -certreq -create command-line options, use the -size option to specify a key size of 2048 and the -sig_alg option to specify the SHA512_WITH_RSA signing algorithm.
If you run nc_gskcmd with the -cert -sign command-line option, use the -sig_alg option to specify the SHA512_WITH_RSA signing algorithm.
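To confirm that a FIPS configuration file matches the example above, a small checker such as the following can be run against it. This is an added example, not part of the product or its documentation; it assumes KEY=VALUE lines with optional '#' comment lines, treats only the exact value TRUE as enabled, and keeps the last value when a key repeats.

```python
import sys

# Parameter names and the TRUE value come from the example on this page.
EXAMPLE = ("SP800_131MODE", "TLS12_ONLY",
           "SHA2_CERTIFICATES_ONLY", "STRICT_CERTIFICATE_CHECK")
# Either of these set to TRUE restricts key size and signing algorithm.
CERT_PARAMS = EXAMPLE[2:]
# Constructed sample input, not a real server's file.
SAMPLE = """# constructed sample
SP800_131MODE=TRUE
TLS12_ONLY = true
SHA2_CERTIFICATES_ONLY=TRUE
SHA2_CERTIFICATES_ONLY=FALSE
"""

def parse_config(text):
    """Return ({key: value}, [repeated keys]) from KEY=VALUE lines."""
    settings, repeated = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank lines and '#' comments are skipped (assumption)
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings:
            repeated.append(key)
        settings[key] = value  # last occurrence is kept (assumption)
    return settings, repeated

def differences(text):
    """List where the file differs from the page's example (empty = identical)."""
    settings, repeated = parse_config(text)
    found = []
    for name in EXAMPLE:
        if name not in settings:
            found.append(f"{name}: not set")
        elif settings[name] != "TRUE":  # exact match only, to be conservative
            found.append(f"{name}: value {settings[name]!r} is not TRUE")
    return found + [f"{k}: set more than once" for k in repeated if k in EXAMPLE]

def cert_constraints_apply(text):
    """True when SHA2_CERTIFICATES_ONLY or STRICT_CERTIFICATE_CHECK is TRUE."""
    settings, _ = parse_config(text)
    return any(settings.get(name) == "TRUE" for name in CERT_PARAMS)

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(differences(text)) or "matches the page's example")
    if cert_constraints_apply(text):
        print("nc_gskcmd: use, for example, -size 2048 and -sig_alg SHA512_WITH_RSA")
```

Run it with the path to the configuration file as the only argument; with no argument it checks the constructed sample.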