Configuring WebSphere Application Server for SP800-131 standard strict mode
You can configure WebSphere® Application Server to use the SP800-131 standard strict mode.
Before you begin
About this task
The National Institute of Standards and Technology (NIST) Special Publications (SP) 800-131 standard strengthens algorithms and increases the key lengths to improve security. The standard also provides for a transition period to move to the new standard. The transition period enables a user to run in a mixed environment of settings not supported under the standard along with those that are supported. The NIST SP800-131 standard requires that users be configured for strict enforcement of the standard by a specific timeframe. See The National Institute of Standards and Technology web site for more details.
WebSphere Application Server can be configured to run SP800-131 in a transition mode or a strict mode. For instructions on how to configure transition mode, read the topic on transitioning WebSphere Application Server to the SP800-131 security standard.
- Secure Sockets Layer (SSL) configuration must use the TLSv1.2 protocol.
- The com.ibm.jsse2.sp800-131 system property must be set to strict for the JSSE to run in a strict SP800-131 mode.
- Certificates used for SSL communication must have a minimum length of 2048, and for Elliptic Curve (EC) certificates they must have a minimum length of 244.
- Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512.
- SP800-131 approved cipher suites must be used.
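The requirements above are the kind of thing worth auditing for every SSL configuration in a cell before strict mode is switched on, because a single 1024-bit or SHA1-signed certificate stops the JSSE from establishing connections once enforcement is strict. The following stand-alone Python script is an added example, not IBM code and not a wsadmin script: it takes a hand-built record describing one SSL configuration (protocol, JVM arguments, certificate metadata, cipher suite list) and reports every deviation from the list on this page. The record layout, the sample values, and the cipher-suite rule (reject suites that name a legacy primitive, require a SHA-2 MAC/PRF suffix) are assumptions made for the example; the page itself does not enumerate the approved suites. The EC minimum of 244 bits is taken as the page states it.

```python
"""Pre-flight audit of an SSL configuration against the SP800-131 strict-mode
requirements listed on this page.  Standard library only; the configuration
records below are constructed for the example, not exported from a real cell."""
import re

TLS12 = "TLSv1.2"
MIN_RSA_BITS = 2048
MIN_EC_BITS = 244  # figure as given on this page
APPROVED_SIG_ALGS = {
    "SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
    "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA",
}
# Assumption (not from the page): suites naming a legacy primitive are rejected
# outright; the remaining suites must carry a SHA-2 suffix as TLS 1.2 suites do.
WEAK_SUITE_MARKERS = ("_NULL_", "_RC4_", "_DES_", "_3DES_", "_MD5", "_EXPORT", "_anon_")


def jsse_mode(jvm_args):
    """Return the value of -Dcom.ibm.jsse2.sp800-131=<value> found in a JVM
    argument string, or None when the property is absent."""
    match = re.search(r"-Dcom\.ibm\.jsse2\.sp800-131=(\S+)", jvm_args)
    return match.group(1) if match else None


def suite_is_approved(suite):
    """Heuristic suite check (assumption, see lead-in): no legacy primitive in
    the name and a SHA256/SHA384 suffix; a bare _SHA suffix means SHA-1."""
    if any(marker in suite for marker in WEAK_SUITE_MARKERS):
        return False
    return suite.endswith(("_SHA256", "_SHA384"))


def audit(config):
    """Return a list of human-readable violations; an empty list means the
    configuration satisfies every strict-mode requirement checked here."""
    problems = []
    if config["protocol"] != TLS12:
        problems.append("protocol %s is not %s" % (config["protocol"], TLS12))
    mode = jsse_mode(config["jvm_args"])
    if mode != "strict":
        problems.append("com.ibm.jsse2.sp800-131 is %r, expected 'strict'" % mode)
    for cert in config["certificates"]:
        minimum = MIN_EC_BITS if cert["key_type"] == "EC" else MIN_RSA_BITS
        if cert["key_bits"] < minimum:
            problems.append("%s: %s key of %d bits is below %d"
                            % (cert["alias"], cert["key_type"], cert["key_bits"], minimum))
        if cert["sig_alg"] not in APPROVED_SIG_ALGS:
            problems.append("%s: signature algorithm %s is not SHA256/SHA384/SHA512"
                            % (cert["alias"], cert["sig_alg"]))
    for suite in config["cipher_suites"]:
        if not suite_is_approved(suite):
            problems.append("cipher suite %s is not approved" % suite)
    return problems


# Constructed sample records: a legacy configuration and a strict-ready one.
LEGACY = {
    "protocol": "SSL_TLS",
    "jvm_args": "-Xmx1024m",
    "certificates": [
        {"alias": "default", "key_type": "RSA", "key_bits": 1024, "sig_alg": "SHA1withRSA"},
    ],
    "cipher_suites": ["SSL_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"],
}

STRICT_READY = {
    "protocol": "TLSv1.2",
    "jvm_args": "-Xmx1024m -Dcom.ibm.jsse2.sp800-131=strict",
    "certificates": [
        {"alias": "default", "key_type": "RSA", "key_bits": 2048, "sig_alg": "SHA256withRSA"},
        {"alias": "ec-cert", "key_type": "EC", "key_bits": 256, "sig_alg": "SHA384withECDSA"},
    ],
    "cipher_suites": ["TLS_RSA_WITH_AES_128_GCM_SHA256",
                      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"],
}

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY), ("strict-ready", STRICT_READY)):
        print(name, "->", audit(cfg) or "OK")
```

Run the script to see the legacy record produce six findings (protocol, missing property, key size, signature algorithm, and both cipher suites) while the strict-ready record reports OK. In practice the certificate fields would be filled from the keystore contents and the JVM arguments from each server's generic JVM arguments; the checker deliberately reports every violation rather than stopping at the first, because all of them have to be fixed before strict mode can be enabled.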
Procedure
What to do next
Manually sync the nodes with syncNode, and start the node agents and servers. To use syncNode, you might need to update the ssl.client.props file to communicate with the deployment manager.