IBM Support

Configuring compliance for NIST SP 800-131A in DOORS Web Access throws exception

Question & Answer


Question

What is the cause of the error when DOORS Web Access is configured for NIST SP 800-131A?
Caused by: java.lang.IllegalArgumentException: Only TLS1.2 protocol can be enabled in SP800_131 strict mode.

Cause

When SP800-131 strict mode is enabled for DOORS Web Access, only the TLSv1.2 protocol can be used.

The error stack shows that the Tomcat code tries to create an SSLContext with a protocol name other than "TLSv1.2":

... at javax.net.ssl.SSLContext.getInstance(SSLContext.java:29) at org.apache.tomcat.util.compat.TLS.<clinit>(TLS.java:35) at org.apache.tomcat.util.net.jsse.JSSEUtil.isTls13Available(JSSEUtil.java:175) ...

The problematic call happens as a means to detect whether TLSv1.3 is available:

TLS.java#L35

The call to org.apache.tomcat.util.compat.TLS.isTls13Available() was removed in April 2019:

Don't warn that SSLv2Hello is unavailable unless explicitly configured

The org.apache.tomcat.util.compat.TLS class was removed completely in January 2020:

Delete some deprecated code planned for removal in Tomcat 10

The version of Tomcat that is shipped with DWA 9.7.2.x is not compatible with IBM Java's SP800_131 strict mode because Tomcat explicitly tries to create a TLSv1.3 context, albeit only as a detection mechanism. Because that call sits in the static initializer of the TLS class, the IllegalArgumentException makes the class unusable and the connector fails to start.
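The following Java class is an added illustration of the failure mode described above; it is not Tomcat's or IBM's code, and the class and method names are my own. fragileProbe() mirrors the unguarded detection that the old Tomcat TLS class performed, while safeProbe() shows a defensive variant that treats a provider rejection as "TLS 1.3 not available" instead of letting it propagate.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public final class Tls13Probe {

    /** Mirrors the old Tomcat detection: any exception escapes to the caller.
     *  Called from a static initializer, an IllegalArgumentException here becomes an
     *  ExceptionInInitializerError and the whole class can never be loaded. */
    static boolean fragileProbe() throws NoSuchAlgorithmException {
        // In IBM JSSE2 SP800-131 strict mode this throws IllegalArgumentException
        // ("Only TLS1.2 protocol can be enabled in SP800_131 strict mode").
        SSLContext.getInstance("TLSv1.3");
        return true;
    }

    /** Defensive detection: consult the default context's supported protocol list
     *  first, and treat any provider rejection as "not available" rather than fatal. */
    static boolean safeProbe() {
        try {
            String[] supported = SSLContext.getDefault()
                    .getSupportedSSLParameters().getProtocols();
            if (!Arrays.asList(supported).contains("TLSv1.3")) {
                return false;
            }
            SSLContext.getInstance("TLSv1.3");
            return true;
        } catch (NoSuchAlgorithmException | IllegalArgumentException e) {
            // NoSuchAlgorithmException: the provider has no TLSv1.3 implementation.
            // IllegalArgumentException: provider policy (e.g. SP800-131 strict) forbids it.
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("TLSv1.3 usable (safe probe): " + safeProbe());
        try {
            System.out.println("TLSv1.3 usable (fragile probe): " + fragileProbe());
        } catch (NoSuchAlgorithmException | RuntimeException e) {
            System.out.println("fragile probe failed: " + e);
        }
    }
}
```

On an IBM JDK, strict mode is selected with the IBM JSSE2 system property com.ibm.jsse2.sp800-131=strict; with it set, the fragile probe reports the same IllegalArgumentException as the DWA stack trace while the safe probe simply returns false.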

Answer

Download the latest Tomcat version (apache-tomcat-9.0.80.tar.gz) and upgrade as follows:

tomcat-9.0.80

1. Go to the Rational DOORS Web Access installation directory.

For example, C:\Program Files\IBM\Rational\DOORS Web Access\9.version

2. Rename the server directory to server.orig.

3. Extract the downloaded Apache Tomcat core compressed file to ./server in the Rational DOORS Web Access installation directory.

4. Delete the contents of the ./server/webapps folder.

5. Copy the following files from your ./server.orig/lib directory to ./server/lib.

commons-logging-1.1.x.jar

dwa-catalina.jar

log4j-1.2.x.jar

log4j-2.xml

6. Remove the following jar files from the ./server/lib directory.

tomcat-websocket.jar

websocket-api.jar

7. Copy the contents of the ./server.orig/festival directory to ./server/festival.

8. Copy the ./server.orig/conf/server.xml file to ./server/conf/server.xml.

9. Copy ./server.orig/localhost.keystore to ./server.

10. Modify the ./server/conf/context.xml file.

Add the <CookieProcessor sameSiteCookies="none" /> element inside the <Context> tag, and save the file.

Add the following attributes to the AJP Connector in the ./server/conf/server.xml file:

address="0.0.0.0" requiredSecret="servicecatalog"

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="0.0.0.0" requiredSecret="servicecatalog" />

Note: Make sure the new folders and the files you copied or created have the same permissions as the originals.

Also copy the keystore, the truststore, and any custom files to the appropriate locations.


Document Information

Modified date:
15 October 2023

UID

ibm17052671