You can configure the Rational DOORS database server and
client to communicate over secure sockets in compliance with the National
Institute of Standards and Technology Special Publications (NIST SP)
800-131A standard.
About this task
The NIST SP 800-131A standard specifies both the algorithms
to use to strengthen security and the minimum encryption strengths
that are required for them. You can configure the compliance as strict
or transitional:
- In strict mode, all communication must conform to SP 800-131A.
For example, if the Rational DOORS client does not use strict mode
but the Rational DOORS server does, the server cannot authenticate
users by using certificate login. Strict mode requires TLS 1.2 protocol
and SHA2 certificates. To strengthen strict mode, you can require
that the full certificate chain, and not only the end certificate,
is checked for SHA2 certificates.
- Transitional mode removes a few SP 800-131A requirements and allows
communication with components and applications that use SHA1 certificates
and the TLS 1.0, TLS 1.1, or TLS 1.2 protocol.
This configuration is optional. It might impact performance,
and it might require new certificates.
Table 1. Command-line switches and registry settings

Switch and registry setting | Description
-sp800-131 | When this switch is used alone, it enforces strict compliance. To strengthen or weaken this switch, use it with one of the other switches, which are optional.
-strictSha2 | This option strengthens strict mode by requiring that the full certificate chain, and not only the end certificate, is checked for SHA2 certificates. For example, a Rational DOORS server that uses a SHA2 certificate that has a SHA1 root can start in secure mode if only SP 800-131A is used. However, if both SP 800-131A and strictSha2 are specified, the server cannot start in secure mode. If -allowSha1 is used, this option is ignored.
-allowSha1 | This transitional mode option permits connections that are made with SHA1 certificates, in addition to SHA2.
-allowTls10And11 | This transitional mode option permits connections that are made with the TLS 1.0 and TLS 1.1 protocols, in addition to TLS 1.2.
Procedure
To configure the Rational DOORS client and database server
to comply with NIST SP 800-131A:
- Open a command line, start the database server by using the doorsd
command, and enter options from the table. For example:
doorsd -sp800-131 -allowTls10And11 -allowSha1
- From the command line, start the client and enter options
from the table by using the doors command. For example:
doors -sp800-131 -allowTls10And11 -allowSha1
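The following Python script is an added example, not part of the Rational DOORS product or this documentation: it models the rules from Table 1 so that you can check, before rolling out a switch combination, whether a given certificate chain and negotiated TLS version would still be accepted. It assumes signature algorithm names as openssl prints them (for example sha256WithRSAEncryption) and openssl-style protocol names (TLSv1, TLSv1.1, TLSv1.2); any other protocol is treated as not permitted in strict mode.

```python
import re

def hash_family(sig_alg):
    """Classify a signature algorithm name as "sha1", "sha2" or None (unrecognised)."""
    m = re.search(r"sha(\d+)", sig_alg, re.IGNORECASE)
    digest = m.group(1) if m else ""
    if digest == "1":
        return "sha1"
    return "sha2" if digest in ("224", "256", "384", "512") else None

def parse_switches(cmdline):
    """Derive the effective policy from a doorsd/doors command line (switches from Table 1)."""
    flags = set(cmdline.split())
    if "-sp800-131" not in flags:
        return None                      # SP 800-131A checking is not enabled at all
    allow_sha1 = "-allowSha1" in flags
    return {
        "allow_tls10_11": "-allowTls10And11" in flags,
        "allow_sha1": allow_sha1,
        "strict_sha2": "-strictSha2" in flags and not allow_sha1,  # ignored with -allowSha1
    }

def evaluate(cmdline, tls_version, chain_sig_algs):
    """Return (accepted, reasons). chain_sig_algs lists each certificate's signature
    algorithm, end certificate first and root last."""
    policy = parse_switches(cmdline)
    if policy is None:
        return True, []
    reasons = []
    # Protocol: strict mode requires TLS 1.2; 1.0/1.1 only with -allowTls10And11.
    if tls_version != "TLSv1.2" and not (
            policy["allow_tls10_11"] and tls_version in ("TLSv1", "TLSv1.1")):
        reasons.append(f"protocol {tls_version} not permitted")
    # Certificates: SHA-2 on the end certificate, or on the whole chain with -strictSha2;
    # -allowSha1 (transitional mode) waives both checks.
    if not policy["allow_sha1"]:
        to_check = chain_sig_algs if policy["strict_sha2"] else chain_sig_algs[:1]
        for depth, alg in enumerate(to_check):
            if hash_family(alg) != "sha2":
                reasons.append(f"certificate at depth {depth} is signed with {alg}")
    return not reasons, reasons

if __name__ == "__main__":
    # Constructed sample chain: SHA-2 end certificate and intermediate, SHA-1 root,
    # the case described in the -strictSha2 row of Table 1.
    chain = ["sha256WithRSAEncryption", "sha256WithRSAEncryption", "sha1WithRSAEncryption"]
    for cmd in ("doorsd -sp800-131", "doorsd -sp800-131 -strictSha2",
                "doorsd -sp800-131 -strictSha2 -allowSha1"):
        print(cmd, "->", evaluate(cmd, "TLSv1.2", chain))
```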