You can configure Rational DOORS Web Access to communicate
over secure sockets in compliance with the National Institute of Standards
and Technology (NIST) Special Publication (SP) 800-131A standard.
That standard specifies the algorithms to use to strengthen security,
and the minimum encryption strengths that are required for the algorithms.
About this task
To configure Rational DOORS Web Access to comply with
SP 800-131A, you modify the Apache Tomcat server configuration values
to reject requests with certificates that do not meet the minimum
required encryption strengths. You must use a security provider that
complies with FIPS 140-2 and configure its system properties to run
in SP 800-131A mode. That configuration ensures that you are using
the proper protocol and cipher suites.
For strict compliance,
key strength and signature algorithms are also verified. Strict compliance
allows only the TLS 1.2 protocol. You must ensure that the certificates,
keys, and secure random number generator, if specified, are all compliant
with SP 800-131A.
Important: If you specify the TLS
1.2 protocol, refer to vendor documentation to determine whether
your browser supports that version.
To configure Rational
DOORS Web Access to comply with NIST SP 800-131A:
- Set the system property that specifies the SP 800-131A mode.
- Modify the Apache Tomcat server configuration to accept only specific
protocols and cipher suites.
- Ensure that cryptographic keys adhere to a minimum key strength
of 112 bits.
- Ensure that digital signatures are a minimum of SHA2.
Procedure
- Open the Apache Tomcat startup script file in an editor.
- On Windows systems, the server.start.bat script
file is in the Rational DOORS Web Access installation directory; for
example, C:\Program Files (x86)\IBM\Rational\DOORS Web Access\1.5.0.1.
Near the bottom of the file, after the entry for -Dcom.ibm.jsse2.usefipsprovider,
add the set JAVA_OPTS entry for -Dcom.ibm.jsse2.sp800-131.
Then, make sure that the entries are shown as follows:
set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.usefipsprovider=true
set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.sp800-131=strict
cd %CATALINA_HOME%\bin
call ".\startup.bat"
- On UNIX systems, the server.start.sh script
file is in the Rational DOORS Web Access installation directory. Add
the JAVA_OPTS entry for -Dcom.ibm.jsse2.sp800-131 after
the JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true" entry.
Then, make sure that the entries are shown as follows, where com.ibm.jsse2.sp800-131 can
be set to either transition or strict:
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true"
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.sp800-131=strict"
export JAVA_OPTS
For strict compliance, key strength and signature algorithms
are also verified. Strict compliance allows only TLS 1.2 protocol.
You must ensure that the certificates, keys, and secure random number
generator, if specified, are all compliant with SP 800-131A.
The transition value corresponds to
the transition period that is defined by SP 800-131A, from today to the
end of 2013. The transition period is a grace period during which
you can upgrade to the new minimum cryptographic requirements.
- Save and close the file.
- Open the Apache Tomcat server.xml file
in an editor. That file is in the Rational DOORS Web Access
installation in the server/conf directory; for
example, C:\Program Files (x86)\IBM\Rational\DOORS Web Access\1.5.0.1\server\conf
- Set the sslProtocol value to the minimum
TLS version, which depends on the value of the com.ibm.jsse2.sp800-131 system
property; for example:
sslProtocol="TLSv1.2"
- Set the cipher suites to ciphers that are compliant with
SP 800-131A; for example:
ciphers="SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
Ensure
that Secure Sockets Layer (SSL) is configured to use only an approved
cipher suite for SP 800-131A. For a list of cipher suites, see "IBM
JSSE2 Cipher Suites" in the related information links below.
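The following audit script is an added example, not part of the IBM procedure or product code. It reads the text of the startup script and of server.xml and reports settings that deviate from the steps above. The sample inputs are constructed, and the WEAK_MARKERS deny-list and the use of the Tomcat SSLEnabled attribute to locate the secure connector are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, not copied from a real installation.
SAMPLE_SCRIPT = '''JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.usefipsprovider=true"
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.sp800-131=strict"
export JAVA_OPTS'''
SAMPLE_SERVER_XML = '''<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLSv1.2" ciphers="SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256"/>
</Service></Server>'''

# Assumption: a coarse deny-list of name fragments chosen for this example. It is
# not the approved list; "IBM JSSE2 Cipher Suites" remains the authoritative source.
WEAK_MARKERS = ("_NULL_", "_EXPORT", "_anon_", "_RC4_", "_MD5", "_DES_")

def jvm_props(script_text):
    """Collect -Dname=value pairs from JAVA_OPTS lines (server.start.sh or .bat)."""
    return dict(re.findall(r'-D([\w.-]+)=([^\s"]+)', script_text))

def audit(script_text, server_xml_text):
    """Return findings; an empty list means the settings match the procedure."""
    findings = []
    for n, line in enumerate(script_text.splitlines(), 1):
        if "JAVA_OPTS=" in line and line.count('"') % 2:
            findings.append(f"script line {n}: unbalanced double quote")
    props = jvm_props(script_text)
    if props.get("com.ibm.jsse2.usefipsprovider") != "true":
        findings.append("com.ibm.jsse2.usefipsprovider is not true")
    mode = props.get("com.ibm.jsse2.sp800-131")
    if mode not in ("transition", "strict"):
        findings.append("com.ibm.jsse2.sp800-131 is not transition or strict")
    connectors = [c for c in ET.fromstring(server_xml_text).iter("Connector")
                  if c.get("SSLEnabled", "").lower() == "true"]
    if not connectors:
        findings.append('no Connector with SSLEnabled="true" found')
    for c in connectors:
        port = c.get("port", "?")
        if mode == "strict" and c.get("sslProtocol") != "TLSv1.2":
            findings.append(f'port {port}: strict mode requires sslProtocol="TLSv1.2"')
        suites = [s.strip() for s in c.get("ciphers", "").split(",") if s.strip()]
        if not suites:
            findings.append(f"port {port}: no explicit ciphers list")
        for s in suites:
            if any(m in s for m in WEAK_MARKERS):
                findings.append(f"port {port}: weak cipher suite {s}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SCRIPT, SAMPLE_SERVER_XML) or "no findings")
```

To audit an installation, pass the contents of server.start.sh or server.start.bat and of server/conf/server.xml to audit() in place of the sample strings.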
What to do next
Update client browsers to a version that supports the minimum
TLS version. The minimum TLS version is determined by the value that
is specified in the sslProtocol property in
the server.xml file.
Ensure that client and server certificates,
including root and intermediate certificates, are at least 112 bits
and are signed properly, as defined in this procedure. Check keys
in keystores and trusted certificates in trust stores.
See Configuring
compliance for NIST SP 800-131A in the database server and client.