You can configure Rational DOORS Web Access to communicate
over secure sockets in compliance with the National Security Agency
(NSA) Suite B cryptography guideline. The Suite B guideline strengthens
the existing FIPS 140-2 and SP800-131a compliance policies.
About this task
To configure Rational DOORS Web Access to comply with
Suite B, you modify the Apache Tomcat server configuration values
to reject requests with certificates that do not meet the minimum
required encryption strengths.
You must use a security provider
that complies with FIPS 140-2 and configure its system properties
to run in Suite B mode. That configuration ensures that you are using
the proper protocol and cipher suites. Suite B compliance allows only
the TLS version 1.2 protocol. You must ensure that the certificates,
keys, and secure random number generator, if specified, are all compliant
with Suite B.
Important: If you specify TLS version
1.2, refer to vendor documentation to determine whether your browser
supports that version.
To configure Rational DOORS Web Access
to comply with Suite B:
- Set the system property in the startup script file that specifies
the Suite B mode.
- Modify the Apache Tomcat server configuration to accept only the TLS
version 1.2 protocol and supported cipher suites.
- Ensure that cryptographic keys adhere to the minimum required
key strength.
- Ensure that digital signatures adhere to the minimum required
strength.
A system that is configured for Suite B with TLS and
a minimum level of security of 128 bits must use TLS version 1.2 and
either ECDSA-256 or ECDSA-384 for client or server authentication.
To support the Suite B profile, the following system property is provided:
com.ibm.jsse2.suiteB=128|192|false
This system
property has these parameters:
- 128 specifies the 128-bit minimum level of security.
- 192 specifies the 192-bit minimum level of security.
- false specifies that the system is not compliant
with Suite B. This value is the default.
When you set the
com.ibm.jsse2.suiteB system
property, IBMJSSE2 ensures adherence to the specified security level.
IBMJSSE2 validates that the protocol, keys, and certificates are compliant
with the requested profile.
What to do next
Update the client browsers to support TLS 1.2.
Ensure
that the client and server certificates are signed properly. Check
the keys in keystores.
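One way to check the keys and certificate signatures in a keystore before you enable Suite B mode, as an added example that is not part of the original page and is not the validation logic of IBMJSSE2. It looks only at the first certificate of each entry, not the rest of the chain. Assumptions: the class name, the command-line arguments, a keystore in the JVM's default keystore type, and the 192-bit rule (P-384 keys with SHA-384 signatures only), which is taken from RFC 6460 and is not spelled out on this page.

```java
import java.io.FileInputStream;
import java.security.AlgorithmParameters;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.util.Collections;

public class SuiteBKeystoreCheck {   // hypothetical class name
    // Signature algorithm OIDs: ecdsa-with-SHA256 and ecdsa-with-SHA384.
    static final String ECDSA_SHA256 = "1.2.840.10045.4.3.2";
    static final String ECDSA_SHA384 = "1.2.840.10045.4.3.3";

    // True only if the key is an EC key on exactly the named curve.
    static boolean onCurve(PublicKey key, String curve) throws Exception {
        if (!(key instanceof ECPublicKey)) return false; // RSA and DSA keys fail here
        AlgorithmParameters p = AlgorithmParameters.getInstance("EC");
        p.init(new ECGenParameterSpec(curve));
        ECParameterSpec want = p.getParameterSpec(ECParameterSpec.class);
        ECParameterSpec have = ((ECPublicKey) key).getParams();
        // Compare curve and base point; field size alone would also accept secp256k1.
        return want.getCurve().equals(have.getCurve())
                && want.getGenerator().equals(have.getGenerator());
    }

    // Returns null when the certificate fits the level (128 or 192), else the reason.
    static String violation(X509Certificate cert, int level) throws Exception {
        PublicKey key = cert.getPublicKey();
        boolean keyOk = onCurve(key, "secp384r1") || (level == 128 && onCurve(key, "secp256r1"));
        if (!keyOk) return key.getAlgorithm() + " key is not on an allowed ECDSA curve";
        String oid = cert.getSigAlgOID();
        boolean sigOk = oid.equals(ECDSA_SHA384) || (level == 128 && oid.equals(ECDSA_SHA256));
        return sigOk ? null : "signature algorithm " + cert.getSigAlgName() + " is not allowed";
    }

    // Usage: java SuiteBKeystoreCheck <keystore-file> <128|192>
    public static void main(String[] args) throws Exception {
        int level = Integer.parseInt(args[1]);
        char[] pw = System.console().readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // assumption: default type
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, pw); }
        for (String alias : Collections.list(ks.aliases())) {
            if (!(ks.getCertificate(alias) instanceof X509Certificate)) continue;
            String why = violation((X509Certificate) ks.getCertificate(alias), level);
            System.out.println(alias + ": " + (why == null ? "OK" : "REJECT, " + why));
        }
    }
}
```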