You can configure Rational® DOORS® Web Access to communicate over secure sockets in compliance with the National Security Agency (NSA) Suite B cryptography guideline. The Suite B guideline strengthens the existing FIPS 140-2 and SP 800-131A compliance policies.
About this task
To configure Rational DOORS Web Access to comply with Suite B, you modify the Apache Tomcat server configuration values to reject requests with certificates that do not meet the minimum required encryption strengths.
You must use a security provider that complies with FIPS 140-2 and configure its system properties to run in Suite B mode. That configuration ensures that you are using the proper protocol and cipher suites. Suite B compliance allows only the TLS 1.2 protocol. You must ensure that the certificates, keys, and secure random number generator, if specified, are all compliant with Suite B.
Important: If you specify the TLS 1.2 protocol, refer to vendor documentation to determine whether your browser supports that version.
To configure Rational DOORS Web Access to comply with Suite B:
- Set the system property in the startup script file that specifies the Suite B mode.
- Modify the Apache Tomcat server configuration to accept only the TLS 1.2 protocol and supported cipher suites.
- Ensure that cryptographic keys adhere to the minimum required key strength.
- Ensure that digital signatures adhere to the minimum required strength.
A system that is configured for Suite B with TLS and a minimum level of security of 128 bits must use TLS 1.2 and either ECDSA-256 or ECDSA-384 for client or server authentication. To support the Suite B profile, the following system property is provided:
com.ibm.jsse2.suiteB=128|192|false
This system property has these parameters:
- 128 specifies the 128-bit minimum level of security.
- 192 specifies the 192-bit minimum level of security.
- false specifies that the system is not compliant with Suite B. This value is the default.
When you set the com.ibm.jsse2.suiteB system property, IBMJSSE2 ensures adherence to the specified security level. IBMJSSE2 validates that the protocol, keys, and certificates are compliant with the requested profile.
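The following check is an added example, not part of the product documentation: it reads a startup script and a Tomcat server.xml and reports where the TLS connector settings disagree with the com.ibm.jsse2.suiteB level. It assumes the connector uses the Tomcat attributes SSLEnabled, sslEnabledProtocols, and ciphers, and takes the per-level cipher suites from RFC 6460; the function names and sample input are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Suite B TLS 1.2 cipher suites per minimum security level (RFC 6460).
SUITE_B_CIPHERS = {
    "128": {"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
    "192": {"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
}

def suite_b_level(startup_script):
    """Return the last -Dcom.ibm.jsse2.suiteB value in the script, or 'false' (the default)."""
    found = re.findall(r"-Dcom\.ibm\.jsse2\.suiteB=(\w+)", startup_script)
    return found[-1] if found else "false"

def audit(startup_script, server_xml):
    """Return a list of findings; an empty list means the settings are consistent."""
    level = suite_b_level(startup_script)
    if level not in SUITE_B_CIPHERS:
        return [f"com.ibm.jsse2.suiteB={level}: Suite B mode is not enabled"]
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # not a TLS endpoint
        port = conn.get("port", "?")
        protocols = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
        if protocols != {"TLSv1.2"}:
            findings.append(f"port {port}: protocols {sorted(protocols)} must be exactly TLSv1.2")
        ciphers = {c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()}
        extra = ciphers - SUITE_B_CIPHERS[level]
        if not ciphers:
            findings.append(f"port {port}: no explicit cipher list")
        elif extra:
            findings.append(f"port {port}: non-Suite B ciphers at level {level}: {sorted(extra)}")
    return findings

# Constructed sample input, not taken from a real installation.
SAMPLE_SCRIPT = 'JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.suiteB=192"'
SAMPLE_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" sslEnabledProtocols="TLSv1.2,TLSv1.1"
     ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"/>
</Service></Server>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCRIPT, SAMPLE_XML):
        print(finding)
```

The sample deliberately enables TLS 1.1 and lists a 128-bit suite under the 192-bit level, so both findings are reported for port 8443.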
What to do next
Update the client browsers to support TLS 1.2.
Ensure that the client and server certificates are signed properly. Check the keys in keystores.