Configuring compliance for NIST SP 800-131A in the database server and client

You can configure the Rational® DOORS® database server and client to communicate over secure sockets in compliance with the National Institute of Standards and Technology Special Publications (NIST SP) 800-131A standard.

About this task

The NIST SP 800-131A standard specifies both the algorithms to use to strengthen security and the minimum encryption strengths that are required for them. You can configure the compliance as strict or transitional:

This configuration is optional. It might impact performance, and it might require new certificates.

Table 1. Command-line switches and registry settings
| Switch and registry setting | Description |
| --- | --- |
| -sp800-131 | When this switch is used alone, it enforces strict compliance. To strengthen or weaken this switch, use it with one of the other switches, which are optional. |
| -strictSha2 | This option strengthens strict mode by requiring that the full certificate chain, and not only the end certificate, is checked for SHA2 certificates. For example, a Rational DOORS server that uses a SHA2 certificate that has a SHA1 root can start in secure mode if only -sp800-131 is used. However, if both -sp800-131 and -strictSha2 are specified, the server cannot start in secure mode. If -allowSha1 is used, this option is ignored. |
| -allowSha1 | This transitional mode option permits connections that are made with SHA1 certificates, in addition to SHA2. |
| -allowTls10And11 | This transitional mode option permits connections that are made with the TLS 1.0 and TLS 1.1 protocols, in addition to TLS 1.2. |

Procedure

To configure the Rational DOORS client and database server to comply with NIST SP 800-131A:

  1. Open a command line and start the database server by using the doorsd command with options from the table. For example:
    doorsd -sp800-131 -allowTls10And11 -allowSha1
  2. From the command line, start the client by using the doors command with options from the table. For example:
    doors -sp800-131 -allowTls10And11 -allowSha1
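
The way the switches in Table 1 combine can be checked against a planned launch command before it is deployed. The following Python is an added example, not part of the product or its documentation: the function name `evaluate`, the hash labels, and the assumption that -allowSha1 keeps the check on the end certificate only are illustrative.

```python
import shlex

SHA2 = {"sha224", "sha256", "sha384", "sha512"}
SWITCHES = {"-sp800-131", "-strictSha2", "-allowSha1", "-allowTls10And11"}

def evaluate(cmdline, chain_hashes, tls_version):
    """Model Table 1 for one connection; returns (accepted, notes).

    cmdline      -- doorsd/doors launch command as typed
    chain_hashes -- signature hash per certificate, end certificate first
    tls_version  -- negotiated protocol: "1.0", "1.1" or "1.2"
    accepted is None when -sp800-131 is absent (nothing is enforced here).
    """
    sw = SWITCHES.intersection(shlex.split(cmdline)[1:])
    if "-sp800-131" not in sw:
        return None, ["-sp800-131 not set: SP 800-131A is not enforced"]
    notes = []
    allow_sha1 = "-allowSha1" in sw
    allow_old_tls = "-allowTls10And11" in sw
    if allow_sha1 or allow_old_tls:
        notes.append("transitional mode, weaker than strict compliance")
    if "-strictSha2" in sw and allow_sha1:
        notes.append("-strictSha2 is ignored because -allowSha1 is set")
    # Strict mode checks the end certificate; -strictSha2 extends it to the chain.
    full_chain = "-strictSha2" in sw and not allow_sha1
    checked = chain_hashes if full_chain else chain_hashes[:1]
    allowed_hashes = SHA2 | ({"sha1"} if allow_sha1 else set())
    accepted = True
    for depth, h in enumerate(checked):
        if h.lower() not in allowed_hashes:
            notes.append(f"certificate {depth} uses {h}, not permitted")
            accepted = False
    allowed_tls = {"1.2"} | ({"1.0", "1.1"} if allow_old_tls else set())
    if tls_version not in allowed_tls:
        notes.append(f"TLS {tls_version} not permitted")
        accepted = False
    return accepted, notes

if __name__ == "__main__":
    # Constructed sample: SHA2 end certificate issued under a SHA1 root.
    chain = ["sha256", "sha1"]
    for cmd in ("doorsd -sp800-131",
                "doorsd -sp800-131 -strictSha2",
                "doorsd -sp800-131 -strictSha2 -allowSha1",
                "doorsd -sp800-131 -allowTls10And11 -allowSha1"):
        print(cmd, "->", evaluate(cmd, chain, "1.2"))
```
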
