About this task
To configure Rational DOORS Web Access to comply with Suite B, you modify the Apache Tomcat server configuration
values to reject requests with certificates that do not meet the minimum required encryption
strengths.
You must use a security provider that complies with FIPS 140-2 and configure its system
properties to run in Suite B mode. That configuration ensures that you are using the proper
protocol and cipher suites. Suite B compliance allows only the TLS 1.2 protocol. You must
ensure that the certificates, keys, and secure random number generator, if specified, all
comply with Suite B.
Important: If you specify TLS 1.2 protocol, see vendor documentation to determine
whether your browser supports that version.
Configuring Rational DOORS Web Access to comply with Suite B involves these steps:
- In the startup script file, set the parameters that specify the SSL protocol and the Suite B mode.
- Modify the Apache Tomcat server configuration to accept only the TLS 1.2 protocol and the supported cipher suites.
- Ensure that cryptographic keys adhere to the minimum required key strength.
- Ensure that digital signatures adhere to the minimum required strength.
A system that is configured for Suite B with TLS and a minimum level of security of 128 bits must
use TLS 1.2 and either ECDSA-256 or ECDSA-384 for client or server authentication. To
support the Suite B profile, the following system property is provided:
com.ibm.jsse2.suiteB=128|192|false
That system property has these parameters:
- 128 specifies the 128-bit minimum level of security.
- 192 specifies the 192-bit minimum level of security.
- false specifies that the system is not compliant with Suite B. This value is the default.
When you set the com.ibm.jsse2.suiteB system property, IBMJSSE2 ensures adherence to the specified security level. IBMJSSE2 validates that the protocol, keys, and certificates comply with the requested profile.
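The following script is an added example, not IBM's code, that audits the two configuration steps above before the server is restarted: it confirms that the startup script passes com.ibm.jsse2.suiteB at the intended level and that every SSL-enabled Tomcat connector offers only TLS 1.2 and only the Suite B cipher suites for that level. It assumes a Tomcat 7-style JSSE Connector that uses the sslEnabledProtocols and ciphers attributes (the page does not name the attributes), and it takes the allowed cipher suites from the Suite B profile for TLS 1.2 in RFC 6460. The startup-script fragment and server.xml snippets are constructed samples.

```python
"""Audit Suite B settings for a Tomcat-hosted application (added example, not IBM code).

Assumptions: a Tomcat 7-style JSSE <Connector> with sslEnabledProtocols and
ciphers attributes, and a startup script that passes -Dcom.ibm.jsse2.suiteB=<level>
on the Java command line. Sample inputs below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Suite B cipher suites for TLS 1.2 (RFC 6460, section 4), keyed by minimum level of security.
SUITE_B_CIPHERS = {
    128: {"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
    192: {"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
}

# Matches the system property as it would appear on the Java command line.
SUITEB_PROP = re.compile(r"-Dcom\.ibm\.jsse2\.suiteB=([^\s\"']+)")


def _csv(value):
    """Split a comma-separated attribute value into a set of non-empty tokens."""
    return {t.strip() for t in (value or "").split(",") if t.strip()}


def check_startup_script(script, level):
    """Return findings about the com.ibm.jsse2.suiteB setting in a startup script."""
    findings = []
    values = SUITEB_PROP.findall(script)
    if not values:
        findings.append("startup script does not set -Dcom.ibm.jsse2.suiteB (defaults to false)")
    elif values[-1] != str(level):  # the last occurrence wins on a Java command line
        findings.append("com.ibm.jsse2.suiteB is %r, expected %d" % (values[-1], level))
    return findings


def check_connectors(server_xml, level):
    """Return findings for every SSL-enabled Connector in a Tomcat server.xml."""
    findings = []
    root = ET.fromstring(server_xml)
    ssl_connectors = [c for c in root.iter("Connector")
                      if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl_connectors:
        return ["no SSLEnabled Connector found in server.xml"]
    for c in ssl_connectors:
        port = c.get("port", "?")
        protocols = _csv(c.get("sslEnabledProtocols"))
        # Suite B permits TLS 1.2 only; any extra protocol (TLSv1, TLSv1.1, SSLv3) is a finding.
        if protocols != {"TLSv1.2"}:
            findings.append("port %s: sslEnabledProtocols must be exactly TLSv1.2, found %s"
                            % (port, sorted(protocols) or "unset"))
        ciphers = _csv(c.get("ciphers"))
        if not ciphers:
            findings.append("port %s: ciphers attribute unset, so Tomcat offers its default list" % port)
        else:
            disallowed = ciphers - SUITE_B_CIPHERS[level]
            if disallowed:
                findings.append("port %s: cipher suites outside the Suite B %d-bit profile: %s"
                                % (port, level, sorted(disallowed)))
    return findings


def audit(script, server_xml, level):
    """Combine both checks; an empty list means the configuration passed."""
    if level not in SUITE_B_CIPHERS:
        raise ValueError("Suite B level must be 128 or 192")
    return check_startup_script(script, level) + check_connectors(server_xml, level)


# Constructed samples: one compliant pair and one that violates each check.
GOOD_SCRIPT = 'JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.suiteB=128 -Xmx1024m"\n'
GOOD_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1.2"
             ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"/>
</Service></Server>"""
BAD_SCRIPT = 'JAVA_OPTS="$JAVA_OPTS -Xmx1024m"\n'
BAD_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"/>
</Service></Server>"""

if __name__ == "__main__":
    for label, script, xml in (("good", GOOD_SCRIPT, GOOD_XML), ("bad", BAD_SCRIPT, BAD_XML)):
        print(label, audit(script, xml, 128) or "compliant")
```

Run it against the real startup script and server.xml of the deployment; the 192-bit profile is stricter, so a configuration that passes at 128 can still fail at 192 because it offers the AES-128 suite.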
What to do next
Update the client browsers to support TLS 1.2.
Ensure that the client and server certificates are signed properly. Check the keys in keystores.