The NIST SP 800-131A standard specifies algorithms to use to strengthen security and encryption strengths. In strict mode, all communication must conform to SP 800-131A. For example, if the Rational DOORS client does not use strict mode but the Rational DOORS server does, the server cannot authenticate users by using certificate login. Strict mode requires Transport Layer Security (TLS) 1.2 protocol and SHA2 certificates. To strengthen strict mode, you can require that the full certificate chain, and not only the end certificate, is checked for SHA2 certificates.
This configuration is optional. It might impact performance, and it might require new certificates.
Switch and registry setting | Description |
---|---|
-sp800-131 | When this switch is used alone, it enforces strict compliance. To strengthen this switch, use the additional, optional switch. |
-strictSha2 | This option strengthens strict mode by requiring that the full certificate chain, and not only the end certificate, is checked for SHA2 certificates. For example, a Rational DOORS server that uses a SHA2 certificate that has a SHA1 root can start in secure mode if only SP 800-131A is used. However, if both SP 800-131A and strictSha2 are specified, the server cannot start in secure mode. |
To configure the Rational DOORS client and database server to comply with NIST SP 800-131A: