Configuring DWA to comply with security standards
You can configure IBM® Engineering Requirements Management DOORS® - Web Access (DWA) to comply with standards that are specified by the US Department of Commerce National Institute of Standards and Technology (NIST) and National Security Agency (NSA) to define security requirements for encryption.
The standards include Federal Information Processing Standards (FIPS) publication 140-2, NIST Special Publication (SP) 800-131A, and NSA Suite B.
- FIPS 140-2 requires that the Transport Layer Security (TLS) protocol and the cryptographic modules are certified.
- NIST SP 800-131A requires stronger cryptographic algorithms and key lengths that are used in FIPS 140-2 cryptographic modules.
- NSA Suite B requires the TLS 1.2 protocol and cipher suites that are configured with a minimum level of security of 128 bits by using ECDSA-256 and ECDSA-384.
DWA complies with these standards by using these IBM SDK Java™ Technology Edition Version 6 components:
- IBM 32-bit Runtime Environment for Windows Java Technology Edition Version 6
- IBM 32-bit Runtime Environment for Linux on Intel architecture Java Technology Edition Version 6
In addition, to ensure compliance, you must configure the server and client browsers as follows:
- Apache Tomcat server:
  - Update system properties to specify compliance levels.
  - Update the configuration file to specify Secure Sockets Layer (SSL) protocols and cipher suites.
- Client browser: Configure client browsers to submit requests by using the minimum SSL protocol version.
- SSL keystores: Update SSL certificates to meet the minimum encryption strength requirements.
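One way to verify the Tomcat configuration file step for the NSA Suite B case is to audit each SSL connector for TLS 1.2 only and ECDSA cipher suites only. This is an added example, not IBM code. It assumes the connectors use the standard Tomcat attributes `SSLEnabled`, `sslEnabledProtocols` and `ciphers` (this page does not name them) and takes the two TLS 1.2 Suite B suites from RFC 6460; the sample `server.xml` is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one mixed connector, one strict, one plain HTTP.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
             ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"/>
  <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1.2"
             ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

REQUIRED_PROTOCOL = "TLSv1.2"
# The two TLS 1.2 suites of the Suite B profile (RFC 6460), without SSL_/TLS_ prefix.
SUITE_B = {"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
           "ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}

def _csv(value):
    """Split a comma-separated attribute value, tolerating spaces and None."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def _suite_key(name):
    """Drop the SSL_ or TLS_ prefix so both spellings of a suite compare equal."""
    name = name.upper()
    return name[4:] if name.startswith(("SSL_", "TLS_")) else name

def audit_connectors(server_xml):
    """Return {port: [issues]} for every SSL-enabled Connector element."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors are not covered by this check
        protocols = _csv(conn.get("sslEnabledProtocols"))
        ciphers = _csv(conn.get("ciphers"))
        issues = []
        if not protocols:
            issues.append("sslEnabledProtocols not set, runtime defaults apply")
        if not ciphers:
            issues.append("ciphers not set, runtime defaults apply")
        issues += [f"protocol {p} is not {REQUIRED_PROTOCOL}"
                   for p in protocols if p != REQUIRED_PROTOCOL]
        issues += [f"cipher {c} is not a Suite B suite"
                   for c in ciphers if _suite_key(c) not in SUITE_B]
        findings[conn.get("port")] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not issues else issues)
```

A connector that omits either attribute is reported as well, because it then inherits whatever protocols and suites the Java runtime enables by default.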
In addition to the following topics about configuring DWA, see the technote Configuring the DOORS database server and client for compliance with NIST SP 800-131A.