Configuring compliance for NSA Suite B Cryptography in DWA
Before you begin
About this task
To configure DWA to comply with Suite B, you modify the Apache Tomcat server configuration so that it rejects connections whose protocol, cipher suite, or certificate does not meet the minimum required cryptographic strength.
You must use a security provider that complies with FIPS 140-2 and set its system properties to run in Suite B mode; that configuration ensures that only the proper protocol and cipher suites are used. Suite B compliance allows only the TLS 1.2 protocol. You must also ensure that the certificates, the keys, and, if one is specified, the secure random number generator all comply with Suite B.
- In the startup script file, set the JVM parameters that specify the SSL/TLS protocol and the Suite B mode.
- Modify the Apache Tomcat server configuration to accept only the TLS 1.2 protocol and the supported Suite B cipher suites.
- Ensure that cryptographic keys adhere to the minimum required key strength.
- Ensure that digital signatures adhere to the minimum required strength.
com.ibm.jsse2.suiteB=128|192|false
That system property is passed to the JVM in the startup script and accepts one of these values:
- 128 specifies the 128-bit minimum level of security (AES-128 or AES-256, ECDSA with a P-256 or P-384 key, SHA-256 or SHA-384).
- 192 specifies the 192-bit minimum level of security (AES-256, ECDSA with a P-384 key, and SHA-384 only).
- false specifies that the system is not compliant with Suite B. This value is the default.
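The following script is an added example, not code from the original page or from DWA. It audits the two configuration changes listed above (the Suite B mode set in the startup script and the Tomcat connector restricted to TLS 1.2 with Suite B cipher suites) and shows a weak connector beside the corrected one. It assumes the connector uses the per-Connector attributes sslEnabledProtocols and ciphers (older Tomcat layout; Tomcat 8.5+ can also nest an SSLHostConfig element, which this script does not parse), and the allowed cipher suites per level are taken from RFC 6460. All sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Suite B cipher suites for TLS 1.2 (RFC 6460). The 128-bit level permits both
# suites; the 192-bit level permits only the AES-256/SHA-384 suite.
SUITE_B_CIPHERS = {
    128: {"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
    192: {"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"},
}


def suite_b_level(startup_script):
    """Return 128 or 192 if the startup script enables Suite B mode through the
    -Dcom.ibm.jsse2.suiteB JVM property, or None if it is absent or 'false'."""
    m = re.search(r"-Dcom\.ibm\.jsse2\.suiteB=(128|192|false)\b", startup_script)
    if not m or m.group(1) == "false":
        return None
    return int(m.group(1))


def audit_connectors(server_xml, level):
    """Check every SSL-enabled Tomcat Connector against the Suite B level.
    Returns a list of finding strings; an empty list means compliant."""
    if level is None:
        return ["Suite B mode is not enabled in the startup script "
                "(com.ibm.jsse2.suiteB unset or false)"]
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        protocols = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
        # Suite B allows TLS 1.2 only; any older protocol must be disabled.
        if protocols != {"TLSv1.2"}:
            findings.append(f"port {port}: sslEnabledProtocols must be exactly TLSv1.2, "
                            f"got {sorted(protocols) or 'unset'}")
        ciphers = {c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()}
        if not ciphers:
            findings.append(f"port {port}: ciphers unset, the provider default list would be used")
        # Every configured suite must be in the allowed set for this level.
        for c in sorted(ciphers - SUITE_B_CIPHERS[level]):
            findings.append(f"port {port}: cipher {c} is not allowed at the {level}-bit Suite B level")
    return findings


# Constructed sample: a startup-script fragment (such as setenv.sh) that turns
# on the 128-bit Suite B mode described on the page.
STARTUP_SCRIPT = 'JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.suiteB=128"\n'

# Constructed sample: a connector that still allows TLS 1.0/1.1 and an RSA suite.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
      sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
      ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"/>
</Service></Server>"""

# Constructed sample: the corrected connector, TLS 1.2 only with Suite B suites.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
      sslEnabledProtocols="TLSv1.2"
      ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"/>
</Service></Server>"""

if __name__ == "__main__":
    level = suite_b_level(STARTUP_SCRIPT)
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        problems = audit_connectors(xml, level)
        print(name, "->", problems or "compliant")
```

Run it against your own startup script and server.xml by replacing the constructed samples. Note that the same hardened connector that passes at the 128-bit level fails at 192 because the AES-128 suite is no longer permitted, so the level in the startup script and the cipher list in server.xml must be chosen together. The script checks configuration only; the key sizes and signature algorithms in the keystore still have to be inspected separately (for example with keytool -list -v).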
Procedure
What to do next
Update the client browsers to support TLS 1.2.
Ensure that the client and server certificates are signed with a Suite B signature algorithm of the required strength, and check that the keys in the keystores meet the minimum required key strength.