Updating to NIST SP 800-131A security standards
The National Institute of Standards and Technology (NIST) Special Publication
800-131A (SP 800-131A) standard offers guidance on migrating to stronger cryptographic keys
and more robust algorithms. To ensure that you are fully compliant, refer to the NIST SP 800-131A
standard.
Before you begin
- For runtime environments, ensure that your web server supports TLS 1.2, for example IBM HTTP Server 8.5.5 (plus interim fix PI05309).
About this task
- Digital signatures must use at least the SHA-2 hashing algorithm, but the SHA-1 hashing algorithm can continue to be used for validation. By default, WebSphere Commerce Version 8 uses SHA-2.
- Ensure that cryptographic keys adhere to a minimum key strength of 112 bits.
- In this task, you upgrade the encrypted data in the database and in configuration files to use
AES 128-bit encryption, instead of Triple DES. Note: After you migrate to an AES merchant key, the encryption algorithm for session data is also enhanced. The site can experience temporary session decryption errors for sessions that are generated before you migrate to an AES merchant key.
- For runtime environments, enable TLS 1.2 for SSL and disable protocols less than TLS 1.2.
Procedure
- Migrate encrypted data in the database to use AES 128-bit encryption. To complete this migration, you must run MigrateEncryptedInfo by using the Key Locator Framework (-k) to specify the new AES merchant key. Add the algorithm="AES" attribute to the new key definition in the custom key configuration file. Use 32 hex characters (128 bits) for the new key and optional key encryption key values. Note: Switching to an AES merchant key can result in temporary session cookie decryption errors for any existing sessions that were created before you upgrade to the AES merchant key.
- Update the Business Audit Key that is defined in BusinessAuditDataCapture.xml so it can be used with AES. The default audit key is an encrypted 16 character audit key. To encrypt with AES, the key must be replaced by the encrypted value of a new default 32 character audit key.
- Update the instance configuration file, for each instance, to include the AES_DB="true" parameter.
- Update product.xml to include the AES_DB="true" parameter on production instances.
- Restart the server.
- Run the MigrateEncryptedFiles utility. For the utility to complete successfully, ensure that the WebSphere Application Server is continuously up and running during the process. For more information about the MigrateEncryptedFiles utility, see MigrateEncryptedFiles utility.
- Restart the WebSphere Application Server.
- Enable AES on the Search server:
- Edit the file Search_eardir/xml/config/com.ibm.commerce.foundation/wc-component.xml. Set the AES flags in the file to true.
<_config:property name="CommerceServerSetting/Security/AESDBEnabled" value="true"/>
<_config:property name="CommerceServerSetting/Security/AESFilesEnabled" value="true"/>
- Restart the search server.
- Ensure proper support for TLS 1.2 on your runtime environments.
- Configure your web server to require TLS 1.2 as a minimum. For example, for IBM HTTP Server 8.5.5, add the following directive to your httpd.conf web server configuration file to disable HTTPS protocols lower than TLS 1.2 for all virtual hosts with the SSLEnable directive enabled:
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
- If WebSphere Commerce is integrated with LDAP using SSL, set the SSL protocol to TLS 1.2.
- If outbound email is used over SSL, configure email to use TLS 1.2.
- Ensure that browsers that are interacting with WebSphere Commerce are using TLS 1.2, for example Internet Explorer 8 or later on Windows 7 or later.
- Ensure that web certificates and certificates that are used to integrate WebSphere Commerce with other applications (such as Sterling OMS) are upgraded to satisfy the following NIST SP 800-131A specifications:
- All certificates with RSA or DSA keys that are shorter than 2048 bits must be replaced with certificates that are 2048 bits or higher.
- Certificates with elliptic curve keys shorter than 160 bits must be replaced with longer keys. Contact your certificate authority issuer (CA) for new certificates.
- All certificates must be signed by an allowed signature algorithm. For example, SHA-256, SHA-384, or SHA-512. SHA-1 digest algorithms are no longer allowed.
- Configure WebSphere Application Server for NIST SP 800-131A:
- For a production environment, Enable NIST SP 800-131A strict mode.
- For a staging environment, Enable NIST SP 800-131A transition mode.
- Restart your WebSphere Commerce server.
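The web server step above disables protocols lower than TLS 1.2 for every virtual host that has SSLEnable. The following is an added example, not IBM's code, that audits the text of an httpd.conf for that condition. It assumes a server-level SSLProtocolDisable also applies to virtual hosts; the function name and the sample configuration are constructed for illustration.

```python
import re

# Protocol names as spelled in this page's directive; other spellings are flagged.
BELOW_TLS12 = {"sslv2", "sslv3", "tlsv10", "tlsv11"}

def audit_ihs_tls(conf_text):
    """Map each SSLEnable virtual host to the sub-TLS-1.2 protocols it leaves on."""
    global_off, vhosts, current = set(), [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"name": opened.group(1).strip(), "ssl": False, "off": set()}
            vhosts.append(current)
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            current = None
        else:
            words = line.lower().split()  # directive names are case-insensitive
            if words[0] == "sslprotocoldisable":
                scope = current["off"] if current else global_off
                scope.update(words[1:])
            elif words[0] == "sslenable" and current:
                current["ssl"] = True
    findings = {}
    for vh in vhosts:
        # Assumption: a server-level SSLProtocolDisable also applies to vhosts.
        still_on = BELOW_TLS12 - (vh["off"] | global_off)
        if vh["ssl"] and still_on:
            findings[vh["name"]] = sorted(still_on)
    return findings

# Constructed sample httpd.conf fragment; the *:80 host has no SSLEnable.
SAMPLE_CONF = """
<VirtualHost *:443>
    SSLEnable
    SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
</VirtualHost>
<VirtualHost *:8000>
    SSLEnable
    SSLProtocolDisable SSLv2 SSLv3
</VirtualHost>
<VirtualHost *:80>
</VirtualHost>
"""

if __name__ == "__main__":
    print(audit_ihs_tls(SAMPLE_CONF))
```

An empty result means every SSLEnable virtual host in the file lists all four protocols; it does not replace a handshake test against the running server.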