Updating to NIST SP 800-131A security standards
The National Institute of Standards and Technology (NIST) Special Publication 800-131A (SP 800-131A) standard offers guidance on migrating to stronger cryptographic keys and more robust algorithms. To ensure that you are fully compliant, refer to the NIST SP 800-131A standard itself.
About this task
- Digital signatures must use at least the SHA-2 hashing algorithm, but the SHA-1 hashing algorithm can continue to be used for validation of existing signatures. By default, HCL Commerce Version 9 uses SHA-2.
- Ensure that cryptographic keys adhere to a minimum key strength of 112 bits.
- For runtime environments, enable TLS 1.2 for SSL connections and disable all protocols lower than TLS 1.2.
Procedure
Ensure proper support for TLS 1.2 in pre-9.0.0.6 runtime environments. In HCL Commerce Version 9.0.0.6 and later, TLS 1.2 is enabled by default.
- If you are running an HCL Commerce version that is earlier than Version 9.0.0.6, configure your web server to require TLS 1.2 as a minimum. For example, for IBM HTTP Server 9.0.0.5, add the following directive to your httpd.conf web server configuration file. This directive disables HTTPS protocols lower than TLS 1.2 for all virtual hosts that have the SSLEnable directive enabled:

    SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11

  You can find the file in the Web Server Docker container (projectname_web_1) at /opt/WebSphere/HTTPServer/conf/httpd.conf.
- If HCL Commerce is integrated with LDAP using SSL, set the SSL protocol to TLS 1.2.
- If outbound email is used over SSL, configure email to use TLS 1.2.
- Ensure that browsers that interact with HCL Commerce use TLS 1.2, for example Internet Explorer 8 or later on Windows 7 or later.
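The web server directive above closes off legacy protocols on the inbound side; the LDAP and outbound email steps need the same floor on the client side. The following added example (not HCL Commerce code) shows how a Python client pins itself to TLS 1.2 or later with the standard library, using an SMTP STARTTLS upgrade as the outbound case. The SMTP host, port and addresses passed to send_mail_over_starttls are assumptions for illustration; the helper is not executed by the checks.

```python
import smtplib
import ssl


def nist_client_context():
    """Client-side TLS context that refuses every protocol below TLS 1.2.

    This is the outbound counterpart of the web server's
    'SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11' directive.
    """
    # create_default_context() enables certificate and hostname verification.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_floor(ctx):
    """Return the name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def allows_legacy_tls(ctx):
    """True if the context would still negotiate SSLv3, TLS 1.0 or TLS 1.1."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def send_mail_over_starttls(host, port, sender, recipients, message, context=None):
    """Send mail over a STARTTLS upgrade that is pinned to TLS 1.2 or later.

    Hypothetical usage helper: host, port and addresses are assumptions,
    and a relay that offers only TLS 1.0/1.1 makes the handshake fail
    instead of silently downgrading.
    """
    ctx = context or nist_client_context()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        smtp.ehlo()
        smtp.sendmail(sender, recipients, message)


if __name__ == "__main__":
    ctx = nist_client_context()
    print("minimum protocol:", tls_floor(ctx), "| legacy allowed:", allows_legacy_tls(ctx))
```

The same context object can be handed to any library that accepts an ssl.SSLContext (for example an LDAP client that supports TLS), which keeps the protocol floor in one place rather than repeated per integration.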
Ensure that web certificates and certificates that are used to integrate HCL Commerce with other applications (such as Sterling OMS) are upgraded to satisfy the following NIST SP 800-131A specifications:
- All certificates with RSA or DSA keys that are shorter than 2048 bits must be replaced with certificates that are 2048 bits or higher.
- Certificates with elliptic curve keys shorter than 160 bits must be replaced with certificates that use longer keys. Contact your certificate authority (CA) for new certificates.
- All certificates must be signed with an allowed signature algorithm, for example SHA-256, SHA-384, or SHA-512. SHA-1 digest algorithms are no longer allowed.
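To verify a certificate against the three requirements above before you renew it, the following added example (not part of the HCL documentation or product) parses the text that `openssl x509 -in cert.pem -noout -text` prints and reports the violations. The two certificate excerpts embedded in the block are constructed samples in the shape of that output, not real certificates.

```python
import re

# Thresholds stated on this page: RSA/DSA keys >= 2048 bits, EC keys >= 160 bits,
# signatures using SHA-256/384/512; SHA-1 (and older) digests are not allowed.
MIN_RSA_DSA_BITS = 2048
MIN_EC_BITS = 160
ALLOWED_DIGESTS = {"sha256", "sha384", "sha512"}

_KEY_ALG = re.compile(r"Public Key Algorithm:\s*(\S+)")
_KEY_BITS = re.compile(r"Public-Key:\s*\((\d+) bit\)")
_SIG_ALG = re.compile(r"Signature Algorithm:\s*(\S+)")


def parse_x509_text(text):
    """Extract key algorithm, key size and signature algorithm from 'openssl x509 -noout -text' output."""
    alg, bits, sig = _KEY_ALG.search(text), _KEY_BITS.search(text), _SIG_ALG.search(text)
    if not (alg and bits and sig):
        raise ValueError("input does not look like 'openssl x509 -text' output")
    return {
        "key_algorithm": alg.group(1),
        "key_bits": int(bits.group(1)),
        "signature_algorithm": sig.group(1),
    }


def signature_digest(sig_alg):
    """Map 'sha256WithRSAEncryption' or 'ecdsa-with-SHA256' to 'sha256'; unknown digests keep their raw name."""
    m = re.search(r"(sha\d+|md\d)", sig_alg.lower())
    return m.group(1) if m else sig_alg.lower()


def check_certificate(info):
    """Return the list of NIST SP 800-131A violations (an empty list means the certificate passes)."""
    violations = []
    alg, bits = info["key_algorithm"], info["key_bits"]
    if alg in ("rsaEncryption", "dsaEncryption"):
        if bits < MIN_RSA_DSA_BITS:
            violations.append(f"{alg} key is {bits} bits; replace with {MIN_RSA_DSA_BITS} bits or more")
    elif alg == "id-ecPublicKey":
        if bits < MIN_EC_BITS:
            violations.append(f"EC key is {bits} bits; replace with {MIN_EC_BITS} bits or more")
    else:
        # Anything else (e.g. a legacy or unknown OID) gets flagged for manual review rather than passed.
        violations.append(f"unrecognised key algorithm {alg}; review manually")
    digest = signature_digest(info["signature_algorithm"])
    if digest not in ALLOWED_DIGESTS:
        violations.append(f"signature digest {digest} is not allowed; reissue with SHA-256, SHA-384 or SHA-512")
    return violations


# Constructed excerpts in the shape of 'openssl x509 -noout -text' output (not real certificates).
LEGACY_RSA_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
COMPLIANT_EC_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: ecdsa-with-SHA256
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                NIST CURVE: P-256
"""


if __name__ == "__main__":
    for name, text in (("legacy RSA", LEGACY_RSA_CERT), ("EC P-256", COMPLIANT_EC_CERT)):
        print(name, "->", check_certificate(parse_x509_text(text)) or "OK")
```

Run it over every certificate in the chain, not only the leaf: an intermediate that is still signed with SHA-1 or carries a 1024-bit key fails the same requirement even when the server certificate itself is fine.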
- Configure WebSphere Application Server for NIST SP 800-131A:
  - For a production environment, enable NIST SP 800-131A strict mode.
  - For a staging environment, enable NIST SP 800-131A transition mode.
  - For a developer environment, enable NIST SP 800-131A transition mode. Because the developer environment is internal, you do not normally need to enable NIST.
  Note: In a runtime development or quality assurance environment, you can access the WebSphere Application Server Administration Console by using the hostname that is running the Transaction Server Docker container. For a production environment, you might want to consider creating custom Run Engine commands to configure the settings into a new Docker image. For more information, see Creating your own Run Engine commands.
- Configure Liberty for NIST SP 800-131A:
  - For a production environment, enable NIST SP 800-131A strict mode.
  - For a staging environment, enable NIST SP 800-131A transition mode.
  - For a developer environment, enable NIST SP 800-131A transition mode.