Enabling NIST compliance on AppScan Enterprise to work with SiteProtector
SP800-131a is a requirement originated by the National Institute of Standards and Technology (NIST) that mandates longer key lengths and stronger cryptography. The specification also provides a transition configuration so that users can move gradually to strict enforcement of SP800-131a; in the transition configuration, users can run with a mixture of settings from both FIPS 140-2 and SP800-131a. SP800-131a can therefore be run in two modes: transition and strict. Out of the box, AppScan® Enterprise is compliant with NIST transition mode.
Procedure
- Go to <install-dir>\HCL\AppScan Enterprise\localsettings.xml and make the appropriate edits:
  - For NIST transition (called 'NIST compatible' in SiteProtector™), keep the default setting <param name='sslCipherMode' value='FIPS' xmlns='http://www.iss.net/cml/CorePolicyCommon' ordinal='8' />.
    Note: AppScan Enterprise works with SiteProtector 2.9, SiteProtector 3.0 in compatible mode, and SiteProtector 3.0 in strict mode.
  - For NIST strict, replace <param name='sslCipherMode' value='FIPS' xmlns='http://www.iss.net/cml/CorePolicyCommon' ordinal='8' /> with <param name='sslCipherMode' value='SP800131' xmlns='http://www.iss.net/cml/CorePolicyCommon' ordinal='8' />.
    Note: AppScan Enterprise works with SiteProtector 3.0 in strict mode, but not with SiteProtector 3.0 in compatible mode or with SiteProtector 2.9.
- Save and close the file.
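The following is an added example, not part of the HCL documentation or product, that audits the sslCipherMode setting described in the procedure and checks it against the SiteProtector compatibility notes before an operator commits to a change. The surrounding <settings> root element and the sample file content are constructed for this example; only the <param> element itself follows the form quoted on the page.

```python
# Added example: audit and switch the sslCipherMode param that the
# procedure above edits by hand, and report which SiteProtector
# deployments the resulting mode interoperates with (per the page's notes).
# Assumption: the real localsettings.xml layout is not shown on the page,
# so the <settings> root below is a constructed stand-in.
import xml.etree.ElementTree as ET

NS = "http://www.iss.net/cml/CorePolicyCommon"
PARAM_TAG = f"{{{NS}}}param"   # ElementTree's Clark notation for the namespaced tag

# Compatibility matrix taken from the procedure's two notes.
COMPATIBLE_SITEPROTECTOR = {
    "FIPS": ["SiteProtector 2.9",
             "SiteProtector 3.0 (compatible)",
             "SiteProtector 3.0 (strict)"],      # NIST transition / default
    "SP800131": ["SiteProtector 3.0 (strict)"],  # NIST strict
}

# Constructed sample in the shape the page quotes (default transition mode).
SAMPLE_XML = """<settings>
  <param name='sslCipherMode' value='FIPS'
         xmlns='http://www.iss.net/cml/CorePolicyCommon' ordinal='8' />
</settings>"""

def _find_cipher_param(root):
    for el in root.iter(PARAM_TAG):
        if el.get("name") == "sslCipherMode":
            return el
    raise ValueError("sslCipherMode param not found in the expected namespace")

def get_cipher_mode(xml_text):
    """Return the configured value: 'FIPS' (transition) or 'SP800131' (strict)."""
    return _find_cipher_param(ET.fromstring(xml_text)).get("value")

def compatible_siteprotector(xml_text):
    """List the SiteProtector deployments the configured mode works with."""
    mode = get_cipher_mode(xml_text)
    if mode not in COMPATIBLE_SITEPROTECTOR:
        raise ValueError(f"unrecognised sslCipherMode value: {mode!r}")
    return COMPATIBLE_SITEPROTECTOR[mode]

def siteprotector_compatible(xml_text, deployment):
    return deployment in compatible_siteprotector(xml_text)

def set_cipher_mode(xml_text, mode):
    """Return XML text with sslCipherMode switched to `mode` (FIPS or SP800131).
    ElementTree re-serialises the namespace with an ns0: prefix, which is
    equivalent XML and round-trips through get_cipher_mode()."""
    if mode not in COMPATIBLE_SITEPROTECTOR:
        raise ValueError(f"unsupported sslCipherMode value: {mode!r}")
    root = ET.fromstring(xml_text)
    _find_cipher_param(root).set("value", mode)
    return ET.tostring(root, encoding="unicode")
```

Run compatible_siteprotector() against the live file before switching to strict mode; a deployment still on SiteProtector 2.9 or 3.0 compatible mode will stop interoperating once the value is SP800131.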