Updating to NIST SP 800-131A security standards

National Institute of Standards and Technology (NIST) Special Publications 800-131A (SP 800-131A) standard offers guidance to migrate to the use of stronger cryptographic keys and more robust algorithms. To comply with this standard, there are some recommended steps to follow for WebSphere Commerce. To ensure that you are fully compliant, refer to the NIST SP 800-131A standard.

Before you begin

Install WebSphere Commerce Version 7 Fix Pack 8.
Apply APAR JR50327. Obtain this APAR from IBM fix central.
Ensure that you are running on WebSphere Application Server 7.0.0.29 or later. To upgrade WebSphere Application Server, download the fix at IBM Fix Central.
If you are using any of the following features, you must upgrade to Feature Pack 7.
- Gift Center
- WebSphere Commerce search
- Data Load utility
- IBM Digital Analytics
- Bazaarvoice
For runtime environments, ensure that your web server supports TLS 1.2, for example IBM HTTP Server 8.5.5 (plus interim fix PI05309).
For more information about the NIST NIST SP 800-131A standard, see Transitioning the Use of Cryptographic Algorithms and Key Lengths.

About this task

To become NIST SP 800-131A compliant, ensure that your environment adheres to the following standards:

Your environment supports Java JDK 6.0 SR10. (WebSphere Application Server 7.0.0.23 is at that level).
Digital signatures must use at least SHA-2 hashing algorithm but SHA-1 hashing algorithm can continue to be used for validation.
- In this task, you set the wcs_password utility to use SHA-256 hashing algorithm to hash new data.
Ensure that cryptographic keys adhere to a minimum key strength of 112 bits.
- In this task, you migrate the encrypted data in the database and in configuration files to use AES-128 bit encryption, instead of Triple DES.
  Note: After migrating to an AES merchant key, the encryption algorithm for session data is also enhanced. The site can experience temporary session decryption errors for sessions generated before migrating to an AES merchant key.
For runtime environments, enable TLS 1.2 for SSL and disable protocols less than TLS 1.2.

Note: The following components of WebSphere Commerce are deprecated and are not migrated to be NIST SP 800-131A compliant:

WebSphere Commerce Payments, including the ChangePassword utility
WebSphere sMash based Social Commerce

Procedure

Configure WebSphere Application Server to use the SP800-131 standard transition mode.
The path of the ssl.client.props files to change:
- AppServer/profiles/demo/properties
- AppServer/profiles/demo_solr/properties
Enable SHA-256 algorithm for hashing.
1. Open the instance.xml file:
  For example:
  - WC_installdir\instances\instance_name\xml\instance_name.xml
  - workspace_dir\WC\xml\config\wc-server.xml
2. Locate the <Security> element.
  For example:
```
<Security AdminPwd="xxx" AdminUser="yyy" AuthMode="" Realm="" RunAsID="" RunAsPwd="" enabled="false" 
enabledGlobal="true" passwordpolicy="true"/>
```
3. Add the multiHashAlgorithmEnabled="true" attribute to the <Security> element, and create a subelement <HashAlgorithm name="SHA-256" priority="1"/>
  For example:
```
<Security AdminPwd="xxx" AdminUser="yyy" AuthMode="" Realm="" RunAsID="" RunAsPwd="" 
enabled="false" enabledGlobal="true" passwordpolicy="true" multiHashAlgorithmEnabled="true">
<HashAlgorithm name="SHA-256" priority="1"/>
</Security>
```
4. Save and close the file.
Update the wcs_password utility to use SHA-256 Hashing Algorithm.
1. Open the wcs_password utility file:
  - WC_installdir\bin\wcs_password.sh
  - WC_installdir\bin\wcs_password.bat
  - WCDE_installdir\bin\wcs_password.bat
2. Search for the code: -Dcom.ibm.commerce.active.hash.algorithm=SHA
3. Replace the code with: -Dcom.ibm.commerce.active.hash.algorithm=SHA-256
4. Save and close the file.
Migrate encrypted data in the database to use AES 128-bit encryption. To complete this migration, you must run MigrateEncryptedInfo using the Key Locator Framework (-k) to specify the new AES merchant key. Add the algorithm="AES" attribute to the new key definition in the custom key configuration file. Use 32 hex characters (128 bits) for the new key and optional key encryption key values.

Note: Switching to an AES merchant key can result in temporary session cookie decryption errors for any existing sessions that were created before migrating to the AES merchant key.
1. Specify that the new key in the keys configuration file is using AES algorithm by adding algorithm="AES" attribute to the new key definition in the custom keys configuration file.
  For example, create or update the WC_eardir/xml/config/CustomKeys.xml file to have a new key definition like the following:
```
<key name="MerchantKey" providerName="WC" status="new" 
className="com.ibm.commerce.security.keys.WCExternalFileMerchantKeyImpl" version="2" algorithm="AES">
<config name="keyFile" value="merchantKey.xml"/>
<config name="keyEncryptionKeyFile" value="KeyEncryptionKey.xml"/>
<config name="newKeyFile1" value="newMerchantKey1.xml"/>
<config name="newKeyFile2" value="newMerchantKey2.xml"/>
</key>
```
  For more information about the Key Locator Framework, see Key Locator Framework (KLF).
2. Ensure that the new keys files combine to form 32 hex characters.
3. Ensure that the optional key encryption key, if specified, is also 32 hex characters.
4. Open a command prompt and navigate to the following directory:
  - WC_installdir\bin
  - WCDE_installdir\bin
5. Run the MigrateEncryptedInfo utility for each instance, with the Key Locator Framework (-k) option:
  - For runtime environments, you can run the MigrateEncryptedInfo utility when the server is offline or online. Follow the steps in Updating encrypted data using MigrateEncryptedInfo (server offline) or Updating encrypted data using MigrateEncryptedInfo (server online)
  - For a development environment, you must run the MigrateEncryptedInfo utility when the server is offline. Follow the steps in Updating encrypted data using MigrateEncryptedInfo (server offline).
Update the Business Audit Key that is defined in BusinessAuditDataCapture.xml so it can be used with AES. The default audit key is an encrypted 16 character audit key. To encrypt with AES, the key must be replaced by the encrypted value of a new default 32 character audit key.
1. Navigate to the following directory:
  - WC_installdir\wc.ear\xml\config
  - workspace_dir\WC\xml\config
2. Open BusinessAuditDataCapture.xml for editing.
3. Optional: If you modified the default audit key to a custom value, rename the original AuditKey to be "CustomAuditKey".
  The CustomAuditKey node must be defined to continue validating existing records/signatures in the database.
  1. Search for the default audit key value: <AuditKey value="rZ15ws0ely9yHk3zCs3sTMv/ho8fY17s" />
  2. If the value matches your search, then you do not have to rename to CustomAuditKey. Continue to 5.d.
  3. If the value does not match your search, copy the <AuditKey> node.
  4. Paste the node into the file.
  5. For the node that you pasted, replace the word "AuditKey" with "CustomAuditKey".
4. Update the <AuditKey> node with the following 32 character audit key:
```
<AuditKey value="Jmz6ON1Y+573xkNVuOPbfRhZLEJTcW0kqgbCVJv4Jv7UlAGSVFHw6g=="/>
```
5. Save and close the file.
6. Deploy this file for each production instance. For steps on how to deploy a single file, see Deploying J2EE assets for a single file.
Update the instance configuration file, for each instance, to include the AES_DB="true" parameter.
1. In a text editor, open the WebSphere Commerce configuration file for the instance:
  - WC_installdir\instances\instanceName\xml\instance_name.xml
  - WCDE_installdir\workspace\WC\xml\config\wc-server.xml
2. In the configuration file, search for the parameter AES_DB. If the parameter does not exist, add the parameter.
  For example:
```
<config>
   <InstanceProperties name="Instance Properties">
		...	
  <Security AES_DB="true"
            AdminPwd="0gYsW5onfbvbp7Q3MYrc917pU0EFWcJPgwsgCjE/Btg="
            AdminUser="configadmin" AuthMode="" Realm="" RunAsID=""
            RunAsPwd="" enabled="false" enabledGlobal="true" passwordpolicy="true"/>
		...
    </InstanceProperties>
    ...
</config>
```
  If the parameter exists, ensure that the value is set to "true".
3. Save and close the file.
4. If your site uses a clustered environment, you must manually sync the nodes using the deployment manager for the changes to take effect.
5. Propagate the changes that are made to the WebSphere Commerce configuration file. For steps on how to propagate changes, see Propagating changes to the WebSphere Commerce configuration file.
Update product.xml to include the AES_DB="true" parameter.
1. Open WC_installdir\xml\product.xml
2. Search for the parameter, AES_DB. If the parameter does not exist, add the parameter.
  For example:
```
<websphere>
	<commercesuite>
		...
		<security>
			<AES_DB>true</AES_DB>
		</security>
	</commercesuite>
</websphere>
```
  If the parameter exists, ensure that the value is set to "true".
Restart the server.
Run the MigrateEncryptedFiles utility.
For the utility to complete successfully, ensure that the WebSphere Application Server is continuously up and running during the process.
1. In a command prompt, navigate to the following directory:
  - WC_installdir/bin
  - WC_installdir\bin
  - WCDE_installdir\bin
2. Execute the following command:
  - MigrateEncryptedFiles.sh
  - MigrateEncryptedFiles.bat
  - MigrateEncryptedFiles.bat
  To verify that the utility ran successfully, in each of the wc-server.xml or product.xml files that you updated in step 6 and step 7, ensure that the AES_FILES parameter is set to "true".
For more information about the MigrateEncryptedFiles utility, see MigrateEncryptedFiles utility.
Restart the WebSphere Application Server.
Optional: If you are using WebSphere Commerce Search and Solr Application Security is enabled, update the Search administrative user's password that is stored in the namespace bindings in WebSphere Application Server to use AES encryption. See Securing the Websphere Commerce Search Server for instructions.
Ensure proper support for TLS 1.2 on your runtime environments:
- Configure your web server to require TLS 1.2 as a minimum. For example, for IBM HTTP Server 8.5.5, add the following directive to your httpd.conf web server configuration file to disable HTTPS protocols lower than TLS 1.2 for all virtual hosts with the SSLEnable directive enabled:
```
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
```
- If WebSphere Commerce is integrated with LDAP using SSL, set the SSL protocol to TLS 1.2.
- If outbound email is used over SSL, configure email to use TLS 1.2
- Ensure that browsers that are interacting with WebSphere Commerce are using TLS 1.2, for example Internet Explorer 8 or later on Windows 7 or later.
Optional: If you are using Bazaarvoice integration, work with your Bazaarvoice representative to switch the hashing algorithm on your account from the default configuration to HMAC_SHA256.
Ensure that web certificates and certificates that are used to integrate WebSphere Commerce with other applications (such as Sterling Order Management) are upgraded to satisfy the following NIST SP 800-131A specifications:
- All certificates with RSA or DSA keys that are shorter than 2048 bits must be replaced with certificates that are 2048 bits or higher.
- Certificates with elliptic curve keys shorter than 160 bits must be replaced with longer keys. Contact your certificate authority issuer (CA) for new certificates.
- All certificates must be signed by an allowed signature algorithm. For example, SHA-256, SHA-384, or SHA-512. SHA-1 digest algorithms are no longer allowed.
Enable NIST SP 800-131A strict mode.
The path of the ssl.client.props files to change:
- AppServer/profiles/demo/properties
- AppServer/profiles/demo_solr/properties
Restart your WebSphere Commerce site.