Updating to NIST SP 800-131A security standards

The National Institute of Standards and Technology (NIST) Special Publication 800-131A (SP 800-131A) standard offers guidance on migrating to stronger cryptographic keys and more robust algorithms. To ensure that you are fully compliant, refer to the NIST SP 800-131A standard itself.

About this task

To become NIST SP 800-131A compliant, ensure that your environment adheres to the following standards:
  • Digital signatures must use at least the SHA-2 hashing algorithm, but the SHA-1 hashing algorithm can continue to be used for validation. By default, HCL Commerce Version 9 uses SHA-2.
  • Ensure that cryptographic keys provide a minimum key strength of 112 bits.
  • For runtime environments, enable TLS 1.2 for SSL connections and disable all protocol versions lower than TLS 1.2.

Procedure

  1. Linux: Ensure proper support for TLS 1.2 in runtime environments earlier than Version 9.0.0.6. In HCL Commerce Version 9.0.0.6 and later, TLS 1.2 is enabled by default.
    • If you are running an HCL Commerce version that is earlier than Version 9.0.0.6, configure your web server to require TLS 1.2 as a minimum. For example, for IBM HTTP Server 9.0.0.5, add the following directive to your httpd.conf web server configuration file. This directive disables SSL/TLS protocol versions lower than TLS 1.2 for all virtual hosts that have the SSLEnable directive enabled:
      SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
      You can find the file in the Web Server Docker container (projectname_web_1) at /opt/WebSphere/HTTPServer/conf/httpd.conf.
    • If HCL Commerce is integrated with LDAP using SSL, set the SSL protocol to TLS 1.2.
    • If outbound email is used over SSL, configure email to use TLS 1.2.
    • Ensure that browsers that interact with HCL Commerce use TLS 1.2, for example Internet Explorer 8 or later on Windows 7 or later.
  2. Linux: Ensure that web certificates, and certificates that are used to integrate HCL Commerce with other applications (such as Sterling OMS), are upgraded to satisfy the following NIST SP 800-131A specifications:
    • All certificates with RSA or DSA keys that are shorter than 2048 bits must be replaced with certificates whose keys are 2048 bits or longer.
    • Certificates with elliptic curve keys shorter than 160 bits must be replaced with certificates that use longer keys. Contact your certificate authority (CA) for new certificates.
    • All certificates must be signed with an allowed signature algorithm, for example SHA-256, SHA-384, or SHA-512. SHA-1 digest algorithms are no longer allowed.
  3. Configure WebSphere Application Server for NIST SP 800-131A:
    Note: In a runtime development or quality assurance environment, you can access the WebSphere Application Server Administration Console by using the hostname that is running the Transaction Server Docker container. For a production environment, you might want to consider creating custom Run Engine commands to configure the settings into a new Docker image. For more information, see Creating your own Run Engine commands.
  4. Configure Liberty for NIST SP 800-131A:
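As an added example, not part of this HCL Commerce documentation or of the product, the following Go program applies the step 2 certificate rules to parsed X.509 certificates: RSA keys shorter than 2048 bits, elliptic curve keys shorter than 160 bits, and any signature algorithm that is not SHA-2 based are reported as findings. The function names (CheckCert, selfSigned, Demo), the self-signed test certificates and their labels are constructed for this example. DSA keys, which step 2 also names, are not measured here and are reported as an unrecognised key type rather than silently passed. The SHA-1 case is modelled as a bare certificate structure instead of being issued with x509.CreateCertificate, because whether that call accepts legacy digests depends on the Go version.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Step 2 thresholds: RSA keys below 2048 bits and EC keys below 160 bits must be replaced.
const minRSABits, minECBits = 2048, 160

// allowedSigAlgs lists the SHA-2 based signature algorithms that step 2 permits.
var allowedSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// CheckCert returns one finding per step 2 rule the certificate breaks; an
// empty slice means the key length and the signature algorithm are both acceptable.
func CheckCert(cert *x509.Certificate) []string {
	var findings []string
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < minRSABits {
			findings = append(findings, fmt.Sprintf("RSA key is %d bits; minimum is %d", bits, minRSABits))
		}
	case *ecdsa.PublicKey:
		if bits := pub.Curve.Params().BitSize; bits < minECBits {
			findings = append(findings, fmt.Sprintf("EC key is %d bits; minimum is %d", bits, minECBits))
		}
	default: // DSA and anything else is not measured here, so it is flagged rather than passed
		findings = append(findings, fmt.Sprintf("unrecognised public key type %T", pub))
	}
	if !allowedSigAlgs[cert.SignatureAlgorithm] {
		findings = append(findings, fmt.Sprintf("signature algorithm %s is not allowed; a SHA-2 digest is required", cert.SignatureAlgorithm))
	}
	return findings
}

// selfSigned issues and parses a self-signed certificate; the subject name is constructed test data.
func selfSigned(priv crypto.Signer, alg x509.SignatureAlgorithm, cn string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), SignatureAlgorithm: alg}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo checks three constructed certificates (1024-bit RSA, 2048-bit RSA, P-256)
// and a SHA-1 case built as a bare certificate structure, since CreateCertificate
// may refuse legacy digests depending on the Go version. Results are keyed by label.
func Demo() (map[string][]string, error) {
	weakRSA, _ := rsa.GenerateKey(rand.Reader, 1024)
	okRSA, _ := rsa.GenerateKey(rand.Reader, 2048)
	okEC, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	results := map[string][]string{}
	for _, c := range []struct {
		key crypto.Signer
		alg x509.SignatureAlgorithm
		cn  string
	}{{weakRSA, x509.SHA256WithRSA, "rsa1024-sha256"}, {okRSA, x509.SHA256WithRSA, "rsa2048-sha256"}, {okEC, x509.ECDSAWithSHA256, "p256-sha256"}} {
		cert, err := selfSigned(c.key, c.alg, c.cn)
		if err != nil {
			return nil, err
		}
		results[c.cn] = CheckCert(cert)
	}
	results["rsa2048-sha1"] = CheckCert(&x509.Certificate{PublicKey: &okRSA.PublicKey, SignatureAlgorithm: x509.SHA1WithRSA})
	return results, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		panic(err)
	}
	for label, findings := range results {
		fmt.Printf("%-16s %v\n", label, findings)
	}
}
```

To run this against your own certificates, decode each CERTIFICATE block of the exported PEM chain (for example the chain served by the web server, the LDAP server, or the Sterling OMS endpoint) with encoding/pem, parse it with x509.ParseCertificate, and pass the result to CheckCert; an empty finding list means that certificate meets both rules. The check covers only key length and signature digest; it does not replace validation of the chain, expiry dates, or the CA's own policy.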