National Institute of Standards and Technology (NIST) security compliance

To conform to the security requirements of the National Institute of Standards and Technology (NIST) as specified in Special Publication 800-131A, applications must restrict themselves to a defined set of cryptographic algorithms and enforce minimum key strengths for each of them.

These standards specify the cryptographic algorithms and key lengths that are required to remain compliant with NIST security standards. For more information on NIST security standards, see http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf.

Algorithms and key strengths that are not allowed for strict NIST 800-131a compliance include:

  • RSA key size < 2048
  • DSA key size < 2048
  • EC keys < 224
  • SHA1 (also written SHA-1)
  • MD2
  • MD4
  • MD5
  • RC2
  • RC4
  • DES

Sterling B2B Integrator works in two security compliance modes:

  • Non-NIST 800-131a compliance (default)
  • Strict NIST 800-131a compliance

The following applies to all adapters, services, and components when working in NIST 800-131a compliance mode:
  • If an adapter, service, or component is configured with non-NIST 800-131a compliant information, the configuration summary page for that component indicates non-NIST compliance. To maintain compliance, you must re-configure the adapter, service, or component with NIST 800-131a compliant information.
  • Re-configuring an adapter, service, or component forces the use of NIST 800-131a compliant information; non-compliant options are no longer available.
  • If an adapter or service is configured with non-NIST 800-131a compliant information, it is disabled; you cannot restart it until it has been reconfigured with information that supports NIST 800-131a compliance.

For more information about NIST 800-131a compliance, please see http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf.

Property files contain properties that control the operation of Sterling B2B Integrator. To enable NIST 800-131a compliance mode, you must modify the values of these properties. For general information about editing property files, see the Working with Property Files documentation.
  1. Stop the system.
  2. Open the security.properties file: on UNIX, /install_dir/properties/security.properties; on Windows, \install_dir\properties\security.properties.
  3. Set the following parameter in the properties file: NIST.800-131a=strict
  4. Save and exit the file.
  5. Start the system.

To disable NIST 800-131a compliance mode, modify the same property file.
  1. Stop the system.
  2. Open the security.properties file: on UNIX, /install_dir/properties/security.properties; on Windows, \install_dir\properties\security.properties.
  3. Set the parameter in the property file: NIST.800-131a=off
  4. Save and exit the file.
  5. Start the system.

Sterling B2B Integrator contains seven system certificates: OpsDrv, OpsKey, B2BHttp, UIKey, ASISslCert, DefDBCrypt, and doccrypto. These RSA certificates have been upgraded from 1024 key strength with the SHA1withRSA signature algorithm to 2048 key strength with the SHA256withRSA signature algorithm, with the exception of doccrypto: instead, a new certificate named doccrypto2, with 2048 key strength and the SHA256withRSA signature algorithm, was added for NIST 800-131a compliance in strict mode and is deployed with Sterling B2B Integrator version 5.2.4.2. After the NIST 800-131a patch upgrade, all new documents in the system are encrypted with these new certificates.

To verify that the certificate you selected meets NIST 800-131a compliance, check its key strength:
  1. From the Trading Partner menu, select Digital Certificates > System > List All.
    A list of System Certificates is displayed.
  2. Locate and select the certificate name you want to review.
    The Certificate Summary displays a detailed list of the certificate properties.
  3. Locate the Public Key Length. For NIST 800-131a compliance in strict mode, the Public Key Length must be 2048. If it shows 1024 in strict mode, an old certificate is in use and must be updated or retired.
  4. If the certificate is non-NIST compliant, selecting it displays the message: Not NIST 800-131a compliant.

An adapter is disabled as a result of NIST 800-131a compliance when it was configured in "off" mode using noncompliant data, such as noncompliant certificates or cipher strength, and the system is then switched to strict mode.

If a non-NIST 800-131a compliant system certificate, CA certificate, or cipher strength is used in strict mode, the server adapter is disabled and messages are written to the adapter's log file. To re-enable the adapter, you must re-configure it with a NIST 800-131a compliant certificate and cipher strength.

If an adapter is disabled because of a non-NIST 800-131a compliant certificate or cipher strength, the message Not NIST 800-131a compliant appears on the Adapter details page. If you receive this error, you must re-configure the adapter for NIST 800-131a compliance.

Client Adapters

If a client adapter is configured with a non-NIST 800-131a compliant system certificate, trusted certificate, CA certificate, or cipher strength in strict mode, communication with the server fails. If you receive a failure, you must re-configure the client adapter for NIST 800-131a compliance.

If an error appears because the certificate or cipher strength in use is not strong enough for NIST 800-131a compliance, you must re-configure the component.

For example, if you are using certificates, replace the old, non-NIST 800-131a compliant certificate with a NIST 800-131a compliant certificate in the area of the system where the certificate is configured for that component.

Once you re-configure the component with the new certificate or other NIST 800-131a compliant information, the adapter, service, or system component is re-enabled.

For adapters using SSL, only Strong cipher strength is an available selection during configuration. When running in NIST 800-131a strict mode, these cipher suites are supported:
  • SSL_RSA_WITH_AES_128_CBC_SHA256
  • SSL_RSA_WITH_AES_256_CBC_SHA256

NIST 800-131a compliant cipher suites

Only NIST 800-131a compliant cipher suites are used when running in NIST 800-131a compliance mode. Strong cipher suites can also be configured in off mode; however, only strong cipher suites can be used in strict mode.

Use the parameter NISTCompliantCipherSuite in security.properties to view a list of NIST 800-131a compliant cipher suites.
Note: Do not modify the NISTCompliantCipherSuite entry.
In addition to the above cipher suites, the following ciphers are supported:
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
  • SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
Enabling the Ciphers in Sterling B2B Integrator
  • If NIST.800-131a=off, perform the following:
    1. Stop Sterling B2B Integrator.
    2. Add the following property to the customer_override.properties file:

      security.CipherSuiteDefault=SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,SSL_RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_AES_256_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,SSL_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,SSL_DHE_RSA_WITH_AES_256_GCM_SHA384

    3. Restart Sterling B2B Integrator.
  • If NIST.800-131a=on, perform the following:
    1. Stop Sterling B2B Integrator.
    2. Add the following property to the customer_override.properties file:

      security.NISTCompliantCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,SSL_DHE_RSA_WITH_AES_256_GCM_SHA384

    3. Restart Sterling B2B Integrator.

Client adapters with SSL

If a client adapter is configured with a non-NIST 800-131a compliant system certificate, CA certificate, or cipher strength in strict mode, the communication to the server will fail.

If you receive an error, you must re-configure the adapter for NIST 800-131a compliance.

TLS Version

In strict mode, the parameter SSLHelloProtocolForNISTStrict in security.properties controls the TLS versions used. It is set to TLS1.2-ONLY. If you are using NIST 800-131a strict compliance, do not change this value.

If NIST 800-131a is off, the parameter SSLHelloProtocol=TLS1-TLS1.2 in security.properties controls the TLS versions used; this setting allows TLS 1.0, TLS 1.1, and TLS 1.2.

If you use TLS 1.2 to communicate with your trading partner and client authentication for SSL is specified, the key length of the certificate used for client authentication must be at least 1024; otherwise, the error "intended enc. msg. too short" occurs at the beginning of the SSL session with your trading partner. In this case, you must upgrade to a certificate with a key length of at least 1024.

TLS 1.2 is supported in Sterling B2B Integrator default mode, when not in NIST 800-131a compliance mode.
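The property checks described in the cipher-suite and TLS-version sections above can be automated. The following is an added example, not part of Sterling B2B Integrator: it reads a .properties file, picks the cipher list that applies to the configured mode (security.NISTCompliantCipherSuite in strict mode, security.CipherSuiteDefault otherwise) together with the matching protocol parameter, and flags any suite built on a primitive from the disallowed list at the top of this page. The property names are those documented above; the sample file content is constructed, and the whole-token matching that keeps 3DES (listed as compliant on this page) apart from DES is this example's own design.

```python
"""Audit Sterling B2B Integrator security properties for the NIST 800-131a
settings described on this page.

Added example, not product code. Property names come from the page; the
SAMPLE_PROPERTIES text below is constructed for illustration.
"""

# Primitives the page lists as disallowed in strict mode, as they appear as
# '_'-separated tokens in a JSSE cipher-suite name. Matching whole tokens means
# "DES" is flagged while "3DES" (listed as compliant on this page) is not.
DISALLOWED_TOKENS = {"RC2", "RC4", "DES", "MD2", "MD4", "MD5"}

# Constructed sample in the shape of customer_override.properties, with one
# value continued across lines using the backslash convention of Java
# properties files.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real installation file
NIST.800-131a=off
SSLHelloProtocol=TLS1-TLS1.2
SSLHelloProtocolForNISTStrict=TLS1.2-ONLY
security.CipherSuiteDefault=SSL_RSA_WITH_AES_128_CBC_SHA,\\
    SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_DES_CBC_SHA,\\
    SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384
security.NISTCompliantCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments and
    trailing-backslash continuation. Enough for the files on this page."""
    props: dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]      # value continues on the next line
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def noncompliant_suites(suite_list: str) -> list[str]:
    """Return the suites in a comma-separated list that use a disallowed primitive."""
    flagged = []
    for suite in (s.strip() for s in suite_list.split(",")):
        if suite and set(suite.split("_")) & DISALLOWED_TOKENS:
            flagged.append(suite)
    return flagged


def audit(props: dict[str, str]) -> dict:
    """Apply the mode-dependent rules from the page and return the findings."""
    mode = props.get("NIST.800-131a", "off").strip().lower()
    strict = mode == "strict"
    findings = []
    if strict:
        suites = props.get("security.NISTCompliantCipherSuite", "")
        protocol = props.get("SSLHelloProtocolForNISTStrict", "")
        if protocol != "TLS1.2-ONLY":
            findings.append("SSLHelloProtocolForNISTStrict=%r; the page says this "
                            "stays TLS1.2-ONLY in strict mode" % protocol)
    else:
        suites = props.get("security.CipherSuiteDefault", "")
        protocol = props.get("SSLHelloProtocol", "")
    for suite in noncompliant_suites(suites):
        # In off mode these are permitted, but the page warns that adapters
        # configured with them are disabled once the system is switched to strict.
        note = "" if strict else " (adapter would be disabled after switching to strict)"
        findings.append(f"cipher suite {suite} uses a primitive disallowed in strict mode{note}")
    return {"mode": mode, "strict": strict, "protocol": protocol,
            "suite_count": len([s for s in suites.split(",") if s.strip()]),
            "findings": findings}


if __name__ == "__main__":
    result = audit(parse_properties(SAMPLE_PROPERTIES))
    print(f"mode={result['mode']} protocol={result['protocol']} suites={result['suite_count']}")
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the real files, the same functions can be pointed at security.properties first and customer_override.properties second, with the second dictionary overriding the first, which mirrors how the override file is layered on top of the base properties.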

Mail Servers not supporting TLS 1.2

SMTP and B2B mail client adapters use the mail server for communication. If you run in NIST 800-131a strict mode with a mail server that does not support TLS 1.2, all SSL communication with that mail server fails with a handshake error.

Import

When Sterling B2B Integrator runs in strict mode, non-NIST 800-131a compliant certificates are not imported into the system, even when the import.sh command line script is used.

When a non-NIST 800-131a compliant certificate is used, the import report indicates that a failure occurred and lists the non-compliant certificate.

If you use the Sterling B2B Integrator user interface to import a non-NIST 800-131a compliant certificate, an error message appears indicating that the certificate is not compliant.

Export

You can export all certificates regardless of NIST 800-131a compliance.

Sterling B2B Integrator includes certificates updated from 1024 key strength and the SHA1withRSA signature algorithm to 2048 key strength and the SHA256withRSA signature algorithm for these system certificates:

  • OpsDrv
  • OpsKey
  • B2BHttp
  • UIKey
  • ASISslCert
  • DefDBCrypt
  • doccrypto2
    Note: doccrypto2 is the updated name for NIST 800-131a compliance. doccrypto remains in the system so that legacy documents encrypted with it can still be decrypted; any new documents encrypted after the patch upgrade use the new certificate and are decrypted with doccrypto2.

SHA256 is supported in Sterling B2B Integrator default mode, when not in NIST 800-131a compliance mode.

If you are running Sterling B2B Integrator in NIST 800-131a strict mode and any certificate has the Auth Chain flag enabled, then all certificates in its chain (up to and including the root certificate) must be NIST 800-131a compliant for validation to succeed.

If one or more certificates in the auth chain are not NIST 800-131a compliant, an error message on the summary page of the certificate indicates that they are not NIST 800-131a compliant, and you cannot use this certificate in NIST 800-131a compliance mode.

Note: The Auth Chain flag should not be enabled for self-signed certificates.
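As an added example (not product code) that ties together the disallowed-algorithm list at the top of this page and the Auth Chain rule just described, the following evaluates a certificate's key algorithm, key length and signature algorithm against those limits, then walks a chain and reports every certificate that fails. The CertInfo structure and the sample chain are constructed; in practice the values would come from the Certificate Summary page or from a certificate parser.

```python
"""Check certificate attributes against the NIST 800-131a strict-mode limits
listed on this page, including the Auth Chain rule.

Added example, not product code. CertInfo and SAMPLE_CHAIN are constructed;
the limits are the ones the page lists (RSA/DSA < 2048, EC < 224, and
SHA-1/MD2/MD4/MD5 signature digests disallowed).
"""
from dataclasses import dataclass

MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 224}
DISALLOWED_DIGESTS = {"SHA1", "SHA-1", "MD2", "MD4", "MD5"}


@dataclass(frozen=True)
class CertInfo:
    name: str
    key_algorithm: str         # "RSA", "DSA" or "EC"
    key_bits: int              # the Public Key Length shown on the Certificate Summary
    signature_algorithm: str   # e.g. "SHA256withRSA"
    self_signed: bool = False


def signature_digest(sig_alg: str) -> str:
    """'SHA1withRSA' -> 'SHA1'; also accepts 'sha256WithRSAEncryption' style names."""
    return sig_alg.lower().split("with", 1)[0].upper()


def check_certificate(cert: CertInfo) -> list[str]:
    """Return the reasons a single certificate fails strict mode (empty if compliant)."""
    reasons = []
    minimum = MIN_KEY_BITS.get(cert.key_algorithm.upper())
    if minimum is None:
        reasons.append(f"{cert.name}: unrecognised key algorithm {cert.key_algorithm}")
    elif cert.key_bits < minimum:
        reasons.append(f"{cert.name}: {cert.key_algorithm} key size {cert.key_bits} < {minimum}")
    digest = signature_digest(cert.signature_algorithm)
    if digest in DISALLOWED_DIGESTS:
        reasons.append(f"{cert.name}: signature algorithm {cert.signature_algorithm} uses {digest}")
    return reasons


def check_chain(chain: list[CertInfo], auth_chain: bool) -> dict[str, list[str]]:
    """chain[0] is the end-entity certificate, followed by its issuers up to the root.

    With the Auth Chain flag enabled every certificate in the chain must pass;
    with it disabled only the end-entity certificate is evaluated.
    """
    failures: dict[str, list[str]] = {}
    if auth_chain and chain and chain[0].self_signed:
        # The page notes the flag should not be enabled for self-signed certificates.
        failures[chain[0].name] = ["Auth Chain flag enabled on a self-signed certificate"]
    for cert in (chain if auth_chain else chain[:1]):
        reasons = check_certificate(cert)
        if reasons:
            failures.setdefault(cert.name, []).extend(reasons)
    return failures


# Constructed sample: a current end-entity and intermediate certificate issued
# under a legacy root that still has a 1024-bit key and a SHA-1 signature.
SAMPLE_CHAIN = [
    CertInfo("partner-leaf", "RSA", 2048, "SHA256withRSA"),
    CertInfo("partner-intermediate", "RSA", 2048, "SHA256withRSA"),
    CertInfo("legacy-root", "RSA", 1024, "SHA1withRSA", self_signed=True),
]

if __name__ == "__main__":
    for flag in (False, True):
        print(f"Auth Chain={flag}:", check_chain(SAMPLE_CHAIN, auth_chain=flag) or "compliant")
```

With the Auth Chain flag off, the sample chain passes because only the 2048-bit end-entity certificate is examined; with it on, the legacy root fails on both its key size and its SHA-1 signature, which is exactly the case the page says blocks the certificate in strict mode.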