NIST 800-131a

Special Publication 800-131a of the US National Institute of Standards and Technology (NIST) has new requirements for cryptographic certificates, keys, and ciphers. Eclipse Amlen supports this new standard, and provides enhanced support for TLSv1.2.

You can configure Eclipse Amlen to comply with the NIST 800-131a requirements and to enforce minimum cipher strengths. Eclipse Amlen does not enforce minimum certificate and key strength. You must control which certificates are accepted by ensuring that weak certificates and keys are not installed on Eclipse Amlen.
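
Because the server does not reject weak certificates itself, one way to meet this requirement is to check each certificate before it is installed. The script below is an added example, not part of the Eclipse Amlen documentation or code; its function names are hypothetical, and its thresholds (RSA/DSA at least 2048 bits, EC at least 224 bits, no MD5 or SHA-1 signatures) are taken from SP 800-131A rather than from this page.

```bash
#!/bin/sh
# Added example (not Eclipse Amlen code). Thresholds are taken from SP 800-131A,
# not from this page: RSA/DSA >= 2048 bits, EC >= 224 bits, no MD5/SHA-1 signatures.

# audit_cert_text: reads `openssl x509 -noout -text` output on stdin, prints one
# finding per line, and returns 0 if the certificate is acceptable, 1 otherwise.
audit_cert_text() {
    awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: \(/        { bits = $0; sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits) }
        /Signature Algorithm:/  { sig = $NF }
        # Any algorithm line naming a weak hash (covers RSASSA-PSS parameters too).
        /Algorithm:/ && tolower($0) ~ /md2|md5|sha1/ { weak = 1 }
        END {
            bad = 0
            min = (alg == "id-ecPublicKey") ? 224 : 2048
            if (bits == "") { print "FAIL: key size not found, refusing to guess"; bad = 1 }
            else if (bits + 0 < min) { print "FAIL: " alg " key is " bits " bits, minimum is " min; bad = 1 }
            if (sig == "") { print "FAIL: signature algorithm not found"; bad = 1 }
            else if (weak) { print "FAIL: weak signature hash (" sig ")"; bad = 1 }
            if (!bad) print "OK: " alg " " bits " bits, " sig
            exit bad
        }'
}

# audit_cert_file: same check for a PEM file. If openssl cannot read the file,
# the audit sees empty input and fails closed.
audit_cert_file() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | audit_cert_text
}

# Constructed sample input: the three relevant lines of the openssl text output.
# $1 = signature algorithm, $2 = public key algorithm, $3 = key size in bits
sample_cert_text() {
    printf '    Signature Algorithm: %s\n' "$1"
    printf '        Public Key Algorithm: %s\n' "$2"
    printf '            Public-Key: (%s bit)\n' "$3"
}

# Demonstration on constructed input: one acceptable and one weak certificate.
sample_cert_text sha256WithRSAEncryption rsaEncryption 2048 | audit_cert_text || true
sample_cert_text sha1WithRSAEncryption rsaEncryption 1024 | audit_cert_text || true
```

Run `audit_cert_file server-cert.pem` (placeholder file name) against each certificate before installing it; key types for which openssl prints no bit size are rejected rather than guessed at.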

The Eclipse Amlen JMS client uses only ciphers and protocols that conform to NIST 800-131a.

Note: Based on the NIST recommendation on use of SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation, Dual_EC_DRBG is not enabled on Eclipse Amlen. For more information about the NIST recommendation, see the Supplemental ITL bulletin for September 2013 on the NIST website.

To configure Eclipse Amlen to enforce the minimum cipher strength, configure the security profile of each endpoint as follows:
  • Set the minimum security protocol to TLSv1.2, TLSv1.1, or TLSv1. All levels of TLS are NIST 800-131a compliant, but use the highest version that is supported by all clients.
  • Set the ciphers to Fast or Best. Typically, the cipher lists are the same. However, Fast chooses the faster ciphers first, and Best chooses the stronger ciphers first.

For more information about configuring security profiles, see Configuring security profiles.