IBM Support

Usage of TLS 1.2 with IBM InfoSphere Information Server

Question & Answer


Question

How do I use TLS 1.2 with IBM InfoSphere Information Server?

Cause

Incomplete settings for TLS 1.2 usage result in a number of different errors related to SSL handshake, authentication, certificates, ciphers and so on.

Answer

Note:
The network protocol is automatically changed to TLS 1.2 in new installations of Information Server 11.7.1.3 (or later), and existing installations that are upgraded to 11.7.1.3 (or later). Hence, in those installations, the following actions are not needed. See the 11.7.1.3 installation instructions for additional actions that might be needed to complete the change.

In situations where only TLS 1.2 is configured, in addition to Information Server components, one must also configure browsers, databases, .Net and so on to permit only TLS 1.2. Ensure that they are upgraded to an appropriate version.
Actions are needed on each of the tiers.

1. For WebSphere Network Deployment:
           a. In WebSphere administration console,
                  i.  Go to Security -> SSL certificate and key management -> SSL configurations -> IISSSL Configuration -> Quality of Protection (QoP) settings
                       Set Protocol = TLSv1.2
                       Apply and OK the changes.
                  ii. Go to Security -> SSL certificate and key management -> SSL configurations -> NodeDefaultSSLSettings -> Quality of Protection (QoP) settings
                       Set Protocol = TLSv1.2
                       Apply and OK the changes.
    
              NOTE: After NodeDefaultSSLSettings is updated to TLS 1.2, you will not be able to stop WebSphere Application Server if com.ibm.ssl.protocol=TLSv1.2 is not yet set in /opt/IBM/WebSphere/AppServer/profiles/InfoSphere/properties/ssl.client.props.
           b. In another window, edit the protocol setting in the ssl.client.props files; set the protocol:
                    /opt/IBM/WebSphere/AppServer/profiles/InfoSphere/properties/ssl.client.props
                    /opt/IBM/WebSphere/AppServer/profiles/dmgr1/properties/ssl.client.props (for deployment manager)
                           com.ibm.ssl.protocol=TLSv1.2
 
            c. Back in the WebSphere administration console, click the "Save" link label near the top of screen.
                Save the changes, and log out of the console.
                Restart WebSphere Application Server for the changes to take effect.

2. For WebSphere Liberty profile:
           a.  Shut down the server
                    /opt/IBM/InformationServer/wlp/bin/server stop iis
           b. Edit \IBM\InformationServer\wlp\usr\servers\iis\bootstrap.properties; set the protocol   
                    iis.ssl.sslProtocol=TLSv1.2
           c. Restart the server    
                    /opt/IBM/InformationServer/wlp/bin/server start iis
 
3. Update the value for com.ibm.iis.ssl.protocol in the following locations
         Services tier: ASBServer/conf/iis.client.site.properties
         Engine tier: ASBNode/eclipse/plugins/com.ibm.iis.client/iis.client.site.properties
         Client tier: ASBNode/eclipse/plugins/com.ibm.iis.client/iis.client.site.properties
               com.ibm.iis.ssl.protocol=TLSv1.2
 
4. Run UpdateSignerCerts from ASBServer/bin and ASBNode/bin on all tiers (you must have write permission on the truststore).
           /opt/IBM/InformationServer/ASBServer/bin/UpdateSignerCerts.sh -url <hostname>:<port>

5. For a clustered configuration, the previous steps must be done on the deployment manager and each node.
     A full restart of the deployment manager and nodes must be done.
6. Upgrade the JDKs to an appropriate level (for quick reference, here is the October 2016 JDK)
 

7.  Refer to the Related information section of this technote, for technotes of Information Server components that need component-specific actions related to the usage of TLS 1.2.

For Connectivity components, note the following:

  • the File Connector does not need any configuration changes
  • for Hierarchical Stage, upgrade to 11.5.0.2 (no configuration changes are needed)
  • for Salesforce Data Connector see the linked technotes
  • actions for other connectors, if any, are yet to be determined.
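
A pre-restart check for the property edits in steps 1 to 3, as an added example that is not IBM tooling: it reads each file's effective protocol value and reports any that is not TLSv1.2, which matters because of the NOTE in step 1 about ssl.client.props. The ROOT prefix, the function names, and the placement of ASBServer and ASBNode under /opt/IBM/InformationServer (the page gives them as relative paths) are assumptions; the sample tree is constructed.

```shell
# Added example, not IBM tooling. ROOT is a hypothetical path prefix: leave it
# unset to audit the constructed sample tree, or run with ROOT= on a real tier.
WANT=TLSv1.2
# Effective value of key $2 in properties file $1 (comments skipped, last wins).
prop_value() {
  awk -v key="$2" '
    /^[ \t]*[#!]/ { next }
    { line = $0; sub(/^[ \t]+/, "", line)
      sep = match(line, /[ \t]*[=:][ \t]*/)
      if (sep == 0 || substr(line, 1, sep - 1) != key) next
      val = substr(line, sep + RLENGTH); sub(/[ \t\r]+$/, "", val); found = 1 }
    END { if (found) print val }' "$1"
}

# Returns 0 = TLSv1.2, 1 = unset or another protocol, 2 = file absent here.
check_prop() {
  [ -f "$1" ] || { echo "SKIP  $1"; return 2; }
  got=$(prop_value "$1" "$2")
  if [ "$got" = "$WANT" ]; then echo "OK    $1"; return 0; fi
  echo "FAIL  $1: $2=${got:-<unset>}"; return 1
}

# Check the files from steps 1-3 under prefix $1; exit status = FAIL count.
audit_tls() {
  root=$1; fails=0
  while IFS='|' read -r path key; do
    rc=0; check_prop "$root$path" "$key" || rc=$?
    if [ "$rc" -eq 1 ]; then fails=$((fails + 1)); fi
  done <<EOF
/opt/IBM/WebSphere/AppServer/profiles/InfoSphere/properties/ssl.client.props|com.ibm.ssl.protocol
/opt/IBM/WebSphere/AppServer/profiles/dmgr1/properties/ssl.client.props|com.ibm.ssl.protocol
/opt/IBM/InformationServer/wlp/usr/servers/iis/bootstrap.properties|iis.ssl.sslProtocol
/opt/IBM/InformationServer/ASBServer/conf/iis.client.site.properties|com.ibm.iis.ssl.protocol
/opt/IBM/InformationServer/ASBNode/eclipse/plugins/com.ibm.iis.client/iis.client.site.properties|com.ibm.iis.ssl.protocol
EOF
  return "$fails"
}

# Constructed sample: Liberty file correct (CRLF), ASBNode file still at TLSv1.
demo_tree() {
  d=$(mktemp -d); is=$d/opt/IBM/InformationServer
  p=$is/ASBNode/eclipse/plugins/com.ibm.iis.client
  mkdir -p "$is/wlp/usr/servers/iis" "$p"
  printf '#iis.ssl.sslProtocol=TLSv1\niis.ssl.sslProtocol = TLSv1.2\r\n' \
    > "$is/wlp/usr/servers/iis/bootstrap.properties"
  printf 'com.ibm.iis.ssl.protocol=TLSv1\n' > "$p/iis.client.site.properties"
  echo "$d"
}
audit_tls "${ROOT-$(demo_tree)}" || echo "$? file(s) not set to $WANT"
```

SKIP lines are expected, since each tier holds only some of these files. The check covers the property files only; the Quality of Protection settings made in the WebSphere administration console still need to be confirmed there.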
 

Change History:
26 April 2017: Original version published
27 April 2017: Added version-based links for Salesforce Data Connector
11 May 2017: Updated argument in sample UpdateSignerCerts.sh command
14 May 2017: Added information for Hierarchical stage
06 June 2017: Removed step to set protocol in ASBServer/conf/ssl.client.props file
27 June 2017: Added related link to IMAM technote
18 May 2018: Added related link to technote for support in DataStage Clients
17 May 2019: Added related link for enabling TLS Communications to DB2 Databases
21 July 2021: Removed duplicate links to DataStage technote
29 July 2021: Added link to technote for DataStage Web Services Pack
13 February 2023: Added link to configure TLS & cipher suites on Microservices tier
27 April 2023: Updated links to other technotes; Added links for Oracle and SQL Server


Document Information

Modified date:
27 April 2023

UID

swg22001891