Troubleshooting NIST SP800-131a environment configurations

If you are configuring IBM® Business Process Manager to support the National Institute of Standards and Technology (NIST) SP800-131a security standard, you might observe one or more of the following configuration issues.

Table 1. Potential NIST SP800-131a environment configuration issues and suggested actions
Symptom: Synchronization in the administrative console fails after conversion of certificates
Potential cause: The existing connection is using old certificates
What to do: Run the syncNode command

Symptom: The deployment manager, node agent, or node cannot be stopped after you have made the changes to support NIST
Potential cause: PROFILE_DIR/properties/ssl.client.props file properties have not been updated
What to do: Update the PROFILE_DIR/properties/ssl.client.props file properties, because they are not transferred during node synchronization

Symptom: Browser cannot access the Process Admin console
Potential cause: The TLS 1.2 protocol might not be enabled in the browser
What to do:
  • Use the ping command to test access to the specified host name
  • Verify that TLS version 1.2 is enabled
  • Use the grep command to verify that the SSL port is correct for the listening parameter in the SystemOut file
  • Test the connection using a different browser. For example, Opera 12

Symptom: The Process Portal is empty when only Microsoft Internet Explorer is used
Potential cause:
  • Internet Explorer 9 is running in Internet Explorer 7 Browser Mode
  • Internet Explorer 9 is running in Quirks Document Mode
What to do:
  • In Internet Explorer 9, press F12 and check the Browser Mode
  • In Internet Explorer 9, press F12 and check the Document Mode

Symptom: Process Designer login fails, resulting in a "peer not authenticated" error message
Potential cause:
  • The resources\ssl.client.props file is using SSL_TLS instead of TLSv1.2
  • The Process Center signer certificate is not specified in the C:\IBM\ProcessDesigner\v8.5\etc\trust.p12 file
What to do:
  • Configure the C:\IBM\ProcessDesigner\v8.5\resources\ssl.client.props client file to match your security standard. For example, strict mode or transition mode:
    1. Set the com.ibm.security.useFIPS property to true.
    2. Add the com.ibm.websphere.security.FIPSLevel property just below the useFIPS property. Set the property to SP800-131 if strict mode is enabled and to transition if transition mode is enabled.
    3. Change the com.ibm.ssl.protocol property to TLSv1.2 if strict mode is enabled. If transition mode is enabled, ensure that the property matches the server protocol setting.
    4. Restart Process Designer.
  • The time stamp for the etc\trust.p12 file must be later than the time at which you enabled NIST strict mode in the administrative console. To correct this situation, you can download Process Designer from Process Center again. The compressed file contains the appropriate etc\trust.p12 version.

Symptom: Process Designer login displays an empty page with the "This program cannot display the webpage" message
Potential cause: Process Designer uses Microsoft Internet Explorer to open the Process Center page, which is the default perspective. As a result, this error appears when TLS version 1.2 is not enabled in Microsoft Internet Explorer
What to do: Verify that TLS version 1.2 is supported and enabled in Microsoft Internet Explorer and reopen Process Designer.

Symptom: A configured Process Server does not show up in the Servers tab of the Process Designer
Potential cause: After the certificates were converted to the NIST SP 800-131a standard, Process Center and Process Server signers were not added to the Process Center and Process Server truststore
What to do: Confirm that the Process Server signer certificate is added to the Process Center truststore and that the Process Center signer certificate is added to the Process Server truststore

Symptom: When Firefox is used, Process Designer playback fails and returns the "The connection was interrupted" error message
Potential cause: Firefox does not support TLS version 1.2
What to do: Change the default browser

Symptom: When Microsoft Internet Explorer is used, Process Designer playback fails and returns the "Internet Explorer cannot display the webpage" error message
Potential cause: TLS version 1.2 is not enabled in Microsoft Internet Explorer
What to do: Change the default browser
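
The three ssl.client.props settings listed for the Process Designer "peer not authenticated" symptom can be verified before restarting the client. The following Python check is an added example, not IBM code: the function names and both sample files are constructed, and the server protocol for transition mode is a value the caller supplies.

```python
"""Check ssl.client.props text against the strict/transition settings in the table."""

KEY_FIPS = "com.ibm.security.useFIPS"
KEY_LEVEL = "com.ibm.websphere.security.FIPSLevel"
KEY_PROTO = "com.ibm.ssl.protocol"

def parse_props(text):
    """Parse key=value lines; skip blanks and comments; a later duplicate key wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_client_props(text, mode, server_protocol=None):
    """Return a list of findings; an empty list means the file matches `mode`."""
    if mode not in ("strict", "transition"):
        raise ValueError("mode must be 'strict' or 'transition'")
    if mode == "transition" and server_protocol is None:
        raise ValueError("transition mode needs the server protocol setting")
    expected = {
        KEY_FIPS: "true",
        KEY_LEVEL: "SP800-131" if mode == "strict" else "transition",
        KEY_PROTO: "TLSv1.2" if mode == "strict" else server_protocol,
    }
    props = parse_props(text)
    findings = []
    for key, want in expected.items():
        got = props.get(key)
        if got is None:
            findings.append(f"{key} is missing (expected {want})")
        elif got != want and not (key == KEY_FIPS and got.lower() == want):
            findings.append(f"{key}={got} (expected {want})")
    return findings

# Constructed sample files, not taken from a real installation.
BEFORE = "# client SSL settings\ncom.ibm.security.useFIPS=false\ncom.ibm.ssl.protocol=SSL_TLS\n"
AFTER = ("com.ibm.security.useFIPS=true\n"
         "com.ibm.websphere.security.FIPSLevel=SP800-131\n"
         "com.ibm.ssl.protocol=TLSv1.2\n")

if __name__ == "__main__":
    for finding in check_client_props(BEFORE, "strict"):
        print(finding)
```

To check a real client, pass the contents of resources\ssl.client.props as `text`; the same check applies to PROFILE_DIR/properties/ssl.client.props on each node, since that file is not transferred during node synchronization.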