Enabling TLS v1.2 on the virtual MDM Workbench

To enable TLS v1.2 on the virtual MDM Workbench, take the following steps:

Procedure

  1. Export the server certificate and install it into the JVM used by the virtual MDM Workbench. Use ikeyman to obtain the certificate from the server by taking the following steps:
    1. On the machine where the server is installed, open ikeyman.exe in the WebSphere® Application Server jre/bin directory to obtain the certificate from the server.
    2. Click the Open a key database file icon, then, in the window that opens, click Browse and locate DummyClientTrustFile.jks in your WebSphere Application Server profile. The default location might be similar to <WebSphere_install_dir>/profiles/<profile_name>/etc/DummyClientTrustFile.jks. Click OK when you find the file.
    3. When prompted for a password, enter WebAS, which is the default password in a normal installation.
    4. Select Signer Certificates from the list, select default_signer, and click Extract. Note the location and name of the certificate as it is required later.
    5. Click OK to save the file.
  2. Update the Default Trust Store by taking the following steps:
    1. Copy the exported server certificate to the machine where Workbench is installed and open ikeyman.exe in the Workbench jre/bin directory.
    2. Click the Open a key database file icon and browse to the cacerts file in the JRE's lib/security directory.
    3. When prompted for a password, enter changeit.
    4. Click Add and browse to the file that contains the server certificate you exported. You might need to set the file types field to All files.
    5. Click OK when the correct file is selected in the Open window.
    6. Enter a label for the certificate.
  3. Modify the ssl.client.props file to enable TLS v1.2. In a default installation, the config.ini file in <RAD/RSA_install_dir>/configuration defines the com.ibm.SSL.ConfigURL property to point to <RAD/RSA_install_dir>/runtimes/base_stub/properties/ssl.client.props. You can modify this file by taking the following steps:
    1. Set com.ibm.security.useFIPS to true.
    2. Add com.ibm.websphere.security.FIPSLevel=SP800-131 on the line directly after the useFIPS property.
    3. Change the com.ibm.ssl.protocol property to TLSv1.2.
    4. Optional: You can also point to a different ssl.client.props file by specifying -Dcom.ibm.SSL.ConfigURL=<path_to_your_own_ssl.client.props> on the command line that launches the MDM Workbench in IBM® Rational® Application Developer.
  4. Add the com.ibm.ws.security.crypto.jar file to the JRE lib/ext directory by taking the following steps:
    1. Copy com.ibm.ws.security.crypto.jar from <RAD/RSA_install_dir>/runtimes/base_v85_stub/runtimes to the <RAD/RSA_install_dir>/jdk/jre/lib/ext directory.
    2. Restart IBM Rational Application Developer. The MDM Workbench communicates with the virtual MDM operational server over a JMX connection when a configuration is deployed or when a job set is run. Other actions, such as the following, use the virtual MDM operational server API:
      • importing a configuration from the Master Data Management menu
      • performing Connect and Disconnect actions in the Source Sequence Identifiers view
      • comparing a configuration from the Configuration Comparison view
      When one of these operations is started, a login dialog is displayed. Enter the login credentials, host, and port information. When using a secure connection, use the WC_defaulthost_secure port for the target server. In a typical installation this is port 9443, but you should check these values by using the IBM WebSphere Application Server Administrative Console. When using the WC_defaulthost_secure port the Is port secure? box should also be selected. For more information, see step 1, SDK for Java™, in Configuring virtual MDM runtime integration with the engine.
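The following shell script is an added example, not part of this IBM documentation or of the product. It automates the edits from step 3 (setting useFIPS, inserting the FIPSLevel property directly after it, and switching the protocol to TLSv1.2) on an ssl.client.props file, and it shows the keytool command-line equivalents of the ikeyman actions in steps 1 and 2 for exporting the default_signer certificate and importing it into the JRE cacerts file. The sample property file contents are constructed for the demonstration; the JRE path, certificate file name and label passed to the keytool functions are assumptions and must be replaced with the values from your own installation.

```shell
#!/bin/sh
# Added example (not IBM's code): automates the ssl.client.props edits from
# step 3 and shows keytool equivalents of the ikeyman actions in steps 1-2.

# Set key=value in a properties file, replacing an existing line or appending.
set_prop() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        tmp=$(mktemp)
        # '|' as the sed delimiter so dotted keys and '=' need no escaping
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value of a property (first match only).
get_prop() {
    sed -n "s|^$2=||p" "$1" | head -n 1
}

# Apply the three step 3 changes; safe to run more than once.
enable_tls12() {
    file=$1
    set_prop "$file" com.ibm.security.useFIPS true
    set_prop "$file" com.ibm.ssl.protocol TLSv1.2
    # The FIPSLevel property goes on the line directly after useFIPS.
    if ! grep -q '^com.ibm.websphere.security.FIPSLevel=' "$file"; then
        tmp=$(mktemp)
        awk '{ print }
             /^com\.ibm\.security\.useFIPS=/ { print "com.ibm.websphere.security.FIPSLevel=SP800-131" }' \
            "$file" > "$tmp" && mv "$tmp" "$file"
    fi
}

# Return success only when all three settings are present with exact values.
check_tls12() {
    file=$1
    grep -qx 'com.ibm.security.useFIPS=true' "$file" &&
    grep -qx 'com.ibm.websphere.security.FIPSLevel=SP800-131' "$file" &&
    grep -qx 'com.ibm.ssl.protocol=TLSv1.2' "$file"
}

# Step 1 equivalent: extract default_signer from DummyClientTrustFile.jks.
# Arguments: path to the .jks file, output certificate file (assumed names).
export_signer_cert() {
    keytool -exportcert -rfc -keystore "$1" -storepass WebAS \
        -alias default_signer -file "$2"
}

# Step 2 equivalent: add the exported certificate to the Workbench JRE
# cacerts file. Arguments: JRE directory, certificate file, label (assumed).
import_server_cert() {
    jre=$1; cert=$2; label=$3
    "$jre/bin/keytool" -importcert -noprompt -trustcacerts \
        -keystore "$jre/lib/security/cacerts" -storepass changeit \
        -alias "$label" -file "$cert"
}

# Demonstration on a constructed sample file, not a real installation.
sample=$(mktemp)
printf '%s\n' 'com.ibm.ssl.defaultAlias=DefaultSSLSettings' \
    'com.ibm.security.useFIPS=false' \
    'com.ibm.ssl.protocol=SSL_TLSv2' > "$sample"
enable_tls12 "$sample"
check_tls12 "$sample" && echo "TLS v1.2 settings present in $sample"
cat "$sample"
rm -f "$sample"
```

Run enable_tls12 against the ssl.client.props path named in config.ini (or the one you pass with -Dcom.ibm.SSL.ConfigURL), then check_tls12 to confirm the three settings before restarting Rational Application Developer. The keytool functions are only defined here, not invoked, because they need a real WebSphere profile and Workbench JRE.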


Last updated: 27 Jun 2018