Migrating a flow that uses SSLv3
All message flows that use SSLv3 should be updated to use TLS.
About this task
SSLv3 is disabled by default in IBM® App Connect Enterprise 13.0, because SSLv3 is no longer considered secure due to the POODLE vulnerability (see http://www.ibm.com/support/docview.wss?uid=swg21687678).
Flows that attempt to use SSLv3 report connection failures. For example:
- BIP3544E: Failed to create an SSL connection to the remote host. Reason 'java.security.NoSuchAlgorithmException: SSLv3 SSLContext not available'.
- BIP3135S: An exception occurred while starting the servlet engine connector. Exception text is HTTP Listener org.apache.catalina.LifecycleException: Failed to start component.
For each integration server that hosts message flows that use SSLv3, complete one of the following steps:
- Update the message flows to use TLS. Note: You must update both sides of any communication to use TLS:
  - For any inbound communication to IBM App Connect Enterprise, the sending application must also be updated.
  - For any outbound communication from IBM App Connect Enterprise, the receiving application must also be updated.
- It is strongly recommended that these changes are made to avoid the known security vulnerability in SSLv3. However, if it is not possible to use TLS communication between IBM App Connect Enterprise and external applications, SSLv3 can be re-enabled by using the following commands:
  - Re-enable SSLv3 support for an integration node (applies to all of its integration servers):
    mqsichangeproperties Int_Node -o BrokerRegistry -n allowSSLv3 -v true
  - Re-enable SSLv3 support for a specific integration server:
    mqsichangeproperties Int_Node -e Int_Server -o ComIbmJVMManager -n allowSSLv3 -v true
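To see which integration servers still attempt SSLv3 before choosing between the steps above, the BIP3544E and BIP3135S messages quoted earlier can be counted per server. This is an added example, not IBM code; the log line layout with a `(Node.Server)` prefix, the sample lines, and the function name `triage` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines. The "(Node.Server)" prefix layout is an assumption;
# adjust LINE_RE to match the log format your integration node actually writes.
SAMPLE_LOG = [
    "Jan 10 09:14:02 host1 ACE[4121]: (Int_Node.Int_Server) BIP3544E: Failed to create "
    "an SSL connection to the remote host. Reason "
    "'java.security.NoSuchAlgorithmException: SSLv3 SSLContext not available'.",
    "Jan 10 09:14:05 host1 ACE[4121]: (Int_Node.Int_Server) BIP3544E: Failed to create "
    "an SSL connection to the remote host. Reason "
    "'java.net.ConnectException: Connection refused'.",
    "Jan 10 09:15:40 host1 ACE[4388]: (Int_Node.Batch_Server) BIP3135S: An exception "
    "occurred while starting the servlet engine connector. Exception text is HTTP "
    "Listener org.apache.catalina.LifecycleException: Failed to start component.",
    "Jan 10 09:16:00 host1 ACE[4388]: (Int_Node.Batch_Server) BIP9999I: Unrelated "
    "informational message (constructed).",
]

LINE_RE = re.compile(
    r"\((?P<node>[^.()\s]+)\.(?P<server>[^()\s]+)\)\s+"
    r"(?P<code>BIP\d{4}[A-Z]):\s*(?P<text>.*)"
)


def triage(lines):
    """Count SSLv3-related failures per (integration node, integration server)."""
    findings = defaultdict(lambda: {"confirmed": 0, "review": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["node"], m["server"])
        if m["code"] == "BIP3544E" and "SSLv3" in m["text"]:
            # The reason text names SSLv3: this connection needs migrating to TLS.
            findings[key]["confirmed"] += 1
        elif m["code"] == "BIP3135S":
            # The message does not name the protocol, so the listener's SSL
            # settings have to be checked by hand.
            findings[key]["review"] += 1
        # BIP3544E with any other reason is a different failure and is ignored.
    return dict(findings)


if __name__ == "__main__":
    for (node, server), counts in sorted(triage(SAMPLE_LOG).items()):
        print(f"{node}/{server}: {counts['confirmed']} confirmed SSLv3 failure(s), "
              f"{counts['review']} listener failure(s) to review")
```

Servers with confirmed counts are the ones whose remote peers must also be moved to TLS, as the note in the first step requires.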