Configuring TLS 1.2 between DCM and MQTT

You can configure TLS 1.2 between the Distributed Cache Manager (DCM) and the Message Queuing Telemetry Transport (MQTT) broker in IBM® Engineering Lifecycle Management applications so that the counter data DCM publishes is encrypted in transit and DCM verifies the broker it connects to, rather than using the plaintext TCP connection.

Procedure

  1. Configure the MQTT broker to accept secure connections; see Configuring security for an endpoint for instructions.
  2. Import the certificate that the broker presents on its secure endpoint into the client_keystore.jks of DCM, so that DCM trusts that endpoint.
  3. Add the following Java system properties to the distributedCache.start.bat file so that the IBM JSSE2 provider uses TLS 1.2 as its default protocol:

    -Dcom.ibm.jsse2.overrideDefaultTLS=true

    -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12

  4. Use the ssl:// scheme instead of tcp:// in the MQTT broker address URL, and point it at the port of the secure endpoint that you configured in step 1 (8883 in this example). Modify the distributedCache.cfg file as follows:
    [Counters]
    ...
    # MQTT Broker to use for publishing counter information
    broker = $E{MONITOR_MQTTBROKER,ssl://9.30.68.214:8883}
  5. Set includeProtocols and excludeProtocols in the distributedCache.cfg file so that TLSv1.2 is the only protocol that can be negotiated; allowRenegotiate = false additionally rejects renegotiation requests on the established connection:
    [REST-SslContextFactory]
    keyStorePath = client_keystore.jks
    keyStorePassword* = {HRAaRQoT}
    excludeProtocols = SSLv3, TLSv1.1, TLSv1
    includeProtocols = TLSv1.2
    allowRenegotiate = false
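
The following Python script is an added example and is not part of the IBM documentation or of the DCM code. It parses the distributedCache.cfg settings that steps 4 and 5 change, resolves the $E{NAME,default} override syntax seen on the broker line (assumption: the named environment variable wins when it is set, otherwise the default applies), and reports anything that still allows a plaintext broker URL, a protocol older than TLS 1.2, or renegotiation. It also includes a probe that pins a single TLS version so you can confirm that the broker from step 1 refuses TLS 1.0 and 1.1 and accepts TLS 1.2. Both sample configurations are constructed for the example; the address and port in them are the page's own example values.

```python
"""Added example (not IBM documentation or DCM code): lint the TLS settings
in distributedCache.cfg and probe the broker for the TLS versions it accepts."""
import os
import re
import socket
import ssl
from urllib.parse import urlsplit

# Resolves the $E{NAME,default} override syntax used on the broker line.
# Assumption: the named environment variable wins when set, else the default.
_ENV_REF = re.compile(r"\$E\{([A-Za-z_][A-Za-z0-9_]*),([^}]*)\}")

# Constructed sample: the hardened configuration from the procedure.
HARDENED_CFG = """\
[Counters]
# MQTT Broker to use for publishing counter information
broker = $E{MONITOR_MQTTBROKER,ssl://9.30.68.214:8883}

[REST-SslContextFactory]
keyStorePath = client_keystore.jks
keyStorePassword* = {HRAaRQoT}
excludeProtocols = SSLv3, TLSv1.1, TLSv1
includeProtocols = TLSv1.2
allowRenegotiate = false
"""

# Constructed sample: a pre-hardening configuration (plaintext broker URL,
# TLS 1.1 still negotiable, renegotiation allowed).
WEAK_CFG = """\
[Counters]
broker = $E{MONITOR_MQTTBROKER,tcp://9.30.68.214:1883}

[REST-SslContextFactory]
keyStorePath = client_keystore.jks
keyStorePassword* = {HRAaRQoT}
excludeProtocols = SSLv3
includeProtocols = TLSv1.2, TLSv1.1
allowRenegotiate = true
"""


def parse_cfg(text, env=None):
    """Parse the INI-like file into {section: {key: value}}. A trailing '*'
    on a key (keyStorePassword*) is stripped so callers use the plain name."""
    env = os.environ if env is None else env
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            value = _ENV_REF.sub(lambda m: env.get(m.group(1), m.group(2)), value)
            sections[current][key.rstrip("*")] = value
    return sections


def _csv(value):
    return {item.strip() for item in value.split(",") if item.strip()}


def check_tls(cfg):
    """Return findings; an empty list means the file matches the procedure
    (ssl:// broker URL with a port, TLSv1.2 alone, renegotiation disabled)."""
    findings = []
    url = urlsplit(cfg.get("Counters", {}).get("broker", ""))
    if url.scheme != "ssl":
        findings.append(f"broker URL scheme is '{url.scheme}', expected 'ssl'")
    elif url.port is None:
        findings.append("broker URL has no port; use the broker's TLS listener port")

    tls = cfg.get("REST-SslContextFactory", {})
    include = _csv(tls.get("includeProtocols", ""))
    if include != {"TLSv1.2"}:
        findings.append(f"includeProtocols is {sorted(include)}, expected ['TLSv1.2']")
    missing = {"SSLv3", "TLSv1", "TLSv1.1"} - _csv(tls.get("excludeProtocols", ""))
    if missing:
        findings.append(f"excludeProtocols does not list {sorted(missing)}")
    if tls.get("allowRenegotiate", "true").strip().lower() != "false":
        findings.append("allowRenegotiate must be false")
    if not tls.get("keyStorePath"):
        findings.append("keyStorePath is unset; DCM needs the store holding the broker certificate")
    return findings


def probe(host, port, version, timeout=5.0):
    """Handshake with one pinned TLS version (an ssl.TLSVersion member) and
    report whether the broker accepted it. After step 1, TLSv1 and TLSv1_1
    should return False and TLSv1_2 True. Certificate checks are disabled
    because this tests the broker's protocol policy only, not trust."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as conn:
                return conn.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False
```

Run check_tls(parse_cfg(open("distributedCache.cfg").read())) on the live file after step 5; the environment override matters here because a MONITOR_MQTTBROKER variable set to a tcp:// address silently undoes step 4, which is why the checker resolves it the same way. Note that the broker in the page is addressed by IP, so if your MQTT client verifies the hostname, the certificate imported in step 2 must carry that address in its subject alternative names.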