Configuring WebSphere Liberty to support TLS 1.2 for NIST SP 800-131

To comply with the US government SP 800-131 security standard, you can configure the WebSphere Liberty server that hosts IBM® Engineering Lifecycle Management applications to support the Transport Layer Security (TLS) 1.2 protocol.

About this task

Complete the following procedure to configure the WebSphere Liberty server that hosts IBM Engineering Lifecycle Management applications to support the Transport Layer Security (TLS) 1.2 protocol.

Procedure

  1. Go to JazzInstallDir/server and open the server.startup (server.startup.bat on Windows) file for editing.
  2. In the file, find the following line and delete it:
    For Windows operating systems
    set JAVA_OPTS=%JAVA_OPTS% -Djazz.connector.sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    For UNIX operating systems
    JAVA_OPTS="$JAVA_OPTS -Djazz.connector.sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2"
  3. Add the following lines:
    For UNIX operating systems
    JAVA_OPTS="$JAVA_OPTS -Djazz.connector.sslEnabledProtocols=TLSv1.2"
    JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2"
    JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.sp800-131=strict"
    JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.rational.rpe.tls12only=true"
    JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.overrideDefaultTLS=true"
    For Windows operating systems
    set JAVA_OPTS=%JAVA_OPTS% -Djazz.connector.sslEnabledProtocols=TLSv1.2
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.sp800-131=strict
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.rational.rpe.tls12only=true
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.overrideDefaultTLS=true
    Note: The com.ibm.jsse2.overrideDefaultTLS property is needed if you are using Java version 8.0.7.0 or later.
  4. Save and close the file.
  5. Go to JazzInstallDir/server/liberty/servers/clm and open the server.xml file for editing.
    Note: The server must be started at least one time for the clm directory to be generated.
  6. In the <ssl id="defaultSSLConfig" ...> element, set the sslProtocol attribute to sslProtocol="TLSv1.2".
  7. Save and close the file.
  8. Restart the ELM servers for the changes to take effect.
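
The following script is an added example, not part of the IBM procedure or product. It audits the two files edited above and reports any step that was missed. The function name check_tls12 is hypothetical, and treating all five options from step 3 as required is an assumption.

```shell
#!/bin/sh
# Added example (not IBM code): audit the two files edited in the procedure.
# Usage: sh check_tls12.sh <server.startup or server.startup.bat> <server.xml>

# The five options from step 3; all are treated as required here (assumption).
REQUIRED_OPTS='-Djazz.connector.sslEnabledProtocols=TLSv1.2
-Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2
-Dcom.ibm.jsse2.sp800-131=strict
-Dcom.ibm.rational.rpe.tls12only=true
-Dcom.ibm.jsse2.overrideDefaultTLS=true'

check_tls12() {
    startup=$1; serverxml=$2; rc=0

    # Ignore commented-out lines (# in sh, rem or :: in .bat).
    active=$(grep -Evi '^[[:space:]]*(#|rem[[:space:]]|::)' "$startup" || true)

    for opt in $REQUIRED_OPTS; do
        printf '%s\n' "$active" | grep -Fq -- "$opt" ||
            { echo "FAIL: $opt not set in $startup"; rc=1; }
    done

    # Step 2: no protocol other than TLSv1.2 may remain in the enabled list.
    protos=$(printf '%s\n' "$active" |
        sed -n 's/.*-Djazz\.connector\.sslEnabledProtocols="\{0,1\}\([A-Za-z0-9.,]*\).*/\1/p' |
        tr ',' '\n')
    for p in $protos; do
        [ "$p" = "TLSv1.2" ] || { echo "FAIL: $startup still enables $p"; rc=1; }
    done

    # Step 6: flatten server.xml so a multi-line <ssl> element is matched whole.
    ssl=$(tr '\n' ' ' < "$serverxml" |
        grep -o '<ssl[[:space:]][^>]*id="defaultSSLConfig"[^>]*>' || true)
    case $ssl in
        '') echo "FAIL: no <ssl id=\"defaultSSLConfig\"> in $serverxml"; rc=1 ;;
        *'sslProtocol="TLSv1.2"'*) ;;
        *) echo "FAIL: defaultSSLConfig sslProtocol is not TLSv1.2"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "PASS: TLS 1.2 settings present"
    return "$rc"
}

# Run only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then check_tls12 "$1" "$2"; fi
```

The script reads the files only. It does not confirm what a running server negotiates, so a handshake test against the restarted server is still needed.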