Configuring IBM WebSphere Liberty to support TLS 1.2 for NIST SP 800-131

To comply with the US government SP 800-131 security standard, you can configure the IBM IBM WebSphere Liberty server that hosts IBM Engineering Lifecycle Management applications to support the Transport Layer Security (TLS) 1.2 protocol.

1. Go to JazzInstallDir/server and open the server.startup (server.startup.bat on Windows) file for editing.
2. In the file, find the line set JAVA_OPTS=%JAVA_OPTS% -Djazz.connector.sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" on Windows platforms or JAVA_OPTS="$JAVA_OPTS -Djazz.connector.sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2" on UNIX systems and delete it.
3. Add the following lines:
   

   JAVA_OPTS="$JAVA_OPTS -Djazz.connector.sslEnabledProtocols=TLSv1.2"
    JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2"
    JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.sp800-131=strict"
    JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.rational.rpe.tls12only=true"
    JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.overrideDefaultTLS=true

   

   set JAVA_OPTS=%JAVA_OPTS% -Djazz.connector.sslEnabledProtocols=TLSv1.2
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.sp800-131=strict
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.rational.rpe.tls12only=true
    set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.overrideDefaultTLS=true

   Note: You need to add the jsse2.overrideDefaultTLS property if you are using Java version 8.0.7.0 or later.
4. Save and close the file.
5. Go to JazzInstallDir/server/liberty/servers/clm and open the server.xml file for editing.
   Note: The server must be started at least one time for the clm directory to be generated.
6. In the <ssl id="defaultSSLConfig" section change the attribute sslProtocol to sslProtocol="TLSv1.2".
7. Save and close the file.
8. Restart the Engineering Lifecycle Management servers for changes to take effect.