Enabling TLS 1.3 support

Functionality delivered in fix pack 32

Learn how to enable TLS 1.3 communications.

About this task

The new version of GSKit supports TLS 1.3 communication, but, to allow compatibility with older certificates, it is not enabled by default in Tivoli Netcool/OMNIbus. To enable TLS 1.3 communication, the tls13_enable property must be set in the sslciphers.conf file.

Procedure

  1. If the sslciphers.conf file does not exist, create it in the location for your operating system.
    • Linux: $NCHOME/etc/security/sslciphers.conf
    • Windows: %NCHOME%\ini\security\sslciphers.conf
  2. Open the sslciphers.conf file.
  3. Within the sslciphers.conf file, set the tls13_enable property to TRUE.
Note:

When TLS 1.3 communications are enabled, the key size for certificates must be 2048 or greater. Also, do not use the SHA1 signature algorithm for the certificates.

To inspect existing certificates and verify that they have an acceptable key size and signature algorithm, use the nc_gskcmd command with the -cert and -details options. For more information, see nc_gskcmd command-line options. Alternatively, view the details with iKeyman. For more information, see Viewing certificate details.
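
The following added example (not part of the product documentation) applies the two rules from the note to saved certificate detail text. The "Key Size" and "Signature Algorithm" field names and both sample listings are constructed assumptions about the detail output; adjust them to match what your tool prints.

```python
import re

MIN_KEY_BITS = 2048  # from the note: key size must be 2048 or greater

# Constructed samples of certificate detail text. The "Key Size" and
# "Signature Algorithm" field names are assumptions; adjust to your output.
SAMPLE_OK = """\
Label : server-a
Key Size : 2048
Fingerprint : SHA1 : 00:11:22:33
Signature Algorithm : SHA256WithRSASignature
"""

SAMPLE_WEAK = """\
Label : server-b
Key Size : 1024
Fingerprint : SHA1 : 44:55:66:77
Signature Algorithm : SHA1WithRSASignature
"""

def parse_details(text):
    """Split 'Name : value' lines into a dict keyed by lower-cased name."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields

def tls13_problems(text):
    """Return the reasons a certificate fails the TLS 1.3 note (empty if none)."""
    fields = parse_details(text)
    problems = []
    m = re.match(r"\d+", fields.get("key size", ""))
    if not m:
        problems.append("key size not found")
    elif int(m.group()) < MIN_KEY_BITS:
        problems.append(f"key size {m.group()} is below {MIN_KEY_BITS}")
    sig = fields.get("signature algorithm")
    if sig is None:
        problems.append("signature algorithm not found")
    # Only the signature field is tested: a SHA1 fingerprint line is a
    # display digest, not the algorithm the certificate was signed with.
    elif re.search(r"sha-?1(?!\d)", sig, re.IGNORECASE):
        problems.append(f"SHA1 signature algorithm: {sig}")
    return problems
```

A missing field is reported as a problem rather than treated as a pass, so a listing in an unexpected format is not silently accepted.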