Configuring TLS 1.3 on IBM WebSphere Liberty

You can configure the TLS 1.3 protocol for QMF for WebSphere® on IBM WebSphere Liberty.

Before you begin

  • Ensure you have the keystore and truststore files generated.
  • Ensure you have the passwords for the keystore and truststore files.

For more information on how to create a keystore file, see Securing communications with Liberty.

About this task

Perform the following steps to configure QMF for WebSphere on IBM WebSphere Liberty:

Procedure

  1. Navigate to the path_to_liberty/wlp/usr/servers/{server_name} folder.
  2. Open the server.xml file using a text editor.
  3. Add the following line inside the <featureManager>...</featureManager> element to enable the TLS feature on Liberty: <feature>transportSecurity-1.0</feature>.
  4. Add the following configuration after the closing tag </featureManager>:
        <!-- Define SSL configuration -->
        <sslDefault sslRef="defaultSSLConfig"/>

        <!-- sslProtocol and trustStoreRef are attributes of <ssl>, not <sslDefault> -->
        <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.3"/>

        <keyStore id="defaultKeyStore" location="key.p12" type="PKCS12"/>
        <keyStore id="defaultTrustStore" location="truststore.p12" type="PKCS12" password="{TrustStorePassword}"/>

        <!-- Disable tracking dropin folder -->
        <applicationMonitor dropinsEnabled="false"/>

        <!-- Disable tracking application file for update. Application is updated only during server start -->
        <applicationMonitor updateTrigger="disabled"/>

        <!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
        <httpEndpoint id="defaultHttpEndpoint"
                      host="*"
                      httpPort="8040"
                      httpsPort="8448" />
    
    You do not need to add a keystore password here because it is saved in the server.env file, which the server picks up automatically when it starts. To set up the truststore, replace {TrustStorePassword} with the password for the truststore you have generated.
    Note: The HTTP port is enabled at 8040 and the HTTPS port is enabled at 8448. You can change these port values when required.
  5. Configure User Access Registry or LDAP, based on your requirements, for access to QMF applications, and use the <webApplication> tag to deploy them.
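A pre-start check for the step 4 settings, as an added example that is not part of the IBM documentation: it parses a server.xml and reports whether the feature is enabled, whether the protocol and store references sit on the <ssl> element that <sslDefault> points to, and whether a keystore password is stored in clear text. The function name audit_tls and the sample document are constructed for illustration, and the check assumes everything is in one file (no <include> elements).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the step 4 elements inside a <server> root, with the
# protocol and truststore reference on <ssl> and a made-up clear-text password.
SAMPLE = """<server>
  <featureManager><feature>transportSecurity-1.0</feature></featureManager>
  <sslDefault sslRef="defaultSSLConfig"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
       trustStoreRef="defaultTrustStore" sslProtocol="TLSv1.3"/>
  <keyStore id="defaultKeyStore" location="key.p12" type="PKCS12"/>
  <keyStore id="defaultTrustStore" location="truststore.p12" type="PKCS12"
            password="constructed-secret"/>
</server>"""

def audit_tls(server_xml, required="TLSv1.3"):
    """Return a list of findings about the default SSL configuration."""
    root = ET.fromstring(server_xml)
    findings = []
    features = {(f.text or "").strip().lower() for f in root.iter("feature")}
    if "transportsecurity-1.0" not in features:
        findings.append("feature transportSecurity-1.0 is not enabled")
    default = root.find("sslDefault")
    ssl_id = "defaultSSLConfig"  # Liberty's default when sslRef is absent
    if default is not None:
        ssl_id = default.get("sslRef", ssl_id)
        for attr in ("sslProtocol", "trustStoreRef", "keyStoreRef"):
            if attr in default.attrib:  # these are <ssl> attributes
                findings.append(f"{attr} is set on <sslDefault>, move it to <ssl>")
    stores = {k.get("id"): k for k in root.iter("keyStore")}
    ssl = next((s for s in root.iter("ssl") if s.get("id") == ssl_id), None)
    if ssl is None:
        findings.append(f"no <ssl id='{ssl_id}'> element")
    else:
        if ssl.get("sslProtocol") != required:
            findings.append(f"sslProtocol is {ssl.get('sslProtocol')}, expected {required}")
        for attr in ("keyStoreRef", "trustStoreRef"):
            ref = ssl.get(attr)
            if ref and ref not in stores:
                findings.append(f"{attr} '{ref}' matches no <keyStore>")
    for store_id, store in stores.items():
        pw = store.get("password", "")
        # Encoded values start with {xor} or {aes}; ${...} is a variable.
        if pw and not pw.lower().startswith(("{xor}", "{aes}", "${")):
            findings.append(f"keyStore '{store_id}' password is in clear text")
    return findings

if __name__ == "__main__":
    for finding in audit_tls(SAMPLE):
        print("FINDING:", finding)
```

A clear-text finding can be cleared by encoding the value with Liberty's securityUtility encode command or by supplying it through a variable.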