Enabling TLS 1.1 and 1.0 for IBM Spectrum® Control ports

To enable TLS 1.1 and 1.0 for IBM Spectrum Control ports, update the java.security file (Alert, Data, Device, and Web server) and the server.config file (Export server).

Before you begin

IBM Spectrum Control ports have TLS 1.1 and 1.0 disabled by default for increased security. Therefore, IBM Spectrum Control will not be able to communicate with resources that do not support TLS 1.2. If you want to upgrade your resources to a version that supports TLS 1.2, contact your vendor. You can also re-enable TLS 1.1 and 1.0 for IBM Spectrum Control ports.

Procedure

  1. Stop all IBM Spectrum Control servers.
  2. Open the installation_dir/jre/conf/security/java.security file.
  3. To enable TLS 1.1 and 1.2 in the Alert, Data, Device, and Web server, remove the "TLSv1.1 ," text from the jdk.tls.disabledAlgorithms line.
    BEFORE:
     jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, TLSv1, TLSv1.1 , EC keySize < 224, anon, NULL 
    AFTER:
     jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, TLSv1, EC keySize < 224, anon, NULL 

    To enable TLS 1.0, 1.1, and 1.2 in the Alert, Data, Device, and Web server, remove the "TLSv1, TLSv1.1 ," text from the jdk.tls.disabledAlgorithms line.

    BEFORE:
     jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, TLSv1, TLSv1.1 , EC keySize < 224, anon, NULL 
    AFTER:
    jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 1024, EC keySize < 224, anon, NULL 
  4. Open the installation_dir/export/conf/server.config file.
  5. To enable only TLS 1.1 in the Export server, change the "secureProtocol" value from "TLSv1_2_method" to "TLSv1_1_method".
    For example:
    "secureProtocol": "TLSv1_1_method"

    To enable only TLS 1.0 in the Export server, change the "secureProtocol" value from "TLSv1_2_method" to "TLSv1_method".

    For example:
    "secureProtocol":  "TLSv1_method"

    To enable TLS 1.0, 1.1, and 1.2 in the Export server, change the "secureProtocol" value from "TLSv1_2_method" to "".

    For example:
    "secureProtocol": ""

    You cannot configure the Export server such that only TLS 1.1 and 1.2 are enabled.

  6. Restart the IBM Spectrum Control servers.