Configuring the TLS V1.3 security protocol

The following procedures enable you to configure the TLS V1.3 security protocol for IBM Workload Scheduler. If you want to configure your environment with the TLS V1.3 protocol, it is recommended to use a 4k-length certificate.

Note: TLS V1.3 security protocol support is available from IBM® Workload Scheduler version 10.1 FP4 onwards.
The TLS V1.3 security protocol can be configured manually on every component.

The configuration of the TLS V1.3 security protocol can only be set using custom certificates with RSA keys of at least 2K.

Dynamic agents

To enable the TLS V1.3 security protocol for dynamic agents, you must open the <TWSDATA>/ITA/cpa/ita/ita.ini file and go to the ITA SSL section. There, set the protocol by modifying the following keywords:
Enabling the TLS V1.3 security protocol exclusively
ssl_version= TLSv1.3
ssl_ciphers=
Enabling the TLS V1.2 and TLS V1.3 security protocols
ssl_version= atleast.TLSv1.2
ssl_ciphers=
where:
ssl_version
Specify the SSL version to be used. Supported values are:
  • atleast.TLSv1.0
  • atleast.TLSv1.1
  • atleast.TLSv1.2
  • atleast.TLSv1.3
where you specify the minimum version of the TLS protocol to be used. In this case, IBM Workload Scheduler uses the specified version of the protocol or a higher version, if supported.
  • max.TLSv1.0
  • max.TLSv1.1
  • max.TLSv1.2
  • max.TLSv1.3
where you specify the maximum version of the TLS protocol to be used. In this case, IBM Workload Scheduler uses the specified version of the protocol or a lower version.
  • TLSv1.0
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3
where you specify the exact version of the TLS protocol to be used. In this case, IBM Workload Scheduler uses the specified version of the protocol.
ssl_ciphers
Define the ciphers that the workstation supports during an SSL connection.
If you want to use an OpenSSL cipher class, use the following command to find out the list of available classes:
openssl ciphers 

For a full list of supported ciphers, see SSL Ciphers and OpenSSL.

Note: The dynamic agents must be restarted after the modifications are completed.
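
The following Python script is an added example, not IBM code: it expands an ssl_version value from the ITA SSL section into the protocol versions it permits, following the atleast., max. and exact-version rules described above, and reports settings that leave versions below TLS V1.2 enabled or TLS V1.3 disabled. The sample ita.ini text, the function names, the TLS V1.2 floor, and the use of TLSv1.0 and TLSv1.3 as the ends of the range are assumptions of the example.

```python
import configparser

# TLS versions named on this page, oldest first (assumed to be the full range).
VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed sample of the ITA SSL section, not taken from a real agent.
SAMPLE = """\
[ITA SSL]
ssl_version= max.TLSv1.2
ssl_ciphers=
"""


def allowed_versions(value):
    """Expand an ssl_version value into the TLS versions it permits."""
    value = value.strip()
    mode, version = "", value
    for prefix in ("atleast.", "max."):
        if value.startswith(prefix):
            mode, version = prefix, value[len(prefix):]
    if version not in VERSIONS:
        raise ValueError(f"unsupported ssl_version value: {value!r}")
    i = VERSIONS.index(version)
    if mode == "atleast.":
        return VERSIONS[i:]       # this version or higher
    if mode == "max.":
        return VERSIONS[:i + 1]   # this version or lower
    return [version]              # exact version only


def audit_ita_ini(text, floor="TLSv1.2"):
    """Return (allowed versions, findings) for the ITA SSL section."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    if not cp.has_option("ITA SSL", "ssl_version"):
        return [], ["ssl_version is not set in the ITA SSL section"]
    allowed = allowed_versions(cp.get("ITA SSL", "ssl_version"))
    findings = []
    weak = [v for v in allowed if VERSIONS.index(v) < VERSIONS.index(floor)]
    if weak:
        findings.append("permits " + ", ".join(weak))
    if "TLSv1.3" not in allowed:
        findings.append("TLSv1.3 is not enabled")
    return allowed, findings


if __name__ == "__main__":
    print(audit_ita_ini(SAMPLE))
```

With the constructed sample, max.TLSv1.2 is reported twice: it permits TLSv1.0 and TLSv1.1, and it never negotiates TLSv1.3.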

WebSphere Application Server Liberty Base

The following procedures must be repeated for every IBM Workload Scheduler component in the environment that has WebSphere Application Server Liberty Base installed.

To enable the TLS V1.3 security protocol for WebSphere Application Server Liberty Base you must copy the <TWA_INSTALL_FOLDER>/usr/servers/engineServer/configDropins/defaults/ssl_config.xml file and paste it in the following folders:
  • <TWA_INSTALL_FOLDER>/usr/servers/engineServer/configDropins/overrides
  • <DWC_INSTALL_FOLDER>/usr/servers/dwcServer/configDropins/overrides
You must then edit the ssl_config.xml file:
Enabling the TLS V1.3 security protocol exclusively
sslProtocol="TLSv1.3"
Enabling the TLS V1.2 and TLS V1.3 security protocols
sslProtocol="TLSv1.2,TLSv1.3" 
No spaces can be used before or after the comma.
Note: WebSphere Application Server Liberty Base must be restarted after the modifications are completed.

Native components and fault-tolerant agents

The following procedures must be repeated for every native component and fault-tolerant agent in the IBM Workload Scheduler environment.

To enable the TLS V1.3 security protocol for native components and fault-tolerant agents, you must open the <TWSDATA>/localopts file. Choose the procedure that applies to the kind of certificates you are using:
OpenSSL
Enabling the TLS V1.3 security protocol exclusively
Set the ssl version keyword as follows:
ssl version = TLSv1.3
Note: The native components and fault-tolerant agents must be restarted after the modifications are completed.