For Web GUI component. Resolved from Web GUI fix pack 1. IBM Tivoli Netcool/OMNIbus, Version 7.4

Enforcing the use of TLS 1.2 protocols and upgrading certificates

Enable the TLS 1.2 protocol on the application server, and then convert the existing keystore certificates to the key sizes and signature algorithms that SP800-131 compliance requires. This task is optional for transition mode, but required for strict mode.

Procedure

  1. Log in to the administrative console and click Security > SSL certificate and key management and then, under Configuration settings, click Manage FIPS.
  2. Select Update SSL configurations to require TLSv1.2. Then click OK and save the changes.
  3. Edit the TIP_HOME/java/jre/lib/security/java.security file as follows:
    1. Comment out IBMJCEFIPS, which is the first provider.
    2. Renumber the remaining providers in the file, so that the numbering starts with the first uncommented provider.
    3. Restart the Tivoli Integrated Portal server.
  4. Log in to the administrative console and click Security > SSL certificate and key management > SSL Configurations.
  5. Select an SSL configuration from the collection panel. Then, under Related Items, select Quality of protection (QoP).
  6. Select TLSv1.2 from the Protocol list and then click Apply/Save.
    Tip: To change the SSL protocol by scripting, you can also use the modifySSLConfig task.
  7. To replace certificates, use one of the following methods. Certificates must have a minimum key size of 2048 bits (244 for an Elliptic Curve certificate) and must be signed with SHA256, SHA384, or SHA512. You can create new certificates on the console and replace the old ones, or import certificates that meet the requirements of the standard.
    • Use the Convert Certificate panel. This panel converts all certificates to meet the specified standard.
    • Use the personal certificate panels to create new certificates and replace a certificate that does not meet the requirements.
    • Use the personal certificate panels to import certificates and replace the certificate that does not meet the requirements. Some certificates come from external sources such as a certificate authority (CA).
    For more information about how to replace certificates, search for "replace certificates" on the following page: http://pic.dhe.ibm.com/infocenter/wasinfo/v8r0/index.jsp?topic=%2Fcom.ibm.websphere.express.doc%2Finfo%2Fexp%2Fae%2Ftsec_transition_sp300.html.
  8. Edit the TIP_HOME/profiles/TIPProfile/properties/ssl.client.props file as follows:
    • Leave the following line in place: com.ibm.websphere.security.useFIPS=true
    • After that line, add the following line if it does not already exist: com.ibm.websphere.security.FIPSLevel=transition
    • Change the com.ibm.ssl.protocol property as follows: com.ibm.ssl.protocol=TLSv1.2
    • Change the com.ibm.ssl.enableSignerExchangePrompt property as follows: com.ibm.ssl.enableSignerExchangePrompt=true
  9. Stop and then restart the Tivoli Integrated Portal server. When you are prompted to add the new signer to the Tivoli Integrated Portal truststore, click Yes.

    For Windows operating system: Do not use Windows services to stop the server, because you are not prompted to add the new signer.

    If the stopServer process fails, use a kill command to stop Tivoli Integrated Portal manually.
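The file edits in steps 3 and 8, as an added example that is not part of the IBM documentation: a Python script that comments out IBMJCEFIPS and renumbers the remaining providers in java.security, sets the four ssl.client.props values, and reports any that still differ. The file contents below are constructed samples, and the function names are this example's own, not a product API.

```python
# Constructed samples standing in for the real files (not taken from any install).
SAMPLE_JAVA_SECURITY = """\
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
"""
SAMPLE_SSL_CLIENT_PROPS = """\
com.ibm.websphere.security.useFIPS=true
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.enableSignerExchangePrompt=false
"""
REQUIRED_PROPS = {  # step 8: the values ssl.client.props must end up with
    "com.ibm.websphere.security.useFIPS": "true",
    "com.ibm.websphere.security.FIPSLevel": "transition",
    "com.ibm.ssl.protocol": "TLSv1.2",
    "com.ibm.ssl.enableSignerExchangePrompt": "true",
}

def disable_fips_provider(java_security: str) -> str:
    """Step 3: comment out IBMJCEFIPS and renumber the remaining providers from 1."""
    out, n = [], 0
    for line in java_security.splitlines():
        if line.startswith("security.provider.") and "=" in line:
            if "IBMJCEFIPS" in line:
                line = "#" + line  # keep the entry, but disabled
            else:
                n += 1  # numbering restarts at the first provider left uncommented
                line = f"security.provider.{n}={line.split('=', 1)[1]}"
        out.append(line)
    return "\n".join(out) + "\n"

def check_ssl_client_props(props: str) -> list:
    """Return required keys that are missing or differ; comments ignored, last value wins."""
    current = {}
    for line in props.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sorted(k for k, v in REQUIRED_PROPS.items() if current.get(k) != v)

def update_ssl_client_props(props: str) -> str:
    """Rewrite required keys already present, then append any still reported missing."""
    lines = props.splitlines()
    for i, line in enumerate(lines):
        key = line.split("=", 1)[0].strip()
        if key in REQUIRED_PROPS:
            lines[i] = f"{key}={REQUIRED_PROPS[key]}"
    fixed = "\n".join(lines) + "\n"
    return fixed + "".join(f"{k}={REQUIRED_PROPS[k]}\n" for k in check_ssl_client_props(fixed))
```

Running check_ssl_client_props against the real ssl.client.props after step 8 confirms that nothing was missed before the restart in step 9.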