IBM Support

How to enforce WebSphere Application Server to use only TLSv1.2

How To


Summary

Steps to enforce the WebSphere Application Server to use TLSv1.2 and not a lower TLS version

Objective

Enforce the WebSphere Application Server to use TLSv1.2

Steps

1. Log in to Dashboard Application Services Hub by entering the following URL in a browser:
https://<host>:<port>/ibm/console/logon.jsp
where <host> is the host name of the Dashboard Application Services Hub server and <port> is the port number. The default port number is 16311.
  • Click Console Settings > WebSphere Administrative Console.
  • Click Launch WebSphere Administrative Console.
  • Click Security > SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
  • In the Protocol field, select TLSv1.2.
  • Click Apply.
  • Click Save.
2. Edit the <JAZZ_Profile_Home>/properties/ssl.client.props file, where JAZZ_Profile_Home is /opt/IBM/JazzSM/profile by default.
Set the com.ibm.ssl.protocol property to TLSv1.2. For example:
com.ibm.ssl.protocol=TLSv1.2
3. If you are running WebSphere Application Server 8.5.5.14, apply the test fix for APAR PI98768 - URL, or apply fix pack 15.
4. Set the jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms properties (APAR PI54960: provide property to set Java security algorithm-related properties).
(See https://www.ibm.com/support/pages/pi54960provide-property-set-java-security-algorithm-related-properties)
 
To set a security custom property, perform the following steps:
  • Log in to Dashboard Application Services Hub by entering the following URL:
    https://<host>:<port>/ibm/console/logon.jsp
    where <host> is the host name of the Dashboard Application Services Hub server and <port> is the port number. The default port number is 16311.
  • Click Console Settings > WebSphere Administrative Console.
  • Click Launch WebSphere Administrative Console.
  • Click Security > Global security > Custom properties.
  • Click New. In the Name box, enter com.ibm.websphere.tls.disabledAlgorithms or com.ibm.websphere.certpath.disabledAlgorithms.
  • In the Value box, enter either a comma-separated list of algorithms, or none if you do not want WebSphere to set the Java security properties.
  • Click Apply, then Save the changes.

The server must be restarted for the properties to take effect.
To test whether the server still accepts a lower version of TLS, use the openssl tool with TLSv1.2 disabled on the client side:
openssl s_client -connect washost:port -no_tls1_2
With the server restricted to TLSv1.2, this handshake is refused; a completed handshake means a lower TLS version is still accepted.

To find the ports used by the WebSphere Application Server process, run the following, where WASPID is the process ID of the server JVM:
netstat -tulpn | grep WASPID
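The following script is an added example written for this article; it is not IBM's code and is not part of the product. It checks the two things the procedure changes: that ssl.client.props pins com.ibm.ssl.protocol to exactly TLSv1.2, and that the server refuses handshakes forced to TLS 1.0 and TLS 1.1. Forcing a version is stricter than the -no_tls1_2 check above, because -no_tls1_2 leaves TLS 1.3 enabled on the client side and a TLS 1.3-capable endpoint would still complete the handshake. It assumes openssl is on PATH; the host and port are placeholders for your own WebSphere server, and nothing is contacted unless you pass them. The PROPS_FILE default is the JazzSM profile path named in step 2.

```shell
#!/bin/sh
# Added example for this article; not IBM's code. Checks the client-side
# protocol setting and whether the server still accepts TLS 1.0/1.1.
# Assumptions: openssl on PATH; HOST/PORT are placeholders for your server.

# Default path from the article (JAZZ_Profile_Home = /opt/IBM/JazzSM/profile).
PROPS_FILE=${PROPS_FILE:-/opt/IBM/JazzSM/profile/properties/ssl.client.props}

# client_protocol FILE
# Prints the effective com.ibm.ssl.protocol value. Java properties take the
# last assignment, so the last matching line wins; prints nothing if absent.
client_protocol() {
    sed -n 's/^[[:space:]]*com\.ibm\.ssl\.protocol[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# check_client_props FILE
# Returns 0 only when the client protocol is pinned to exactly TLSv1.2
# (a range value such as SSL_TLSv2 still permits older protocol versions).
check_client_props() {
    [ "$(client_protocol "$1")" = "TLSv1.2" ]
}

# handshake_succeeded OUTPUT
# Reads captured openssl s_client output. A completed handshake prints a real
# cipher ("New, TLSv1, Cipher is ECDHE-RSA-AES128-SHA"); a refused one prints
# "Cipher is (NONE)" or no Cipher line at all.
handshake_succeeded() {
    printf '%s\n' "$1" | grep -q 'Cipher is [^(]'
}

# probe_legacy_tls HOST PORT
# Forces TLS 1.0 and TLS 1.1 handshakes against the server. Returns 0 when
# both are refused; 1 if either is accepted.
# Caveat: an OpenSSL built without legacy protocols rejects -tls1/-tls1_1 as
# unknown options, which this reads as "refused"; inspect the message if so.
probe_legacy_tls() {
    host=$1; port=$2; bad=0
    for flag in -tls1 -tls1_1; do
        out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" "$flag" 2>&1) || true
        if handshake_succeeded "$out"; then
            echo "WARN: $host:$port accepted a handshake with $flag"
            bad=1
        else
            echo "OK: $host:$port refused $flag"
        fi
    done
    return $bad
}

# Run directly as:  sh tls_check.sh <host> <port>
if [ $# -eq 2 ]; then
    if check_client_props "$PROPS_FILE"; then
        echo "OK: $PROPS_FILE pins com.ibm.ssl.protocol to TLSv1.2"
    else
        echo "WARN: $PROPS_FILE does not pin com.ibm.ssl.protocol to TLSv1.2"
    fi
    probe_legacy_tls "$1" "$2"
fi
```

Run it after the server restart from step 4; a WARN line from probe_legacy_tls means the QoP protocol setting did not take effect on that endpoint, and a WARN on the properties file means the client side (for example wsadmin) can still negotiate a lower version.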

Document Location

Worldwide

Applies to:
  • Jazz for Service Management, edition 1.1.3.x, all versions (Linux)
  • WebSphere Application Server, edition 8.5.5.x, all versions (Linux)

Document Information

Modified date:
09 January 2020

UID

ibm11169638