IBM Support

Disabling SSLv3 for Directory Server Web Admin Tool.

Question & Answer


Question

How to disable SSLv3 for Directory Server Web Admin Tool?

Cause

The Directory Server-provided Web Admin Tool (IDSWebApp) is a web application that runs inside the embedded WebSphere Application Server (eWAS) or a full WebSphere Application Server (WAS). Two components of the Web Admin Tool and eWAS/WAS use secure protocols:
A. The https port (typically port 12101) of eWAS/WAS, to which the browser client connects.
B. The Web Admin Tool's ldaps connection to the target SDS/TDS LDAP server.
By default, both of the above use SSLv3 as the secure protocol.

Answer

The procedures below provide the steps needed to disable SSLv3 (by enabling TLSv1) for the Directory Server Web Admin Tool.

There are two components of the Web Admin Tool and eWAS/WAS where SSLv3 can be disabled by explicitly enabling TLSv1.

A. Disabling SSLv3 for eWAS https port:


Note: For a full WebSphere Application Server, refer to:
- http://www-01.ibm.com/support/docview.wss?uid=swg21687173

a. Open a command prompt or a shell and cd into the profile's bin folder of the installed embedded WebSphere Application Server.
For AIX/Linux/Solaris/HP-UX:
  cd <LDAP_Home>/appsrv/profiles/TDSWebAdminProfile/bin

For Windows:
  cd <LDAP_Home>\appsrv\profiles\TDSWebAdminProfile\bin

Where <LDAP_Home> is the Directory Server installation path as below:
For AIX/Solaris/HP-UX: /opt/IBM/ldap/<version>/
For Linux: /opt/ibm/ldap/<version>/
For Windows: C:\Program Files\IBM\LDAP\<version>\
Note: If you have installed SDS/TDS into a custom folder on Windows, then cd into that folder instead.

and <version> is the version of SDS/TDS, such as V6.3.1, V6.3 or V6.2.

b. Make sure the embedded WebSphere Application Server is running:
For AIX/Linux/Solaris/HP-UX:
  ./serverStatus.sh server1

For Windows:
  .\serverStatus.bat server1


If eWAS is running, the command produces output of the following form:
  ...
  ADMU0508I: The Application Server "server1" is STARTED


If "server1" is not STARTED, start it with the following:
For AIX/Linux/Solaris/HP-UX:
  ./startServer.sh server1

For Windows:
  .\startServer.bat server1


c. Start wsadmin:
For AIX/Linux/Solaris/HP-UX:
  ./wsadmin.sh -lang jython

For Windows:
  .\wsadmin.bat -lang jython


d. Get the list of SSL configurations to find the values of "alias" and "scope": run the following wsadmin call at the wsadmin> prompt.
  AdminTask.listSSLConfigs('')


The above wsadmin call returns the following:
  'alias: NodeDefaultSSLSettings managementScope: (cell):DefaultNode:(node):DefaultNode '


The configuration values are therefore:
alias: NodeDefaultSSLSettings
scope: (cell):DefaultNode:(node):DefaultNode

e. Modify the SSL configuration, using the alias and scope found in step d, to change the SSL protocol to TLS (i.e. TLSv1); run the following at the wsadmin> prompt.
  AdminTask.modifySSLConfig('[-alias NodeDefaultSSLSettings -scopeName (cell):DefaultNode:(node):DefaultNode -sslProtocol TLS]')


f. Save the configuration from wsadmin by running the following at the wsadmin> prompt.
  AdminConfig.save()


g. Restart the eWAS profile:
For AIX/Linux/Solaris/HP-UX:
  ./stopServer.sh server1

  ./startServer.sh server1


For Windows:
  .\stopServer.bat server1

  .\startServer.bat server1
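Steps d to f above can be scripted so that the alias and scope are read from the listSSLConfigs output rather than copied by hand. The Jython below is an added example and not part of the IBM technote: parse_ssl_configs, build_modify_args and set_ssl_protocol are helper names chosen here, the entry format is the one shown in step d, and the AdminTask/AdminConfig calls are the ones from steps d to f, which exist only inside a wsadmin -lang jython session.

```python
import re

# One entry per line, in the form the technote shows for listSSLConfigs:
#   alias: NodeDefaultSSLSettings managementScope: (cell):DefaultNode:(node):DefaultNode
_ENTRY_RE = re.compile(r'alias:\s*(\S+)\s+managementScope:\s*(\S+)')

def parse_ssl_configs(output):
    """Return [(alias, scope), ...] from AdminTask.listSSLConfigs('') output.

    wsadmin may hand back one newline-separated string or a list of
    strings depending on version, so both forms are accepted."""
    if not isinstance(output, (list, tuple)):
        output = output.splitlines()
    configs = []
    for entry in output:
        m = _ENTRY_RE.search(entry)
        if m:
            configs.append((m.group(1), m.group(2)))
    return configs

def build_modify_args(alias, scope, protocol='TLS'):
    """Build the bracketed argument string that modifySSLConfig expects (step e)."""
    return '[-alias %s -scopeName %s -sslProtocol %s]' % (alias, scope, protocol)

def set_ssl_protocol(protocol='TLS'):
    """Apply `protocol` to every listed SSL configuration and save (steps d to f).

    Works only inside wsadmin, where AdminTask and AdminConfig are predefined;
    returns the aliases that were modified."""
    changed = []
    for alias, scope in parse_ssl_configs(AdminTask.listSSLConfigs('')):
        AdminTask.modifySSLConfig(build_modify_args(alias, scope, protocol))
        changed.append(alias)
    AdminConfig.save()
    return changed

if __name__ == '__main__':
    try:
        print('modified: %s' % ', '.join(set_ssl_protocol()))
    except NameError:
        # Outside wsadmin the AdminTask object does not exist.
        print('AdminTask not found: run this with wsadmin -lang jython')
```

Run it with wsadmin.sh -lang jython -f <script> (or the .bat equivalent on Windows), then restart server1 as in step g.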

B. Disabling SSLv3 for the Web Admin Tool ldaps protocol when connecting to the target SDS/TDS LDAP server:

a. Connect to the Web Admin Tool via the "Console Admin" login.


b. In the "Console Admin" login, log in as superadmin.


c. Go to "Console Administration -> Manage console properties -> SSL key database" and verify that the SSL key database settings are valid. Refer to the Knowledge Center for additional details on how to set up secure connections between IBM Security Directory Server and the IBM Security Directory Server Web Administration Tool.


d. Enable TLSv1 for the ldaps protocol:

d. i. For Security Directory Server V6.4 or V6.3.1: Go to "Console Administration -> Manage console properties -> Manage security protocol", select the "TLS 1.0" option and click the "OK" button to save the settings. This enables TLS 1.0 (TLSv1) as the secure protocol when the Web Admin Tool connects to the target LDAP server over the ldaps (LDAP secure) port.


d. ii. For Tivoli Directory Server V6.3 or V6.2:
For V6.3: APAR IO16024 provides this enhancement and hence requires fix level 6.3.0.11 or later.

For V6.2: APAR IO15734 provides this enhancement and hence requires fix level 6.2.0.22 or later.

cd into the folder where idswebapp.properties is located:


For AIX/Linux/Solaris/HP-UX:
  cd <LDAP_Home>/appsrv/profiles/TDSWebAdminProfile/installedApps/DefaultNode/IDSWebApp.war.ear/IDSWebApp.war/WEB-INF/classes

For Windows:
  cd <LDAP_Home>\appsrv\profiles\TDSWebAdminProfile\installedApps\DefaultNode\IDSWebApp.war.ear\IDSWebApp.war\WEB-INF\classes

Where <LDAP_Home> is the Directory Server installation path as below:
For AIX/Solaris/HP-UX: /opt/IBM/ldap/<version>/
For Linux: /opt/ibm/ldap/<version>/
For Windows: C:\Program Files\IBM\LDAP\<version>\
Note: If you have installed SDS/TDS into a custom folder on Windows, then cd into that folder instead.

and <version> is the version of SDS, such as V6.3 or V6.2.

Edit the idswebapp.properties file to add or update the following line:
  SSLContextAlgorithm=TLSv1


Valid values for SSLContextAlgorithm are listed below:

For TDS V6.3: SSL, SSLv3, TLS, TLSv1, TLSv1.1, TLSv1.2, SSL_TLS or SSL_TLSv2
For TDS V6.2: SSL, SSLv3, TLS, TLSv1 or SSL_TLS

Refer to the Java SDK technote for more details on SSLContextAlgorithm.

e. Restart the eWAS profile: cd into the profile's bin folder of the installed embedded WebSphere Application Server, then stop and start server1.


For AIX/Linux/Solaris/HP-UX:
  cd <LDAP_Home>/appsrv/profiles/TDSWebAdminProfile/bin

For Windows:
  cd <LDAP_Home>\appsrv\profiles\TDSWebAdminProfile\bin

Where <LDAP_Home> is the Directory Server installation path as below:
For AIX/Solaris/HP-UX: /opt/IBM/ldap/<version>/
For Linux: /opt/ibm/ldap/<version>/
For Windows: C:\Program Files\IBM\LDAP\<version>\
Note: If you have installed SDS/TDS into a custom folder on Windows, then cd into that folder instead.

and <version> is the version of SDS, such as V6.3.1, V6.3 or V6.2.

For AIX/Linux/Solaris/HP-UX:
  ./stopServer.sh server1

  ./startServer.sh server1


For Windows:
  .\stopServer.bat server1

  .\startServer.bat server1
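The idswebapp.properties edit in step d.ii can be made repeatable and checked against the valid-value lists for each version before the file is touched. The script below is an added example, not IBM's code: the function names are chosen here, the '6.3' and '6.2' keys select the two value lists the technote gives, and SAMPLE is a constructed properties fragment, not a file shipped with the product.

```python
KEY = 'SSLContextAlgorithm'
# Accepted values per Web Admin Tool version, as listed in the technote.
VALID_ALGORITHMS = {
    '6.3': ('SSL', 'SSLv3', 'TLS', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'SSL_TLS', 'SSL_TLSv2'),
    '6.2': ('SSL', 'SSLv3', 'TLS', 'TLSv1', 'SSL_TLS'),
}
# Constructed sample of a properties file that still pins SSLv3.
SAMPLE = '# constructed sample\nldap.port=389\nSSLContextAlgorithm=SSLv3\n'

def _is_key_line(line):
    s = line.strip()
    return not s.startswith('#') and s.split('=', 1)[0].strip() == KEY

def current_algorithm(text):
    """Configured value, or None when the key is absent (the technote says
    the tool then defaults to SSLv3)."""
    for line in text.splitlines():
        if _is_key_line(line):
            return line.split('=', 1)[1].strip()
    return None

def update_properties_text(text, algorithm, version):
    """Return `text` with KEY set to `algorithm` exactly once: the first key line
    is replaced, later duplicates dropped, commented-out lines kept, a missing
    key appended. Raises ValueError for a value `version` does not accept."""
    if algorithm not in VALID_ALGORITHMS[version]:
        raise ValueError('%s is not a valid %s for TDS V%s' % (algorithm, KEY, version))
    out, done = [], False
    for line in text.splitlines():
        if _is_key_line(line):
            if not done:
                out.append('%s=%s' % (KEY, algorithm))
                done = True
            continue
        out.append(line)
    if not done:
        out.append('%s=%s' % (KEY, algorithm))
    return '\n'.join(out) + '\n'

def update_properties_file(path, algorithm, version):
    """Rewrite the file at `path` in place; returns (old value, new text)."""
    with open(path) as fh:
        text = fh.read()
    new_text = update_properties_text(text, algorithm, version)
    with open(path, 'w') as fh:
        fh.write(new_text)
    return current_algorithm(text), new_text

if __name__ == '__main__':
    print(update_properties_text(SAMPLE, 'TLSv1', '6.2'))
```

Point update_properties_file at the idswebapp.properties path from step d.ii, then restart server1 as in step e for the change to take effect.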


Document Information

Modified date:
16 June 2018

UID

swg21694300