IBM Support

Usage of TLS 1.2 with IBM InfoSphere Information Server

Question & Answer


Question

How do I use TLS 1.2 with IBM InfoSphere Information Server?

Cause

Incomplete settings for TLS 1.2 usage result in a number of different errors related to SSL handshake, authentication, certificates, ciphers, etc.

Answer

Note:
New installations of Information Server 11.7.1.3, and existing installations that are upgraded to 11.7.1.3 or later, will automatically see the network protocol changed to TLS 1.2; hence they do not have to do the following actions. See the 11.7.1.3 install instructions for additional actions that may be needed.

Actions are needed on each of the tiers. Additionally, in situations where only TLS 1.2 is intended to be used, besides Information Server components, one must also configure browsers, databases, .NET, etc. to only permit TLS 1.2, and ensure that they have been upgraded to an appropriate version.

1. For WebSphere Network Deployment:
           a. In WebSphere administration console,
                  i.  Go to Security -> SSL certificate and key management -> SSL configurations -> IISSSL Configuration -> Quality of Protection (QoP) settings
                       Set Protocol = TLSv1.2
                       Apply and OK the changes.
                  ii. Go to Security -> SSL certificate and key management -> SSL configurations -> NodeDefaultSSLSettings -> Quality of Protection settings
                       Set Protocol = TLSv1.2
                       Apply and OK the changes.
    
              NOTE: After updating NodeDefaultSSLSettings to TLS 1.2, you will not be able to stop WebSphere Application Server if you have not yet set com.ibm.ssl.protocol=TLSv1.2 in /opt/IBM/WebSphere/AppServer/profiles/InfoSphere/properties/ssl.client.props.
           b. In another window, edit the protocol setting in the ssl.client.props files; set the protocol:
                    /opt/IBM/WebSphere/AppServer/profiles/InfoSphere/properties/ssl.client.props
                    /opt/IBM/WebSphere/AppServer/profiles/dmgr1/properties/ssl.client.props (for deployment manager)
                           com.ibm.ssl.protocol=TLSv1.2
 
            c. Back in the WebSphere administration console, click the "Save" link label near the top of screen.
                After saving the changes, log out of the console.
                Restart WebSphere Application Server for the changes to take effect.

2. For WebSphere Liberty profile:
           a.  Shut down the server
                    /opt/IBM/InformationServer/wlp/bin/server stop iis
           b. Edit \IBM\InformationServer\wlp\usr\servers\iis\bootstrap.properties; set the protocol   
                    iis.ssl.sslProtocol=TLSv1.2
           c. Restart the server    
                    /opt/IBM/InformationServer/wlp/bin/server start iis
 
3. Update the value for com.ibm.iis.ssl.protocol in the following locations:
         Services tier: ASBServer/conf/iis.client.site.properties
         Engine tier: ASBNode/eclipse/plugins/com.ibm.iis.client/iis.client.site.properties
         Client tier: ASBNode/eclipse/plugins/com.ibm.iis.client/iis.client.site.properties
               com.ibm.iis.ssl.protocol=TLSv1.2
 
4. Run UpdateSignerCerts from ASBServer/bin and ASBNode/bin on all tiers (you must have write permission on the truststore).
           /opt/IBM/InformationServer/ASBServer/bin/UpdateSignerCerts.sh -url <hostname>:<port>

5. For clustered configuration, the above steps must be done on the Deployment manager and each node.
     A full restart of the deployment manager and nodes must be done.
6. Upgrade the JDKs to an appropriate level (for quick reference, here is the October 2016 JDK)
 

7. Refer to the Related information section of this technote for technotes on Information Server components that need component-specific actions related to the usage of TLS 1.2.

For Connectivity components, note the following:

  • the File Connector does not need any configuration changes
  • for Hierarchical Stage, upgrade to 11.5.0.2 (no configuration changes are needed)
  • for Salesforce Data Connector see the linked techNotes
  • actions for other connectors, if any, are yet to be determined.
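
A read-only check for steps 1b, 2b and 3, added here as an example (it is not IBM's tooling): it reports whether each properties file named in those steps carries the TLSv1.2 protocol value. The install roots default to the sample Linux paths on this page and are assumptions; set `WAS_PROFILES` and `IIS_HOME` for other layouts.

```shell
#!/bin/sh
# Added example: read-only audit of the protocol properties from steps 1b, 2b and 3.
# Install roots are assumptions based on the sample paths on this page.
WAS_PROFILES="${WAS_PROFILES:-/opt/IBM/WebSphere/AppServer/profiles}"
IIS_HOME="${IIS_HOME:-/opt/IBM/InformationServer}"
WANT="TLSv1.2"

# get_prop FILE KEY: print the effective value of KEY (last uncommented
# "key=value" line wins), trimming whitespace and a trailing CR.
get_prop() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0; sub(/\r$/, "", line)
            i = index(line, "="); if (i == 0) next
            k = substr(line, 1, i - 1); v = substr(line, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_prop FILE KEY: returns 0 = TLSv1.2, 1 = wrong or unset, 2 = file absent.
check_prop() {
    if [ ! -r "$1" ]; then echo "SKIP  $1 (not on this tier)"; return 2; fi
    cur=$(get_prop "$1" "$2")
    if [ "$cur" = "$WANT" ]; then echo "OK    $1: $2=$cur"; return 0; fi
    echo "FAIL  $1: $2=${cur:-<unset>} (expected $WANT)"; return 1
}

# audit_tls: check every file/key pair; the return status is the FAIL count.
audit_tls() {
    failures=0
    while read -r file key; do
        rc=0; check_prop "$file" "$key" || rc=$?
        if [ "$rc" -eq 1 ]; then failures=$((failures + 1)); fi
    done <<EOF
$WAS_PROFILES/InfoSphere/properties/ssl.client.props com.ibm.ssl.protocol
$WAS_PROFILES/dmgr1/properties/ssl.client.props com.ibm.ssl.protocol
$IIS_HOME/wlp/usr/servers/iis/bootstrap.properties iis.ssl.sslProtocol
$IIS_HOME/ASBServer/conf/iis.client.site.properties com.ibm.iis.ssl.protocol
$IIS_HOME/ASBNode/eclipse/plugins/com.ibm.iis.client/iis.client.site.properties com.ibm.iis.ssl.protocol
EOF
    return "$failures"
}

audit_tls || echo "$? file(s) still need the TLSv1.2 setting"
```

Run it on each tier; files that belong to a different tier are reported as SKIP and do not count as failures.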
 

Change History:
26 April 2017: Original version published
27 April 2017: Added version based links for Salesforce Data Connector
11 May 2017: Updated argument in sample UpdateSignerCerts.sh command
14 May 2017: Added information for Hierarchical stage
06 June 2017: Removed step to set protocol in ASBServer/conf/ssl.client.props file
27 June 2017: Added related link to IMAM techNote
18 May 2018: Added related link to technote for support in DataStage Clients
17 May 2019: Added related link for enabling TLS Communications to DB2 Databases
21 July 2021: Removed duplicate links to DataStage technote
29 July 2021: Added link to technote for DataStage Web Services Pack


Document Information

Modified date:
21 July 2022

UID

swg22001891