Configuring TLSv1.2 on WebSphere

Last Updated: Nov 03, 2020

About this task

Use this procedure to configure TLSv1.2 on a WebSphere application server so that each incoming and outgoing communication with POM uses TLSv1.2.

When you use IBM WebSphere as an application server in a POM deployment, IBM WebSphere must meet the CEC-security requirement to communicate over TLSv1.2 on each of its interfaces.

Before you begin

Use the following:

  • Java 7 or 8.

  • WebSphere 8.5.5 or later versions.

Procedure

  1. Log on to the WebSphere Application Server Integrated Solutions Console by using a web browser.
  2. In the navigation pane, click Security > SSL certificate and key management.
  3. On the Related Items tab, click SSL configurations.
  4. Click the Default SSL settings link.
  5. On the Additional Properties page, click Quality of protection (QoP) settings.
  6. On the General Properties page, from the Protocol list, select TLSv1.2.
  7. In the Cipher suite settings area, from the Cipher suite groups list, select Strong.
  8. In the Cipher suite settings area, click Update selected ciphers.
  9. Click OK.

    Save the updated cipher files in the same location as the master configuration.

  10. In the navigation pane, click Security > SSL certificate and key management > Manage FIPS.
  11. On the Manage FIPS page, click Enable SP800-131 and then click Transition.
  12. Click OK.
  13. If the system displays a non-compliant certificate error, perform the following steps:
    1. Under Related Items, click Convert certificates.
    2. Set the Algorithm setting to Strict.
    3. From the New certificate key size list, select 2048 bits.
    4. Click OK.

      You can save the file in the same location as the master configuration.

  14. Navigate to the following location to access the ssl.client.props file:

    WAS_Profile_Dir/properties

  15. Open the ssl.client.props file and make the following changes:
    1. Set the com.ibm.security.useFIPS property to true.
    2. Set the com.ibm.websphere.security.FIPSLevel property to SP800-131.

      If this line already exists, do not add it again.

    3. Set the com.ibm.ssl.protocol property to TLSv1.2.
  16. In the Integrated Solutions Console, click Server > Server Types > WebSphere application servers > server1.
  17. On the Server Infrastructure page, click Java and Process Management > Process definition.
  18. On the Additional Properties tab, click Java Virtual Machine > Custom properties.
  19. On the Preferences page, create custom properties as follows:
    1. Select the com.ibm.team.repository.transport.client.protocol check box and set the corresponding value to TLSv1.2.
    2. Select the com.ibm.jsse2.sp800-131 check box and set the corresponding value to strict.
    3. Select the com.ibm.rational.rpe.tls12only check box and set the corresponding value to true.
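
After completing the procedure, the ssl.client.props edits from step 15 can be checked with a script. The following is an added example, not part of the original documentation or of any IBM or Avaya tooling; the function names and the sample file content are constructed for illustration. It reports wrong values, commented-out lines, and keys that were written more than once.

```python
import re
import sys

# Values required by step 15 of the procedure, compared exactly as written there.
REQUIRED = {
    "com.ibm.security.useFIPS": "true",
    "com.ibm.websphere.security.FIPSLevel": "SP800-131",
    "com.ibm.ssl.protocol": "TLSv1.2",
}

# An active line: key, '=' or ':' separator, value. Lines starting with # or ! are comments.
_LINE = re.compile(r"^\s*([^\s=:#!][^\s=:]*)\s*[=:]\s*(.*?)\s*$")

# Constructed sample, not a real ssl.client.props.
SAMPLE = """\
# constructed sample
com.ibm.security.useFIPS=false
#com.ibm.websphere.security.FIPSLevel=SP800-131
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.protocol=TLSv1.2
"""

def parse_props(text):
    """Return {key: [(line_no, value), ...]} for every uncommented line."""
    found = {}
    for no, line in enumerate(text.splitlines(), 1):
        m = _LINE.match(line)
        if m:
            found.setdefault(m.group(1), []).append((no, m.group(2)))
    return found

def audit(text):
    """Return a list of findings; an empty list means step 15 is satisfied."""
    props = parse_props(text)
    findings = []
    for key, want in REQUIRED.items():
        hits = props.get(key, [])
        if not hits:
            findings.append(f"{key}: missing or commented out")
        for no, value in hits:
            if value != want:
                findings.append(f"{key}: line {no} is '{value}', expected '{want}'")
        if len(hits) > 1:  # the page says not to write an existing line again
            lines = ", ".join(str(no) for no, _ in hits)
            findings.append(f"{key}: set {len(hits)} times (lines {lines})")
    return findings

if __name__ == "__main__":
    # Pass the path to ssl.client.props; with no argument the constructed sample is audited.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(audit(text)) or "ssl.client.props matches step 15")
```

Run it against WAS_Profile_Dir/properties/ssl.client.props; any output line other than the final confirmation names a property that still needs correcting.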