To comply with the US government SP 800-131 security standard, you can configure the WebSphere® Application Server that hosts Rational® Engineering Lifecycle Manager applications to support the Transport Layer Security (TLS) 1.2 protocol.
Procedure
- Configure the TLS 1.2 protocol.
  - Log on to the WebSphere Application Server Integrated Solutions Console, and click .
  - Under Related Items, click SSL configurations.
  - Click the default SSL settings link to open it and, under Additional Properties, click Quality of protection (QoP) settings.
  - For the protocol, ensure that TLSv1.2 is selected. For the Cipher suite groups, ensure that Strong is selected. Click Update selected ciphers.
  - Click OK, and save directly to the master configuration.
- Configure the Federal Information Processing Standard (FIPS) properties.
  - Click the SSL certificate and key management link, and then click Manage FIPS.
  - In the Manage FIPS window, click Enable SP800-131, and then select Strict.
  - Click OK.
  Tip: If you see the following non-compliant certificate error, complete these steps:
    - Under Related Items, click Convert certificates.
    - Ensure that the Algorithm setting is Strict.
    - For the New certificate key size, select 2048 bits.
    - Click OK and save directly to the master configuration.
- Configure the properties in the ssl.client.props file.
  Go to WAS_Profile_Dir/properties and open the ssl.client.props file for editing. After you complete your updates, save and exit the file.
  - Search for com.ibm.security.useFIPS and change the property to true.
  - Search for com.ibm.websphere.security.FIPSLevel. If the line does not exist, add it. Then set the property to SP800-131.
  - Search for com.ibm.ssl.protocol and change the property to TLSv1.2.
  - Search for com.ibm.ssl.enableSignerExchangePrompt, and ensure that the property is set to true, so that the signer certificate prompt is enabled.
- Add Java™ Virtual Machine custom properties.
  - Click and then click server1 to open it.
  - Under Server Infrastructure, click .
  - Under Additional Properties, click and enter the following three custom properties.
    - com.ibm.team.repository.transport.client.protocol with a value of TLSv1.2
    - com.ibm.jsse2.sp800-131 with a value of strict
    - com.ibm.rational.rpe.tls12only with a value of true
- Restart the application server.
- From the WebSphere_directory/AppServer/profiles/profile_name/bin directory, run the serverStatus -all command, and accept the certificate with Y. When you are prompted, log on with your administrator credentials.
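
A check for the ssl.client.props step above, as an added example that is not part of the original procedure or of IBM's tooling: it reports each of the four properties that is missing, commented out, or set to a different value. The function name and the sample file contents are constructed for illustration, and values are compared exactly as the procedure writes them.

```python
import re
import sys

# Property values exactly as the ssl.client.props step of this procedure gives them.
REQUIRED = {
    "com.ibm.security.useFIPS": "true",
    "com.ibm.websphere.security.FIPSLevel": "SP800-131",
    "com.ibm.ssl.protocol": "TLSv1.2",
    "com.ibm.ssl.enableSignerExchangePrompt": "true",
}

# key, optional '=' or ':' separator, value; lines starting with # or ! are comments.
LINE = re.compile(r"^\s*([^#!\s=:][^\s=:]*)\s*[=:]?\s*(.*?)\s*$")

# Constructed sample input, not taken from a real profile.
SAMPLE = """\
com.ibm.security.useFIPS=false
#com.ibm.websphere.security.FIPSLevel=SP800-131
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.enableSignerExchangePrompt = true
"""

def audit_ssl_client_props(text):
    """Return {property: problem} for each required property that is absent or wrong."""
    seen = {}
    for raw in text.splitlines():
        match = LINE.match(raw)
        if match:  # blank lines and comments do not match
            seen.setdefault(match.group(1), []).append(match.group(2))
    problems = {}
    for key, want in REQUIRED.items():
        values = seen.get(key, [])
        wrong = sorted({v for v in values if v != want})
        if not values:
            problems[key] = "missing or commented out"
        elif wrong:
            # A key may appear more than once; every active occurrence must match.
            problems[key] = "expected %s, found %s" % (want, ", ".join(wrong))
    return problems

if __name__ == "__main__":
    # Pass the path to ssl.client.props; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as handle:
            content = handle.read()
    else:
        content = SAMPLE
    findings = audit_ssl_client_props(content)
    for name, problem in findings.items():
        print("%s: %s" % (name, problem))
    sys.exit(1 if findings else 0)
```

The script exits with a non-zero status when any property deviates, so it can gate a deployment or configuration-drift check.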
What to do next
If you cannot access the Integrated Solutions Console from the browser after changing the SSL protocols to TLS 1.2, the browser might not be configured to support the protocol, or it might not support the protocol at all. For information about configuring browsers to support TLS 1.2, see Configuring browsers to support Transport Layer Security (TLS) 1.2.