Configuring WebSphere Application Server to support TLS 1.2

To comply with the US government SP 800-131 security standard, you can configure the WebSphere® Application Server that hosts Rational® Engineering Lifecycle Manager applications to support the Transport Layer Security (TLS) 1.2 protocol.

Procedure

  1. Configure the TLS 1.2 protocol.
    1. Log on to the WebSphere Application Server Integrated Solutions Console, and click Security > SSL certificate and key management.
    2. Under Related Items, click SSL configurations.
    3. Click the default SSL settings link to open it and, under Additional Properties, click Quality of protection (QoP) settings.
    4. For the protocol, ensure that TLSv1.2 is selected. For the Cipher suite groups, ensure that Strong is selected. Click Update selected ciphers.
    5. Click OK, and save directly to the master configuration.
  2. Configure the Federal Information Processing Standard (FIPS) properties.
    1. Click the SSL certificate and key management link, and then click Manage FIPS.
    2. In the Manage FIPS window, click Enable SP800-131, and then select Strict.
    3. Click OK.
    Tip: If you see the following non-compliant certificate error, complete these steps:
    screen capture of the error message showing that the certificate is non-compliant
    1. Under Related Items, click Convert certificates.
    2. Ensure that the Algorithm setting is Strict.
    3. For the New certificate key size, select 2048 bits.
    4. Click OK and save directly to the master configuration.
  3. Configure the properties in the ssl.client.props file.

    Go to WAS_Profile_Dir/properties and open the ssl.client.props file for editing. After you complete your updates, save and exit the file.

    1. Search for com.ibm.security.useFIPS and change the property to true.
    2. Search for com.ibm.websphere.security.FIPSLevel and if the line does not exist add it, and then set the property to SP800-131.
    3. Search for com.ibm.ssl.protocol and change the property to TLSv1.2.
    4. Search for com.ibm.ssl.enableSignerExchangePrompt, and ensure that the property is set to true, so that the signer certificate prompt is enabled.
  4. Add Java™ Virtual Machine custom properties.
    1. Click Server > Server Types > WebSphere application servers and then click server1 to open it.
    2. Under Server Infrastructure, click Java and Process Management > Process definition.
    3. Under Additional Properties, click Java Virtual Machine > Custom properties and enter the following three custom properties.
      • com.ibm.team.repository.transport.client.protocol with a value of TLSv1.2
      • com.ibm.jsse2.sp800-131 with a value of strict
      • com.ibm.rational.rpe.tls12only with a value of true
  5. Restart the application server.
  6. Run the WebSphere_directory/AppServer/profiles/profile_name/bin>serverStatus -all command, and accept the certification with Y. When you are prompted, log on with your administrator credentials.

What to do next

If you cannot access the Integrated Solutions Console from the browser after changing the SSL protocols to TLS 1.2, the browser might not be configured to support the protocol or does not support the protocol. For information about configuring browsers to support TLS 1.2, see Configuring browsers to support Transport Layer Security (TLS) 1.2.

Feedback