How do I ensure TLS 1.2 between JTS and registered applications works?
Working with RTC 5.0.2 ifix006 environment on WebSphere 8.5.5.7. In attempting to verify that newly installed SSL certificates clear up TCP/IP vulnerability scans, the latest scan revealed HIGH violations calling out TLS vs TLS 1.2. Easy-peasy says I, I go and change the QoP (quality of protection) setting in each WebSphere to use TLS 1.2.
However, not long after, complaints come through that the QM users cannot connect to their application. Message is "peer not authenticated". So I revert to TLS in the QoP and life is good. In the SystemOut.log for a JTS it has logged that the client (which I presume is one of the QM applications) is wanting to use TLSv1.
This article 1461 describes a setting for the Eclipse client and others (which does work). Would a similar define to the WebSphere JVM allow the configuration and use of TLS 1.2 between JTS and applications?
Other references: WI 269702, WI 265622
i.e.
-Dcom.ibm.team.repository.client.protocol=TLSv1.2 in the Additional Arguments of the JVM
Accepted answer
https://www-01.ibm.com/support/knowledgecenter/SSCP65_5.0.2/com.ibm.jazz.install.doc/topics/t_enable_tls1.2_was.html
I did the configuration with and without FIPS and either worked just fine.
Note that if the WAS servers need to connect to other servers, such as LDAP, using an SSL connection, then all the servers involved should support TLSv1.2 (and FIPS for that matter). Otherwise, you need to add a separate SSL configuration in WAS to handle the non-TLSv1.2 connections.
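As an added example (not from the answer, IBM, or the knowledge-center page), the following Python probe checks, per peer, which TLS versions it actually negotiates, so you know before raising the QoP which servers (LDAP, registered applications) will need the separate SSL configuration described above. Host names, ports, and peer names in it are placeholders, and it only tests protocol negotiation, not certificate trust.

```python
"""Survey which TLS versions each peer negotiates before the WAS QoP
is raised to TLSv1.2 only (example probe; not RTC/WAS code)."""
import socket
import ssl

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe(host, port, version, timeout=5.0):
    """One handshake pinned to `version`.
    Returns ("ok", negotiated_version) or ("refused", error_class)."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ctx.maximum_version = version
        # Internal CAs and self-signed certs are common on these hosts;
        # this probe checks protocol negotiation only, not trust.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # Recent OpenSSL builds refuse TLSv1/1.1 at the default
            # security level; lower it so the probe itself does not
            # cause the old version to fail.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except (ssl.SSLError, OSError, ValueError) as exc:
        return ("refused", exc.__class__.__name__)


def survey(peers):
    """peers: iterable of (name, host, port). Returns {name: {label: result}}."""
    return {name: {label: probe(host, port, v) for label, v in VERSIONS.items()}
            for name, host, port in peers}


def plan(results):
    """Classify survey() output: 'ready' negotiates TLSv1.2, 'legacy'
    only negotiates older TLS (needs its own WAS SSL configuration),
    'no-handshake' accepted none of the probed versions."""
    out = {}
    for name, by_version in results.items():
        ok = {label for label, (status, _) in by_version.items() if status == "ok"}
        out[name] = "ready" if "TLSv1.2" in ok else ("legacy" if ok else "no-handshake")
    return out


if __name__ == "__main__":
    # Placeholder peers; replace with the JTS, CCM/QM and LDAP endpoints.
    print(plan(survey([("jts", "jts.example.internal", 9443),
                       ("ldap", "ldap.example.internal", 636)])))
```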
Comments
Well, went through to step 6 and could verify that WebSphere was pushing out TLS 1.2. We are required to remove certain default ciphers and our QoP reads "custom" but that's not the concern.
Apparently, with step 16 the addition of the additional properties is required.
When you configure w/o FIPS, can the other FIPS-related settings be ignored?
Minimum seems to be:
Configure to TLSv1.2 in WebSphere [Step 1 - Step 5]
Step 11 -- update ssl.client.props as described
Step 16 -- first and last custom property.
In another response on this subject, you replied that with 5.0.2 a client connection to a TLS-configured server works. Is that enabled by default? (My test above is the v4.0.7 sandbox we have.) In my 4.0.7 client, I had to add -Dcom.ibm.team.repository.client.protocol=TLSv1.2 to its eclipse.ini.
I must have lost track of what I said in the past. TLS could mean TLSv1, TLSv1.1 or TLSv1.2. TLSv1 can be achieved without extra configuration, while TLSv1.2 needs the JVM parameter. I have never specifically tested TLSv1.1 because it's "in the middle of the road".
Re: FIPS-related settings, I think it's not that they "can" be ignored, but rather "have to" be ignored, if you just want TLSv1.2 but no FIPS. I suspect that if any such setting is included, the security level is elevated and then the clients have to be compliant to FIPS as well. Haven't done any extensive testing to confirm it though.