It's all about the answers!

Ask a question

How do I insure TLS 1.2 between JTS and registered applications works ?


Kevin Ramer (4.5k6171190) | asked Dec 03 '15, 1:33 p.m.
edited Dec 14 '15, 10:25 a.m.
Hi,
Working with RTC 5.0.2 ifix006 environment on WebSphere 8.5.5.7.   In attempting to verify that newly installed SSL certificates clear up tcp/ip vulnerability scans, the latest scan revealed HIGH violations calling out TLS vs TLS 1.2.   Easy-peasy says I, I go and change the QoP (quality of protection ) setting in each WebSphere to use TLS 1.2.  

However, not long after, complaints come through that the QM users cannot connect to their application.   Message is "peer not authenticated".   So I revert to TLS in the QoP and life is good.   In the SystemOut.log for a JTS it has logged that client ( which I presume is one of the QM applications ) is wanting to use TLSv1.

This article  1461  describes a setting for the Eclipse client and others ( which does work ).  Would a similar define to the WebSphere JVM allow the configuration and use of TLS 1.2 between JTS and applications ?

Other references:  WI 269702, WI 265622

i.e.
-Dcom.ibm.team.repository.client.protocol=TLSv1.2 in the Additional Arguments of the JVM


Accepted answer


permanent link
Donald Nong (14.4k314) | answered Dec 03 '15, 9:31 p.m.
I recently had this exact exercise and did not have any problems at all. Without seeing your detailed steps, it's a bit difficult to know what went wrong during the process. Have you followed the steps in the below document?
https://www-01.ibm.com/support/knowledgecenter/SSCP65_5.0.2/com.ibm.jazz.install.doc/topics/t_enable_tls1.2_was.html

I did the configuration with and without FIPS and either worked just fine.

Note that if the WAS servers need to connect to other servers, such as LDAP, using an SSL connection, then all the servers involved should support TLSv1.2 (and FIPS for that matter). Otherwise, you need to add a separate SSL configuration in WAS to handle the non-TLSv1.2 connections.

Kevin Ramer selected this answer as the correct answer

Comments
Kevin Ramer commented Dec 04 '15, 8:51 a.m.

Well, went through to step 6 and could verify that WebSphere pushing out TLS 1.2.  We are required to remove certain default ciphers and our QoP reads "custom" but that's not the concern. 

Apparently, with step 16 the addition of the additional properties is required. 

When you configure w/o FIPS can the other FIPS related settings be ignored ?


Kevin Ramer commented Dec 04 '15, 9:10 a.m.

Minimum seems to be:

Configure to TLSv1.2 in WebSphere [ Step 1 -  Step 5 ]
Step 11 -- update ssl.client.props as described
Step 16 -- first and last custom property.

In another response on this subject, you replied that w 5.0.2 client connection to tls configured server works.   Is that enabled by default ? ( my test above is v4.0.7 sandbox we have )  In my 4.0.7 client, I had to add -Dcom.ibm.team.repository.client.protocol=TLSv1.2 to its eclipse.ini.



Donald Nong commented Dec 06 '15, 6:00 p.m. | edited Dec 06 '15, 6:04 p.m.

I must have lost track of what I said in the past. TLS could mean TLSv1, TLSv1.1 or TLSv1.2. TLSv1 can be achieved without extra configuration, while TLSv1.2 needs the JVM parameter. I have never specifically tested TLSv1.1 because it's "in the middle of the road".

Re:FIPS related settings, I think it's not that they "can" be ignored, but rather "have to" be ignored, if you just want TLSv1.2 but no FIPS. I suspect that if any such setting is included, the security level is elevated and then the clients have to be compliant to FIPS as well. Haven't done any extensive testing to confirm it though.

Your answer


Register or to post your answer.