Can't login to WAS Admin Console after enabling FIPS
I followed the instructions in the URL below and can still get to the login page for my WebSphere admin console afterwards (so it isn't my browser not supporting TLS 1.2); however, logins always fail. I managed to get in through wsadmin.sh -conntype NONE and disable FIPS, and then I could log in again. So I was hoping to better understand what the 3 areas I am changing with the instructions actually impact, to know if I can live without FIPS enabled. Looking for info like "this configuration area is how the Jazz service talks to other Jazz services, provides front-end SSL/TLS support, etc."
https://jazz.net/help-dev/clm/index.jsp?re=1&topic=/com.ibm.jazz.install.doc/topics/t_enable_tls1.2_rtc.html&scope=null
1) Quality of protection (QoP) settings
2) ssl.client.props
3) Custom JVM properties
Thanks!
Accepted answer
If you are using LDAP integration, chances are the LDAP server is not TLSv1.2 enabled, so that WAS cannot connect to the LDAP server as a client. Check SystemOut.log for confirmation. If FIPS is a must, you will either enable TLSv1.2 on the LDAP server, or make a separate SSL configuration (FIPS disabled) just for the LDAP connection within WAS. If you only need TLSv1.2 support on the WAS server (not strictly FIPS), the configuration is a bit more flexible.
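The accepted answer's diagnosis (the LDAP server rejects the TLSv1.2 handshake that WAS, as a client, now insists on) can be confirmed from the WAS host before touching any SSL configuration. The script below is an added example for this thread, not code from the original post or from IBM; it pins an openssl s_client probe to TLSv1.2 and classifies the result, and filters SystemOut.log for the JNDI/SSL exceptions that the LDAP client leg throws when that handshake fails. The hostname, port and log path are placeholders, and the log lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example for the jazz.net thread above; not part of the original page.
# Usage: ./ldap_tls12_check.sh ldap.example.com 636   (placeholder host/port)

# Attempt a handshake pinned to exactly TLSv1.2 against host:port and return
# the raw s_client output. </dev/null closes the session after the handshake.
tls12_probe() {
    host=$1
    port=${2:-636}
    openssl s_client -connect "$host:$port" -tls1_2 </dev/null 2>&1
}

# Classify s_client output:
#   "unsupported" - the server refused TLSv1.2 (alert / unsupported protocol)
#   "ok"          - a TLSv1.2 session with a real cipher was negotiated
#   "error"       - anything else (connection refused, DNS failure, ...)
# Caveat: on a failed handshake s_client still prints "Protocol : TLSv1.2"
# in its SSL-Session summary (with "Cipher : 0000"), so the error strings are
# checked first and a zero cipher is never counted as success.
classify_probe() {
    out=$1
    if printf '%s\n' "$out" | grep -Eq 'handshake failure|protocol version|no protocols available|unsupported protocol'; then
        echo unsupported
    elif printf '%s\n' "$out" | grep -q 'Protocol *: TLSv1.2' \
         && ! printf '%s\n' "$out" | grep -q 'Cipher *: 0000'; then
        echo ok
    else
        echo error
    fi
}

# Filter a WAS SystemOut.log for the LDAP client leg failing TLS: JNDI wraps the
# handshake error in CommunicationException / SSLHandshakeException, and WAS's
# own SSL/PKI messages carry the CWPKI prefix. Exit status is grep's (1 = none).
ldap_tls_errors() {
    grep -E 'SSLHandshakeException|CommunicationException|CWPKI' "$1"
}

if [ -n "$1" ]; then
    classify_probe "$(tls12_probe "$1" "$2")"
fi
```

A result of "unsupported" matches the answer's first case (fix the LDAP server or give the LDAP connection its own non-FIPS SSL configuration in WAS); "error" means the probe never reached TLS and the problem is elsewhere.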
Comments
Vince Thyng
Apr 12 '16, 12:14 p.m.
In case anyone needs it, here are the commands I used to disable FIPS:
# Start wsadmin in local mode (-conntype NONE works against the config files, so no running server or login is needed)
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/wsadmin.sh -lang jython -conntype NONE
# At the wsadmin> prompt: show the current FIPS state, turn it off, and write the change to the configuration
print AdminTask.getFipsInfo()
AdminTask.enableFips("[-enableFips false]")
AdminConfig.save()
quit