It's all about the answers!

Ask a question

Can't login to WAS Admin Console after enabling FIPS


Vince Thyng (13724153) | asked Apr 12 '16, 12:13 p.m.
I followed these instructions in the URL below and can still get to the login page for my WebSphere admin console afterwards (so it isn't my browser not supporting TLS 1.2), however logins always fail.  I managed to get in through wsadmin.sh -conntype NONE and disable FIPS, and then I could login again.  So I was hoping to better understand what the 3 areas I am changing with the instructions actually impact to know if I can live without FIPS enabled.  Looking for info like "this configuration area is how the jazz service talks to other jazz services, provides front end SSL TLS support, etc)

https://jazz.net/help-dev/clm/index.jsp?re=1&topic=/com.ibm.jazz.install.doc/topics/t_enable_tls1.2_rtc.html&scope=null

1) Quality of protection (QoP) settings
2) ssl.client.props
3) Custom JVM properties

Thanks!


Comments
Vince Thyng commented Apr 12 '16, 12:14 p.m.

In case anyone needs it, here are the commands I used to disable FIPS
/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/wsadmin.sh -lang jython -conntype NONE
print AdminTask.getFipsInfo()
AdminTask.enableFips("[-enableFips false]")
AdminConfig.save()
quit

Accepted answer


permanent link
Donald Nong (14.5k614) | answered Apr 12 '16, 10:26 p.m.
If you are using LDAP integration, chances are the LDAP server is not TLSv1.2 enabled, so that WAS cannot connect to the LDAP server as a client. Check SystemOut.log for confirmation. If FIPS is a must, you will either enable TLSv1.2 on the LDAP server, or make a separate SSL configuration (FIPS disabled) just for the LDAP connection within WAS. If you only need TLSv1.2 support on the WAS server (not strictly FIPS), the configuration is a bit more flexible.
Vince Thyng selected this answer as the correct answer

Comments
Vince Thyng commented Apr 13 '16, 12:10 p.m.

Thanks Donald.  This appears to be the source of the problem.  I did a quick check and only TLSv1.1 appears to be supported by the LDAP server.  So perhaps I can use the transition mode of FIPS or just not use it for now.  Thanks again!

Your answer


Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.