Configuring Engineering Workflow Management clients and build engines to support TLS 1.2 for NIST SP 800-131

To comply with the US government SP 800-131 security standard, you can configure the Engineering Workflow Management Eclipse client and its components to support the Transport Layer Security (TLS) 1.2 protocol.

About this task

To configure Engineering Workflow Management clients and build engines to support the TLS 1.2 protocol, add the following Java system property to the client or build engine .ini files:
    -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2
For the Ant build definition, you can add the protocol to the Java VM Arguments section.

Engineering Workflow Management Eclipse client

Procedure

  1. Go to the directory where the Engineering Workflow Management Eclipse client is installed. The default location on Windows is Program Files\IBM\EWMClient and on UNIX systems is opt/IBM/EWMClient.
  2. Open the eclipse.ini file for editing and add the following protocol:
    -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2
  3. Save and close the eclipse.ini file.

Engineering Workflow Management for Microsoft Visual Studio IDE

Before you begin

The .NET Framework 4.5 must be installed.

Procedure

  1. In the Engineering Workflow Management for Microsoft Visual Studio IDE, click Tools > Options.
  2. In the left pane, click EWM Client.
  3. Select Use TLS 1.2 and click OK.
  4. In the scm.ini file, add the following text. The default file location is install_location\3rd Party\scmtools\eclipse.
    -Dcom.ibm.team.repository.transport.client.protocol=SSL_TLSv2

Engineering Workflow Management Shell

Before you begin

The .NET Framework 4.5 must be installed.

Procedure

  1. In the Engineering Workflow Management Shell control panel, click Manage Preferences > Other Preferences.
  2. Select Use TLS 1.2 and click OK.
  3. In the scm.ini file, add the following text. The default file location is install_location\3rd Party\scmtools\eclipse.
    -Dcom.ibm.team.repository.transport.client.protocol=SSL_TLSv2

Engineering Workflow Management Microsoft Source Code Control Interface

Before you begin

The .NET Framework 4.5 must be installed.

Procedure

  1. Exit all applications using the MSSCCI client.
  2. Open the Engineering Workflow Management MSSCCI control panel.
  3. Click Modify MS-SCCI Preferences.
  4. Select Use TLS 1.1 or Use TLS 1.2.
  5. In the scm.ini file, add the following text. The default file location is install_location\3rd Party\scmtools\eclipse.
    -Dcom.ibm.team.repository.transport.client.protocol=SSL_TLSv2

Jazz Build Engine

Procedure

  1. Go to the directory where the Jazz Build Engine is installed. The default location on 64-bit Windows is Program Files (x86)\IBM\EWMBuild\buildsystem\buildengine\eclipse and on UNIX systems is opt/IBM/EWMBuild/buildsystem/buildengine/eclipse.
  2. Open the jbe.ini file for editing and add the following protocol:
    -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2
  3. Save and close the jbe.ini file.
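
The following check is an added example, not part of the original documentation or the product. It audits eclipse.ini, jbe.ini and scm.ini for the property and the values given in the procedures above. It relies on the standard Eclipse launcher rule that only lines after -vmargs are passed to the JVM; the function names and the sample file contents are constructed for illustration.

```python
from pathlib import Path
import tempfile

PROP = "com.ibm.team.repository.transport.client.protocol"
# Expected value per file, taken from the procedures on this page.
EXPECTED = {"eclipse.ini": "TLSv1.2", "jbe.ini": "TLSv1.2", "scm.ini": "SSL_TLSv2"}

def audit_ini(path):
    """Return a list of findings for one launcher .ini file (empty list = OK)."""
    path = Path(path)
    expected = EXPECTED[path.name]
    lines = [ln.strip() for ln in path.read_text(encoding="utf-8").splitlines()]
    # Eclipse launcher rule: only the lines after -vmargs reach the JVM.
    vmargs_at = lines.index("-vmargs") if "-vmargs" in lines else len(lines)
    prefix = f"-D{PROP}="
    hits = [(i, ln[len(prefix):]) for i, ln in enumerate(lines) if ln.startswith(prefix)]
    if not hits:
        return [f"{path.name}: {PROP} is not set"]
    findings, effective = [], 0
    for i, value in hits:
        if i < vmargs_at:
            findings.append(f"{path.name}:{i + 1}: not after -vmargs, the JVM never sees it")
            continue
        effective += 1
        if value != expected:
            findings.append(f"{path.name}:{i + 1}: value {value!r}, expected {expected!r}")
    if effective > 1:
        findings.append(f"{path.name}: set {effective} times, keep a single entry")
    return findings

def demo():
    """Audit three constructed sample files (not taken from a real install)."""
    samples = {
        "eclipse.ini": f"-startup\nplugins/launcher.jar\n-vmargs\n-Xmx1024m\n-D{PROP}=TLSv1.2\n",
        "jbe.ini": f"-D{PROP}=TLSv1.2\n-vmargs\n-Xmx512m\n",  # property misplaced
        "scm.ini": f"-vmargs\n-D{PROP}=TLSv1.2\n",            # wrong value for scm.ini
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in samples.items():
            p = Path(tmp, name)
            p.write_text(text, encoding="utf-8")
            results[name] = audit_ini(p)
    return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "OK" if not findings else findings)
```

To audit a real installation, call audit_ini() with the path to each .ini file under the install locations listed in the procedures.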

Ant build definition

Procedure

  1. Open the Engineering Workflow Management Eclipse client.
  2. In the Team Artifacts view, expand a project, then expand Builds.
  3. Right-click a build and select Open Build Definition.
  4. In the Build Definition view, click the Ant tab.
  5. In the Ant Configuration section, add the following protocol to the Java VM arguments field:
    -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2

Build Agent

About this task

To configure Build Agent engines to support the TLS 1.2 protocol, two artifacts must be set up to use TLS 1.2.

Procedure

  1. Configure the Build Agent to support the TLS 1.2 protocol. In the bfagent.conf file for the Rational Build Agent on z/OS systems, set the ssl_protocol to TLSv1.2.
  2. In the Engineering Workflow Management build engine editor, when the engine type is set to Build Agent, complete the settings on the Build Agent tab.
    1. Select Connect securely to Build Agent.
    2. Set the Secure protocol to Use TLS 1.2 to match the ssl_protocol setting in the bfagent.conf file for the Rational Build Agent on z/OS systems.

Hudson/Jenkins Engineering Workflow Management plug-in

Before you begin

If the Engineering Workflow Management server is at version 4.0.4 or later and is configured to use TLS v1.2, you must use a version 4.0.4 or later build toolkit when running builds against that Engineering Workflow Management server. Earlier versions of the build toolkit do not recognize this environment variable:
com.ibm.team.repository.transport.client.protocol

You must use a browser that supports and is enabled for TLS v1.2. For more information, see Configuring browsers to support TLS 1.2 for NIST SP 800-131.

Procedure

  1. You can define the following system variable when you start your Hudson/Jenkins server and slaves:
    com.ibm.team.repository.transport.client.protocol=TLSv1.2
    Example of the server by using the default Winstone container:
    java -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2 -jar jenkins.war
    Example of the slave node:
    javaws -J-Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2 http://myJenkinsMachine:8080/computer/Slave1/slave-agent.jnlp
  2. If Hudson/Jenkins is used to build in a mixed environment, for example, an Engineering Workflow Management version 4.0.4 or later server that uses TLS 1.2 and other servers that do not, you must set the following variable:
    com.ibm.team.repository.transport.client.protocol=SSL_TLSv2
