To comply with the US government SP 800-131 security standard, you can configure the WebSphere Application Server that hosts IBM® Engineering Lifecycle Management applications to support the Transport Layer Security (TLS) 1.2 protocol.
Procedure
- Log in to the WebSphere Application Server Integrated Solutions Console.
- Click , and under Related Items, click SSL configurations.
- Click the default SSL settings link to open it and, under Additional Properties, click Quality of protection (QoP) settings.
- For the protocol, ensure that TLSv1.2 is selected; for the Cipher suite groups, ensure that Strong is selected; and then click Update selected ciphers.
- Click OK and save directly to the master configuration.
- Click the SSL certificate and key management link and then click Manage FIPS.
- In the Manage FIPS window, click Enable SP800-131 and then select Strict.
- Click OK. If you see the following non-compliant certificate error, complete these steps:
  - Under Related Items, click Convert certificates.
  - Ensure that the Algorithm setting is Strict.
  - For the New certificate key size, select 2048 bits.
  - Click OK and save directly to the master configuration.
- Go to WAS_Profile_Dir/properties and open the ssl.client.props file for editing.
- Search for com.ibm.security.useFIPS and change the property to true.
- Search for com.ibm.websphere.security.FIPSLevel; if the line does not exist, add it, and then set the property to SP800-131.
- Search for com.ibm.ssl.protocol and change the property to TLSv1.2.
- Click and then click server1 to open it.
- Under Server Infrastructure, click .
- Under Additional Properties, click Java Virtual Machine and then click Custom properties.
- Add the following custom properties:
  - com.ibm.team.repository.transport.client.protocol with a value of TLSv1.2
  - com.ibm.jsse2.sp800-131 with a value of strict
  - com.ibm.rational.rpe.tls12only with a value of true
  - com.ibm.jsse2.overrideDefaultTLS with a value of true
  Note: You need to add the com.ibm.jsse2.overrideDefaultTLS property if you are using Java version 8.0.7.0 or later.
- Restart the application server.
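The three ssl.client.props edits above, as an added shell example that is not part of the IBM documentation: set_prop replaces an existing key's value or appends the line when it is missing (the FIPSLevel case), and apply_sp800_131 applies all three settings. The helper names and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the IBM page. Applies the SP800-131 settings to a
# copy of ssl.client.props. Helper names and sample contents are constructed.

# set_prop FILE KEY VALUE: rewrite an existing "KEY=..." line, or append one
# when the key is absent (the com.ibm.websphere.security.FIPSLevel case).
set_prop() {
  file=$1; key=$2; value=$3
  if grep -q "^${key}=" "$file"; then
    # Escape '.' in the key so the sed pattern matches literally.
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    tmp="${file}.tmp"
    sed "s|^${esc}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# apply_sp800_131 FILE: the three property edits from the procedure.
apply_sp800_131() {
  set_prop "$1" com.ibm.security.useFIPS true
  set_prop "$1" com.ibm.websphere.security.FIPSLevel SP800-131
  set_prop "$1" com.ibm.ssl.protocol TLSv1.2
}

# get_prop FILE KEY: print the current value of KEY (empty if absent).
get_prop() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s|^${esc}=||p" "$1" | tail -n 1
}

# Constructed sample resembling a pre-change ssl.client.props (not a real copy):
# useFIPS is false, the FIPSLevel line is missing, and the protocol is not TLSv1.2.
PROPS=$(mktemp)
cat > "$PROPS" <<'EOF'
# constructed sample ssl.client.props
com.ibm.security.useFIPS=false
com.ibm.ssl.protocol=SSL_TLSv2
EOF

apply_sp800_131 "$PROPS"
cat "$PROPS"
```

Run it against a copy of WAS_Profile_Dir/properties/ssl.client.props and diff the result before replacing the real file.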
What to do next
If you cannot access the Integrated Solutions Console from the browser after changing the SSL protocols to TLS 1.2, the browser might not be configured to support the protocol, or might not support it at all. For information about configuring browsers to support TLS 1.2, see Configuring browsers to support Transport Layer Security (TLS) 1.2.