Configuring WebSphere Application Server to support TLS 1.2 for NIST SP 800-131

Edit online

To comply with the US government SP 800-131 security standard, you can configure the WebSphere Application Server that hosts IBM® Engineering Lifecycle Management applications to support the Transport Layer Security (TLS) 1.2 protocol.

Procedure

  1. Log in to the WebSphere Application Server Integrated Solutions Console.
  2. Click Security > SSL certificate and key management, and under Related Items, click SSL configurations.
  3. Click the default SSL settings link to open it and, under Additional Properties, click Quality of protection (QoP) settings.
  4. For the protocol, ensure that TLSv1.2 is selected, for the Cipher suite groups, ensure that Strong is selected, and then click Update selected ciphers.
  5. Click OK and save directly to the master configuration.
  6. Click the SSL certificate and key management link and then click Manage FIPS.
  7. In the Manage FIPS window, click Enable SP800-131 and then select Strict.
  8. Click OK. If you see the following non-compliant certificate error, complete these steps:
    ""
    1. Under Related Items, click Convert certificates.
    2. Ensure that the Algorithm setting is Strict.
    3. For the New certificate key size, select 2048 bits.
    4. Click OK and save directly to the master configuration.
  9. Go to WAS_Profile_Dir/properties and open the ssl.client.props file for editing.
  10. Search for com.ibm.security.useFIPS and change the property to true.
  11. Search for com.ibm.websphere.security.FIPSLevel and if the line does not exist add it, and then set the property to SP800-131.
  12. Search for com.ibm.ssl.protocol and change the property to TLSv1.2.
  13. Click Server > Server Types > WebSphere application servers and then click server1 to open it.
  14. Under Server Infrastructure, click Java and Process Management > Process definition.
  15. Under Additional Properties, click Java Virtual Machine and then click Custom properties.
  16. Add the following custom properties:
    • com.ibm.team.repository.transport.client.protocol with a value of TLSv1.2
    • com.ibm.jsse2.sp800-131 with a value of strict
    • com.ibm.rational.rpe.tls12only with a value of true
    • com.ibm.jsse2.overrideDefaultTLS with a value of true
    Note: You need to add the jsse2.overrideDefaultTLS property if you are using Java version 8.0.7.0 or later.
  17. Restart the application server.

What to do next

If you cannot access the Integrated Solutions Console from the browser after changing the SSL protocols to TLS 1.2, the browser might not be configured to support the protocol or does not support the protocol. For information about configuring browsers to support TLS 1.2, see Configuring browsers to support Transport Layer Security (TLS) 1.2.