Enabling TLS v1.2 on the virtual MDM Workbench
Enable TLS v1.2 on the virtual MDM Workbench by taking the following steps:
Procedure
- Export the server certificate and install it into the JVM used by the virtual MDM Workbench. Use ikeyman to obtain the certificate from the server by taking the following steps:
  - On the machine where the server is installed, open ikeyman.exe in the WebSphere® Application Server jre/bin directory to obtain the certificate from the server.
  - Click the Open a key database file icon, then, in the window that opens, click Browse and locate DummyClientTrustFile.jks in your WebSphere Application Server profile. The default location might be similar to <WebSphere_install_dir>/profiles/<profile_name>/etc/DummyClientTrustFile.jks. Click OK when you find the file.
  - When prompted for a password, use WebAS in a normal installation.
  - Select Signer Certificates from the list, select default_signer, and click Extract. Note the location and name of the certificate as it is required later.
  - Click OK to save the file.
- Update the Default Trust Store by taking the following steps:
  - Copy the exported server certificate to the machine where Workbench is installed and open ikeyman.exe in the Workbench jre/bin directory.
  - Click the Open a key database file icon and browse to the JRE cacerts in the JRE's /lib/security directory.
  - When prompted for a password, enter changeit.
  - Click Add and browse to the file that contains the server certificate you exported. You might need to set the file types field to All files.
  - Click OK when the correct file is selected in the Open window.
  - Enter a label for the certificate.
- Modify the ssl.client.props file to enable TLS v1.2. In a default installation, the config.ini file in <RAD/RSA_install_dir>/configuration defines the com.ibm.SSL.ConfigURL property to point to <RAD/RSA_install_dir>/runtimes/base_stub/properties/ssl.client.props. You can modify this file by taking the following steps:
  - Set com.ibm.security.useFIPS to true.
  - Add com.ibm.websphere.security.FIPSLevel=SP800-131 just after the useFIPS property.
  - Change the com.ibm.ssl.protocol property to TLSv1.2.
  - Optional: You can also point to a different ssl.client.props file by specifying -Dcom.ibm.SSL.ConfigURL=<path_to_your_own_ssl.client.props> on the command line that launches the MDM Workbench in IBM® Rational® Application Developer.
- Add the com.ibm.ws.security.crypto.jar file to the JRE lib/ext directory by taking the following steps:
  - Copy com.ibm.ws.security.crypto.jar from <RAD/RSA_install_dir>/runtimes/base_v85_stub/runtimes to the <RAD/RSA_install_dir>/jdk/jre/lib/ext directory.
  - Restart IBM Rational Application Developer.

The MDM Workbench communicates with the virtual MDM operational server over a JMX connection when a configuration is deployed or when running a job set. Other actions use the virtual MDM operational server API, such as:
- importing a configuration from the Master Data Management menu
- performing Connect and Disconnect actions in the Source Sequence Identifiers view
- comparing a configuration from the Configuration Comparison view
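
To confirm that the ssl.client.props step in the procedure above was applied before you restart, the following added example (not part of the original IBM documentation) checks a properties file for the three values the procedure names. The function names and the sample file content are constructed for illustration; the property keys and required values are the ones given on this page.

```python
"""Check an ssl.client.props file for the three settings from the procedure."""
import sys

# Property values required by the procedure on this page.
REQUIRED = {
    "com.ibm.security.useFIPS": "true",
    "com.ibm.websphere.security.FIPSLevel": "SP800-131",
    "com.ibm.ssl.protocol": "TLSv1.2",
}


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, # and ! comments.

    A later duplicate key overrides an earlier one, as java.util.Properties does.
    Line continuations and escapes are not handled (not needed for these keys).
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or commented-out property
        # Split on whichever of '=' or ':' comes first.
        hits = [i for i in (line.find("="), line.find(":")) if i != -1]
        if not hits:
            continue
        idx = min(hits)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def check_tls12(text):
    """Return (key, expected, actual) for every required setting that is wrong."""
    props = parse_properties(text)
    return [(key, want, props.get(key)) for key, want in REQUIRED.items()
            if props.get(key) != want]


# Constructed sample: only the useFIPS sub-step has been applied, and the
# TLSv1.2 line is still commented out, so it has no effect.
SAMPLE = """\
# constructed sample, not a real ssl.client.props
com.ibm.security.useFIPS=true
com.ibm.ssl.protocol=SSL_TLS
#com.ibm.ssl.protocol=TLSv1.2
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    problems = check_tls12(text)
    for key, want, got in problems:
        print(f"{key}: expected {want!r}, found {got!r}")
    sys.exit(1 if problems else 0)
```

Pass the path that com.ibm.SSL.ConfigURL points to as the first argument; the script exits non-zero and lists each setting that is missing or has a different value.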
Last updated: 27 Jun 2018