News
Abstract
Starting in versions 9.0.5.6 and 8.5.5.20, WebSphere Application Server provides an option to select the TLSv1.3 protocol when running on IBM Java version 8.0.6.26 (and later)
Content
- The administrative console of WebSphere 9.0.5.6 and 8.5.5.20 and later shows TLSv1.3 when running on IBM Java version 8.0.6.26 and later.
- WebSphere fallback on TLSv1.2 when "TLSv1.3,TLSv1.2" is configured and TLSv1.3 is not supported by the peer.
- If WebServer plug-in is a gateway to the application server, TLSv1.3 must be explicitly enabled: https://www.ibm.com/support/pages/apar/PH17128
- In a mixed cell configuration, careful consideration is required before enabling TLSv1.3 to ensure communications.
- To change DMGR and all NODES to use TLSv1.3, first make changes with only the DMGR running, then restart the DMGR process, and sync each node from the command line. Then bring the DMGR and NODES up. For detailed steps, refer to the technote "How can I configure WebSphere Application Server SSL protocol to use TLSv1.2 ONLY?"
- FIPS 140-2 does not support TLS v1.3. TLS v1.3 will be available with FIPS when FIPS 140-3 certified Java Security provider becomes available for WebSphere to use.
- For WebSphere on zOS, IBMJCEPlus provider was added by PH44197.
| APAR number | APAR abstract | Note | Fixpack versions |
|---|---|---|---|
| PH29840 |
Create the ability to select TLSV1.3 protocol
|
TLSv1.3 protocol could not be combined with other protocols | 9.0.5.6, 8.5.5.20 |
| PH36842 |
Support for a customized list of SSL protocols |
Multiple protocols can be configured.
If TLSv1.3 is unavailable, WebSphere can fallback on TLSv1.2 for server configuration
|
9.0.5.11, 8.5.5.21 |
| PH45688 | Changing the WebSphere default protocol to TLSv1.3,TLSv1.2 | WebSphere's default configuration was changed from SSL_TLSv2 to TLSv1.3,TLSv1.2. Applies to newly created profile only. | 9.0.5.13, 8.5.5.22 |
| PH46566 | TLSV1.3 FALLBACK FOR THIN CLIENT | If TLSv1.3 is unavailable, WebSphere can fallback on TLSv1.2 for thin-client configuration | 9.0.5.13, 8.5.5.22 |
| PH44197 | java.security for WebSphere 855 on zOS requires IBMJCEPlus provider configured | Custom java.security file may need IBMJCEPlus provider manually added in order to make TLSv1.3 available. | 8.5.5.22 |
- IBM JDK 8.0.6.x release notes have recent updates on TLS protocols that users might be interested in.
- These steps are applicable only to operating systems which support the IBMJCEPlus provider, that is AIX, Windows, Linux, IBM i, and z/OS. Reference: https://www.ibm.com/docs/en/sdk-java-technology/8?topic=guide-ibmjceplus-ibmjceplusfips-providers
- The IBM i operating system does not have the IBMJCEPlus provider enabled by default. Enable it by following the instructions in this document: https://www.ibm.com/support/pages/node/6487471
Related Information
How can I configure WebSphere Application Server SSL protocol to use TLSv1.2 ON…
PH29840: CREATE THE ABILITY TO SELECT ADDITIONAL PROTOCOL.
IBM SDK Java Technology Edition Version 8.0 for WebSphere Application Server us…
IBM JDK 8.0.6.25 release notes (Scroll all the way down)
PH17128: Add TLS 1.3 support for IBM HTTP Server and the WAS WebServer plug-in
Was this topic helpful?
Document Information
Modified date:
15 November 2022
UID
ibm16421519