IBM Support

How do I configure my Engineering Lifecycle Management server with TLSv1.2?

Question & Answer


Question

There are 3 possible avenues to investigate.  To determine which solution is correct for your environment, you need to ask yourself the following questions:

1. Am I looking to enable TLSv1.2 in addition to TLSv1.0 and TLSv1.1?
  • In this case, follow the steps outlined within this document.
2. Am I looking to enable only TLSv1.2 and turn off TLSv1.0 and TLSv1.1 (Non-Strict Mode)?
  • In this case, follow the steps outlined within this document.
3. Am I looking to enable only TLSv1.2 strict mode (NIST SP 800-131)?
  • In this case, follow the steps outlined in this IBM Documentation document.  This document covers all currently supported versions.

Note: When the Engineering Lifecycle Management servers are configured for TLSv1.2 only mode (either strict or nonstrict), all connections to the servers need to also be configured for TLSv1.2 only.  All user browsers and clients are affected.  Generally with this configuration, the entire corporate environment must support the change.

Cause

You are asked to secure your Collaborative Lifecycle Management or Engineering Lifecycle Management server by enabling TLSv1.2.

Answer

How to enable TLSv1.2 in addition to existing protocols:

WebSphere® Application Server:

1. Log in to the WebSphere® Application Server Integrated Solutions Console.
2. Click Security > SSL certificate and key management, and under Related Items, click SSL configurations.
3. Click the default SSL settings link to open it and under Additional Properties, click Quality of protection (QoP) settings.
4. For the protocol, ensure that SSL_TLSv2 is selected, for the cipher suite groups, ensure that Strong is selected, and then click Update selected ciphers.
5. Click OK and save directly to the master configuration.
6. Restart the application server.

WebSphere® Liberty Profile:

TLSv1.0, TLSv1.1, and TLSv1.2 are enabled by default with this configuration.


How to change an existing environment to use only TLSv1.2 (Non-Strict mode):

WebSphere® Application Server:

1. Log in to the WebSphere® Application Server Integrated Solutions Console.
2. Click Security > SSL certificate and key management, and under Related Items, click SSL configurations.
3. Click the default SSL settings link to open it and under Additional Properties, click Quality of protection (QoP) settings.
4. For the protocol, ensure that TLSv1.2 is selected, for the cipher suite groups, ensure that Strong is selected, and then click Update selected ciphers.
5. Click OK and save directly to the master configuration.
6. Go to <WAS_Profile_Dir>/properties and open the ssl.client.props file for editing.
7. Search for com.ibm.ssl.protocol and change the property to TLSv1.2.
8. Click Server > Server Types > WebSphere application servers and then click server1 to open it.
9. Under Server Infrastructure, click Java and Process Management > Process definition.
10. Under Additional Properties, click Java Virtual Machine and then click Custom properties. Add the following custom properties:
  • com.ibm.team.repository.transport.client.protocol with a value of TLSv1.2
  • com.ibm.rational.rpe.tls12only with a value of true
  • jazz.connector.sslEnabledProtocols with a value of TLSv1.2
11. Restart the application server.

WebSphere® Liberty Profile:

Go to <JazzInstallDir>/server and open the server.startup (server.startup.bat on Windows) file for editing.

1. In the file, find the following line and delete it.
Unix
JAVA_OPTS="$JAVA_OPTS -Djazz.connector.sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2" 
Windows
set JAVA_OPTS=%JAVA_OPTS% -Djazz.connector.sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
2. Add the following lines: 
Unix
JAVA_OPTS="$JAVA_OPTS -Djazz.connector.sslEnabledProtocols=TLSv1.2"
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2"
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.rational.rpe.tls12only=true"
Windows
set JAVA_OPTS=%JAVA_OPTS% -Djazz.connector.sslEnabledProtocols=TLSv1.2
set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2
set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.rational.rpe.tls12only=true
3. Save and close the file.
4. Go to <JazzInstallDir>/server/liberty/servers/clm and open the server.xml file for editing.

Note: The server must be started at least one time for the clm directory to be generated.

5. In the <ssl> element with id="defaultSSLConfig", change the sslProtocol attribute to sslProtocol="TLSv1.2".
6. Save and close the file.
7. Restart the ELM servers for changes to take effect.
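
A way to check the Liberty edits before restarting, as an added example that is not IBM's own tooling: it reads the text of server.startup and server.xml and reports every setting that does not match the steps above, including the case where the old sslEnabledProtocols line was left in place after the new ones. The function names and sample inputs are constructed for illustration, and it assumes that the last -D definition of a property on the JVM command line is the one that takes effect.

```python
import re
import xml.etree.ElementTree as ET

# Values the steps above set for TLSv1.2-only (non-strict) mode.
REQUIRED = {
    "jazz.connector.sslEnabledProtocols": "TLSv1.2",
    "com.ibm.team.repository.transport.client.protocol": "TLSv1.2",
    "com.ibm.rational.rpe.tls12only": "true",
}

def effective_jvm_props(startup_text):
    """Collect -Dname=value from JAVA_OPTS lines; a later definition overrides an earlier one (assumption)."""
    props = {}
    for line in startup_text.splitlines():
        s = line.strip()
        if "JAVA_OPTS" not in s or s.startswith(("#", "::")) or s.lower().startswith("rem "):
            continue  # skip unrelated lines and Unix/Windows comments
        for name, value in re.findall(r'-D([\w.\-]+)=("[^"]*"|[^\s"]+)', s):
            props[name] = value.strip('"')
    return props

def audit(startup_text, server_xml_text):
    """Return findings; an empty list means both files match the procedure."""
    findings = []
    props = effective_jvm_props(startup_text)
    for name, want in REQUIRED.items():
        if props.get(name) != want:
            findings.append(f"server.startup: {name}={props.get(name)!r}, expected {want!r}")
    ssl = [e for e in ET.fromstring(server_xml_text).iter("ssl")
           if e.get("id") == "defaultSSLConfig"]
    if not ssl:
        findings.append('server.xml: no <ssl id="defaultSSLConfig"> element')
    for e in ssl:
        if e.get("sslProtocol") != "TLSv1.2":
            findings.append(f"server.xml: sslProtocol={e.get('sslProtocol')!r}, expected 'TLSv1.2'")
    return findings

# Constructed sample inputs (not taken from a real installation).
NEW_LINES = "\n".join(f'JAVA_OPTS="$JAVA_OPTS -D{k}={v}"' for k, v in REQUIRED.items())
OLD_LINE = 'JAVA_OPTS="$JAVA_OPTS -Djazz.connector.sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2"'
XML_OLD = '<server><ssl id="defaultSSLConfig" sslProtocol="SSL_TLSv2"/></server>'
XML_NEW = '<server><ssl id="defaultSSLConfig" sslProtocol="TLSv1.2"/></server>'

if __name__ == "__main__":
    for label, startup, xml in [("unchanged", OLD_LINE, XML_OLD),
                                ("old line left in place", NEW_LINES + "\n" + OLD_LINE, XML_NEW),
                                ("as documented", NEW_LINES, XML_NEW)]:
        print(label, audit(startup, xml))
```

To use it on a real installation, pass the contents of the two files named in the steps above to audit().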

Updating repotools and other command-line utilities:
Documentation for updating related applications and tools can be found in the IBM Documentation.
If you are configuring your environment in nonstrict mode, you can safely omit the following argument:
-Dcom.ibm.jsse2.sp800-131=strict
If you are using any of the Engineering Test Management command-line utilities or adapters, you need to add the following to the JVM command line:
-Dcom.ibm.team.repository.transport.client.protocol="TLSv1.2"

Product Synonym

Rational DOORS Next Generation;Rational Team Concert;Rational Quality Manager;EWM;ELM;ETM;EQM

Document Information

Modified date:
06 March 2024

UID

ibm16213316