IBM Support

Enable TLSv1.2 and approved ciphers for IBM Control Center

Question & Answer


Question

There is a requirement for IBM Control Center to be able to use TLS 1.2 to communicate with the secure ports, and use a specific list of ciphers. How is this done?

Cause

This change is needed to comply with the terms of a security audit, by making provision for TLSv1.2 to be used to communicate with IBM Control Center.

Answer

Edit your engine.properties file, which is in your 'conf' directory, to set the default protocols and ciphers that you wish to use, using the 'https.cipherSuites', 'com.ibm.jsse2.overrideDefaultProtocol' and 'WEBSERVER_SECURE_PROTOCOL' parameters.

For example:

https.cipherSuites=TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256
com.ibm.jsse2.overrideDefaultProtocol=TLSv12
WEBSERVER_SECURE_PROTOCOL=TLSv1.2

For newer versions, engine.properties is now modified from the Web Console, using the correct HTML tag format.




You must restart the ICC engine for these changes to take effect.
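
A check that can be run against engine.properties before the restart, as an added example that is not IBM's code: it parses the file and reports any of the three parameters that differ from the values shown above. The approved suite list is an assumption (the three suites from this page's example), and the function names and sample input are constructed for illustration.

```python
import re
# EXPECTED holds this page's values; APPROVED_SUITES is an assumed audit list.
EXPECTED = {"com.ibm.jsse2.overrideDefaultProtocol": "TLSv12",
            "WEBSERVER_SECURE_PROTOCOL": "TLSv1.2"}
APPROVED_SUITES = {"TLS_RSA_WITH_AES_256_GCM_SHA384",
                   "TLS_RSA_WITH_AES_256_CBC_SHA256",
                   "TLS_RSA_WITH_AES_128_CBC_SHA256"}

def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comments, '=' or ':' separators,
    backslash line continuation. The last duplicate key wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0]] = parts[1]
    return props

def audit(text, approved=APPROVED_SUITES):
    """Return a list of findings; an empty list means the file matches."""
    props, findings = parse_properties(text), []
    for key, want in EXPECTED.items():
        if props.get(key) != want:
            findings.append(f"{key}: expected {want!r}, found {props.get(key)!r}")
    raw = props.get("https.cipherSuites", "")
    suites = [s.strip() for s in raw.split(",") if s.strip()]
    if not suites:
        findings.append("https.cipherSuites: not set")
    findings += [f"https.cipherSuites: {s} is not on the approved list"
                 for s in suites if s not in approved]
    return findings

# Constructed sample input, not taken from a real installation.
SAMPLE = """\
# engine.properties (constructed)
https.cipherSuites=TLS_RSA_WITH_AES_256_GCM_SHA384, \\
    SSL_RSA_WITH_3DES_EDE_CBC_SHA
com.ibm.jsse2.overrideDefaultProtocol=TLSv12
WEBSERVER_SECURE_PROTOCOL=TLSv1
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The sample yields two findings: the WEBSERVER_SECURE_PROTOCOL value and the suite on the continuation line, which a line-by-line grep would not associate with https.cipherSuites.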

For more information on this subject, see the section of the documentation on Enabling Cipher Suites.

If you haven't already done so, you may also need to update your IBM Control Center Java environment with the IBM JCE unlimited strength policy files. For more on how to do this, see Installing Java Cryptography Extension unlimited strength jurisdiction policy files.


The <ControlCenter>\jre\lib\security\java.security file contains a property called 'jdk.certpath.disabledAlgorithms', which can be used to disable specific algorithms if you wish to prevent their use entirely. By default this is set to 'jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024'. To block other algorithms, add them to this list.

To disable specific cipher suites during TLS handshaking, use the 'jdk.tls.disabledAlgorithms' property. Note that this is part of Java security, rather than Control Center per se. Refer to Disabling Cryptographic Algorithms for documentation; the file itself also contains additional explanatory text that is of interest. Remember to restart IBM Control Center to adopt any changes you make.


Document Information

Modified date:
17 December 2019

UID

swg21993828