Configuring the WebSphere Application Server to support TLS 1.2

To comply with the US government SP 800-131 security standard, you can configure the WebSphere® Application Server that hosts the HP adapter application to support the Transport Layer Security (TLS) 1.2 protocol.

About this task

You use the administrative console to change the SSL protocols to TLS 1.2.

Procedure

  1. Log in to the WebSphere Application Server Integrated Solutions Console.
  2. Click Security > SSL certificate and key management, and under Related Items, click SSL configurations.
  3. Click the default SSL settings link to open it and, under Additional Properties, click Quality of protection (QoP) settings.
  4. For the protocol, ensure that TLSv1.2 is selected, for the Cipher suite groups, ensure that Strong is selected, and then click Update selected ciphers.
  5. Click OK and save directly to the master configuration.
  6. Click the SSL certificate and key management link and then click Manage FIPS.
  7. In the Manage FIPS window, click Enable SP800-131 and then select Strict.
  8. Click OK. If you see the non-compliant certificate error Could not enable FIPS Level=SP 800-131 - Strict Non-compliant certificate(s) is found, complete these steps:
    1. Under Related Items, click Convert certificates.
    2. Ensure that the Algorithm setting is Strict.
    3. For the New certificate key size, select 2048 bits.
    4. Click OK and save directly to the master configuration.
  9. Go to WAS_Profile_Dir/properties and open the ssl.client.props file for editing.
  10. Search for com.ibm.security.useFIPS and change the property to true.
  11. Search for com.ibm.websphere.security.FIPSLevel and if the line does not exist then add it, and set the property to SP800-131.
  12. Search for com.ibm.ssl.protocol and change the property to TLSv1.2.
  13. Click Server > Server Types > WebSphere application servers and then click server1 to open it.
  14. Under Server Infrastructure, click Java and Process Management > Process definition.
  15. Under Additional Properties, click Java Virtual Machine and then click Custom properties.
  16. Add the following custom properties:
    • com.ibm.oslc.qm.adapter.hpqc.transport.client.protocol with a value of TLSv1.2
    • com.ibm.jsse2.sp800-131 with a value of strict
  17. Restart the application server.

Results

You changed the SSL protocols to TLS 1.2.

What to do next

If you cannot access the adapter from the browser after you change the SSL protocols to TLS 1.2, the browser might not be configured to support the protocol or does not support the protocol. For information about configuring browsers to support TLS 1.2, see Configuring browsers to support TLS 1.2.

Feedback