WebSphere Application Server versions to support TLS 1.2
WAS 7.0.0.23 onwards, 8.0.0.3 onwards and 8.5
configuration detail:
https://developer.ibm.com/answers/questions/206952/how-do-i-configure-websphere-application-server-ss.html
Accepted answer
The following steps work from WAS 7.0.0.23 onwards, 8.0.0.3 onwards and 8.5.
System administrators may also want to look into backing up and restoring the configuration before the TLSv1.2 configuration, as it will affect communication with other programs.
backupConfig command for v8 (contains URL link to restoreConfig command)
backupConfig command for v7 (contains URL link to restoreConfig command)
Modify all WebSphere SSL configurations by running the following manual steps from the WebSphere Application Server console:
a. Log in to the WebSphere Application Server Integrated Solutions Console.
b. Click Security > SSL certificate and key management, and under Related Items, click SSL configurations (such as CellDefaultSSLSettings, NodeDefaultSSLSettings and any other SSL configuration).
Note: Each node has its own NodeDefaultSSLSettings, and the above setting will APPLY to BOTH inbound and outbound SSL communication.
d. Select each SSL configuration described above, then click Quality of protection (QoP) settings under Additional Properties.
e. On the Quality of protection (QoP) settings panel, select TLSv1.2 from the pull-down list in the box named Protocol, changing the protocol to TLSv1.2.
f. Click Apply and Save.
Update ssl.client.props:
The SSL protocol is set with the com.ibm.ssl.protocol property in the ssl.client.props file. Edit the ssl.client.props file and set the com.ibm.ssl.protocol value to TLS.
For example, modify com.ibm.ssl.protocol=TLSv1.2. This must be done for each ssl.client.props file under the following directories:
For Node example WAS_install\profiles\AppSrv01\properties
For DMGR example WAS_install\profiles\Dmgr01\properties
Restart the dmgr using the stopManager command and the startManager command.
Stop the node: WAS_install\profiles\AppSrv01\bin\stopNode.bat -username -password
Stop all Application Servers running on this node using stopserver command
Note: If any of these cannot be stopped properly due to permission issues or some other issue, you will have to kill each of them manually by logging on to the machines and killing the appropriate deployment manager, node agent and application server processes.
Synchronize the node using syncnode command
you must run the syncNode.bat or syncNode.sh command from the command line on each federated node, otherwise the nodes will not synchronize in the administrative console. For additional information on the syncNode command,
Windows <was_home>/<profile_home>/bin/syncNode.bat <deploymgr host> <deploymgr soap port>
Unix <was_home>/<profile_home>/bin/syncNode.sh <deploymgr host> <deploymgr soap port>
Note: If you don't know the <deploymgr soap port> number, you can check it from the console under System administration > Deployment manager > Ports. Look for SOAP_CONNECTOR_ADDRESS.
Start the node agent on each federated node, and then synchronize nodes in the administrative console.
From WAS_install\profiles\AppSrv01\bin\syncNode.bat dmgrhostname dmgrsoapport -username consoleadminuser -password consoleuserpassword
Start the node: From WAS_install\profiles\AppSrv01\bin\startNode.bat
Check the sync status of the node from the console, and then start the application server from the console.
TESTING Methods
USING BROWSER
Testing: configure browsers to support only TLS 1.2, then access the admin console or the application.
Restriction: The only browsers that currently support TLSv1.2 are Internet Explorer and Mozilla Firefox.
1. To configure Internet Explorer version 8 and later, complete these steps:
a. In Internet Explorer, click Tools > Internet Options.
b. In the Internet Options dialog box, click the Advanced tab.
c. Scroll to the Security section, select the Use TLS 1.2 check box, and click OK.
2. To configure Firefox version 24 and later, complete these steps:
a. Open a Firefox browser and enter about:config in the address bar.
b. When prompted, click I'll be careful, I promise! and accept the warning.
c. Search for security.tls.version.max.
d. Double-click security.tls.version.max and change the value to 3 to configure the browser to support TLS1.2.
Tip: Value of 1 supports TLS1.0. Value of 2 supports TLS1.0 and TLS1.1. Value of 3 supports TLS1.0, TLS1.1, and TLS1.2.
USING External Tools such as OPENSSL
You can use openssl s_client to connect to WAS using an SSL port, such as the console SSL port or an application server SSL port:
openssl s_client -connect webspherehostname:consolesslport -tls1_2
example
openssl s_client -connect webspherehostname:9443 -tls1_2
If it connects to the WAS system, it will display the certificate chain and the handshake details in the command prompt. Based on this you will know that the WAS system is configured to support TLSv1.2.
Note: The above steps apply to other protocols, such as TLSv1.1 or SSL_TLSv2.
=================================================================================
Frequently asked questions (FAQ) or questions and answers (Q&A) are listed as follows
=================================================================================
Question: Is TLS v1.2 supported in WebSphere Full Profile 7.0, 8.0, 8.5? What's minimum fix pack?
Answer: TLSv1.2 is supported on V7.0.0.23 onwards, on 8.0.0.3 onwards, and on 8.5.0.0.
Question: Is TLS v1.2 supported in WebSphere Liberty Profile 8.5.5? What's minimum fix pack?
Answer: Liberty can be configured with any JDK, so it depends on which JDK version is configured with the Liberty profile. If you are using IBM JDK v1.6 SR11 then it is supported; if you are using a version below this JDK then it is not supported.
TLSv1.2 was introduced in JDK 1.6 SR10, which means it starts from WAS 7.0.0.23 (JDK 1.6 SR10 FP1) onwards.
see the following link
JSSE enhancements The following enhancements were made in the JSSE in IBM SDK for Java™ V6 service refresh 10:
The IBMJSSE2 provider now supports Transport Layer Security (TLS) 1.1 as described in RFC 4346. The most important update is protection against cipher block chaining (CBC) attacks.
**The IBMJSSE2 provider now supports TLS 1.2 as described in RFC 5246. Among other things, this RFC specifies different internal hashing algorithms, adds new cipher suites, and contains improved flexibility, particularly for negotiation of cryptographic algorithms**.
Service refresh 10
Question: Which cipher suites are supported with the TLSv1.2 protocol?
Answer: Cipher suites with SHA384 and SHA256 are available only for TLS 1.2 or later. For more details, please see the following link
Cipher suites
Question: Do I have to enable FIPS strict mode in order to use TLSv1.2?
Answer: No. You can configure WAS to use TLSv1.2 without FIPS.
Question: WAS is acting as an SSL client. Does the remote SSL server have to use TLSv1.2 as well in order to work?
Answer: Yes, BOTH the client side and the server side MUST use TLSv1.2 for SSL communication.
Question: WAS is acting as an SSL client. What if the remote SSL server supports only TLSv1.0 or TLSv1.1? Similarly, WAS is acting as an SSL server. What if the remote SSL client supports only TLSv1.0, TLSv1.1 or TLSv1.2? What should be done to make such environments work?
Answer: There is an alternative option, SSL_TLSv2, which will enable support for TLSv1.0, TLSv1.1 and TLSv1.2 in the environment. Please use the SSL_TLSv2 setting in environments where support for multiple TLS protocols is required, or if you are not sure whether your WAS environment interacts with other servers or clients using non-TLSv1.2 protocols. You can configure WAS to use SSL_TLSv2 using the same steps as given above.
Note:
Without the POODLE fix, and with WAS configured to use SSL_TLSv2:
SSL_TLSv2 ==> Enables all SSL v3.0 and TLS v1.0, v1.1 and v1.2 protocols. Accepts an SSLv3 or TLSv1 hello encapsulated in an SSLv2 format hello.
If you installed the POODLE fix (which disables SSLv3) and configured WAS to use SSL_TLSv2:
SSL_TLSv2 ==> Enables the three TLS v1.0, v1.1 and v1.2 protocols.
Question: Why do I receive a GSK_ERROR_SOCKET_CLOSED (gsk rc = 420) error, when WebSphere Application Server and IBM HTTP Server are configured to use TLSv1.2?
Answer: You need to have StrictSecurity="true" in the plugin-cfg.xml for TLSv1.2 to work. For more details, see the following link
Best Regards
Ram
Please note that IBM HTTP Server (IHS) v7.0 and the IBM web server Plug-in v7.0 do NOT support TLSv1.1 or TLSv1.2. So, enabling TLSv1.2 in WAS may cause a failure if you are using the v7.0 web server Plug-in.
For TLSv1.2 support in IHS and Plug-in, you need to upgrade to v8.x. Please see the following page:
How do I change my WebSphere SSL configuration to use protocol TLSv1.2 in a standalone WebSphere Application Server where you have a server named server1? Please see the following YouTube link.
The above manual steps are for an ND environment where you have a dmgr, node agents and application servers.
Best Regards
Ram Arika
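The ssl.client.props step above (set com.ibm.ssl.protocol in every profile's properties directory) is easy to get wrong when a cell has many nodes, because one profile left on the old value stops that node's client-side connections from negotiating. The script below is an added example, not code from the answer or from IBM: it rewrites the property in each profile given on the command line, keeps a .bak copy of each file, and echoes the resulting value per profile so a mismatch is visible. It assumes POSIX sh with sed and grep and a Unix-style layout of <profile_dir>/properties/ssl.client.props; the /opt/IBM/... paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answer: set com.ibm.ssl.protocol in the
# ssl.client.props file of every WebSphere profile directory given on the command line,
# keeping a .bak copy of each file so the change can be reverted.
# Assumptions: POSIX sh with sed/grep, and a Unix-style layout
# <profile_dir>/properties/ssl.client.props (the answer shows the Windows equivalent).

# set_ssl_protocol FILE PROTOCOL
# Rewrites the existing com.ibm.ssl.protocol line, or appends one if the file has none.
set_ssl_protocol() {
    file=$1
    proto=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    cp -p "$file" "$file.bak"
    if grep -q '^com\.ibm\.ssl\.protocol=' "$file"; then
        # Write from the backup to the live file; works with any sed (no -i needed)
        sed "s/^com\.ibm\.ssl\.protocol=.*/com.ibm.ssl.protocol=$proto/" "$file.bak" > "$file"
    else
        printf 'com.ibm.ssl.protocol=%s\n' "$proto" >> "$file"
    fi
}

# get_ssl_protocol FILE
# Prints the configured protocol value, or nothing if the property is unset.
get_ssl_protocol() {
    sed -n 's/^com\.ibm\.ssl\.protocol=//p' "$1" | tail -n 1
}

# update_profiles PROTOCOL PROFILE_DIR...
# Applies the protocol to <dir>/properties/ssl.client.props for each profile directory
# and prints the resulting value for each, so a node left on the old value stands out.
update_profiles() {
    proto=$1
    shift
    for dir in "$@"; do
        props="$dir/properties/ssl.client.props"
        set_ssl_protocol "$props" "$proto" || return 1
        printf '%s: com.ibm.ssl.protocol=%s\n' "$props" "$(get_ssl_protocol "$props")"
    done
}

# Usage (paths are assumptions):
#   sh set_ssl_protocol.sh TLSv1.2 /opt/IBM/WebSphere/AppServer/profiles/Dmgr01 \
#       /opt/IBM/WebSphere/AppServer/profiles/AppSrv01
if [ "$#" -ge 2 ]; then
    update_profiles "$@"
fi
```

Run it before the restart and syncNode steps, and keep the .bak files until the cell has been verified; restoring one is a plain copy back, which is simpler than a full restoreConfig when only the client properties changed.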
Alternately on the IHS side
Here is how to disable all protocols except TLS 1.2 in your IBM HTTP Server.
Add the following lines in the VirtualHost stanza for your SSL configuration. (For each VH:SSL port configured).
SSLProtocolEnable TLSv12
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
Now if I wanted to allow only a specific cipher within TLS 1.2 (example is below), I would add the SSLCipherSpec directive as a 3rd line.
SSLCipherSpec TLSv12 TLS_RSA_WITH_AES_256_CBC_SHA256
To verify what is allowed, one can use the following command in IBM http server
/opt/ibm/HTTPServer/bin/apachectl -DDUMP_SSL_CONFIG
Optionally, a debug-level IHS error log would give you the same information during startup.
NOTE: Any change to the IHS httpd.conf file needs a server restart for it to take effect.
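The openssl s_client check in the accepted answer, and the apachectl -DDUMP_SSL_CONFIG check in the IHS answer, each show one side of the picture: the first that TLSv1.2 is accepted, the second what the configuration says. Neither shows that the older protocols are actually refused on the wire. The script below is an added example, not code from either answer or from IBM: it runs the same s_client probe once per protocol flag and reads the captured output to decide whether a session was negotiated. It assumes POSIX sh, an openssl binary on PATH that understands the -tls1* flags, and network access to the port when probe_protocols is used; the sample outputs and the host name in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not part of either answer above: verify from the outside which
# protocol versions a WebSphere or IHS SSL port accepts, by running the openssl
# s_client probe from the answer once per protocol flag and reading the result.
# Assumptions: POSIX sh, an openssl binary on PATH that understands the -tls1* flags,
# and network access to the target port when probe_protocols is used.

# handshake_result FILE
# FILE holds captured `openssl s_client` output. Prints "<protocol> <cipher>" when a
# session was negotiated, or "none" when the handshake failed. The Protocol line alone
# is not enough: on a failed handshake s_client still prints an SSL-Session block, but
# with "Cipher : 0000" (or "(NONE)"), so the cipher line decides.
handshake_result() {
    cipher=$(sed -n 's/^ *Cipher *: *//p' "$1" | head -n 1)
    proto=$(sed -n 's/^ *Protocol *: *//p' "$1" | head -n 1)
    case "$cipher" in
        ""|0000|"(NONE)") printf 'none\n' ;;
        *) printf '%s %s\n' "$proto" "$cipher" ;;
    esac
}

# probe_protocols HOST PORT
# Tries each protocol flag in turn and prints one line per flag. A flag the local
# openssl build no longer supports (for example -ssl3) also shows as "rejected", so
# confirm with `openssl version` that a rejection comes from the server, not the client.
probe_protocols() {
    host=$1
    port=$2
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        out=$(mktemp)
        # </dev/null closes stdin so s_client exits as soon as the handshake completes;
        # "|| true" keeps a refused handshake from aborting the loop under set -e
        openssl s_client -connect "$host:$port" "$flag" </dev/null >"$out" 2>&1 || true
        result=$(handshake_result "$out")
        rm -f "$out"
        if [ "$result" = none ]; then
            printf '%s rejected\n' "$flag"
        else
            printf '%s accepted (%s)\n' "$flag" "$result"
        fi
    done
}

# Constructed sample outputs (trimmed) for offline checking of handshake_result;
# the cipher name is OpenSSL's spelling of TLS_RSA_WITH_AES_256_CBC_SHA256.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256'
SAMPLE_FAIL='CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

# Usage: sh tls_probe.sh webspherehostname 9443   (host name as in the answer)
if [ "$#" -eq 2 ]; then
    probe_protocols "$1" "$2"
fi
```

For a port locked to TLSv1.2 as described above, the expected output is three "rejected" lines followed by "-tls1_2 accepted (TLSv1.2 <cipher>)"; with SSL_TLSv2 configured instead, -tls1 and -tls1_1 are accepted as well (and -ssl3 too, unless the POODLE fix is installed). Run the probe against the console port, each application server port, and the IHS virtual host port, since each has its own configuration.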