BSSV for RSS using TLS1.2 on WebSphere
Hi all,
Is anyone using BSSV for RSS on WebSphere with TLS 1.2?
We are trying, but have a problem: a Wireshark capture indicates that the connection is being downgraded to TLS 1.0, which the supplier website rejects as they require TLS 1.1 or 1.2.
IBM support says the RSS application is not using the WebSphere default of SSL_TLS2 but is instead using a Java config named X509 Trust Manager.
We are running WebSphere 9.0.0.2, which uses Java 8 that supports TLS 1.2.
Quote:
Originally Posted by
ramkitkv
Hi Larry,
Any update on this issue? Were you able to resolve this? I am having the same issue.
Regards,
Ram
Hi Ram,
Yes, it was resolved. The problem is that WebSphere by default will always use TLS1.0 and JDE does not utilize the available WAS console configurations to implement TLS 1.2.
So, we had to make the following changes:
Add the following to BSSV app server generic JVM arguments at Application servers > <bssv server> > Process definition > Java Virtual Machine:
• -Dcom.ibm.jsse2.overrideDefaultTLS=true -Dhttps.protocols=TLSv1.2
Change SSL configurations at SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings:
• Protocol = SSL_TLSv2
Repeat change for all nodes, CellDefaultSSLSettings and XDADefaultSSLSettings.
Update ssl.client.props at web server <WAS install location>\profiles\AppSrv01\properties:
• Change com.ibm.ssl.protocol=TLSv1.2
Update java.security at web server <WAS install location>\java\8.0\jre\lib\security:
• jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, TLSv1, TLSv1.1
However, be cautious, because of the following:
1. This config enforces TLS 1.2 and will not allow any SSL connections with TLS 1.0 or 1.1. So, all communications with RSS suppliers must be at TLS 1.2. We have not found a way to limit the implementation to only designated suppliers.
2. Since this was implemented, we now have an issue that SMC agents on the updated machines cannot communicate with the SM console even though we do not have SMC configured for SSL. Oracle support thinks it still might be an issue and said that SMC agents are hard-coded to always use TLS 1.0. So, we are trying to find options to limit the TLS 1.2 config to only the BSSV instances.
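A small audit script for the java.security and ssl.client.props edits above, added here as an example and not part of the original post or of any IBM/Oracle tooling. It reads both files the way java.util.Properties does (including the backslash continuation lines that jdk.tls.disabledAlgorithms is often split across) and reports which protocol versions the JVM still allows; the file fragments in it are constructed samples, not copied from a live profile.

```python
"""Audit the TLS-version settings a WebSphere/IBM JDK profile ends up with.
Added example, not from the thread: it parses the two Java properties files
the post edits (java.security, ssl.client.props), handles backslash line
continuations, and reports which protocol versions stay enabled."""

TLS_VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value pairs
    and trailing-backslash continuation lines (used by jdk.tls.disabledAlgorithms)."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        logical += line
        if logical.endswith("\\"):  # value continues on the next line
            logical = logical[:-1]
            continue
        key, sep, value = logical.partition("=")
        if sep:
            props[key.strip()] = value.strip()
        logical = ""
    return props

def enabled_protocols(java_security_text):
    """Protocol versions not named in jdk.tls.disabledAlgorithms."""
    props = parse_properties(java_security_text)
    disabled = {s.strip() for s in props.get("jdk.tls.disabledAlgorithms", "").split(",")}
    return [v for v in TLS_VERSIONS if v not in disabled]

def audit(java_security_text, ssl_client_props_text):
    """tls12_only needs every pre-1.2 version disabled JVM-wide and the admin
    client pinned to TLSv1.2; being JVM-wide, it also hits other TLS 1.0 users."""
    enabled = enabled_protocols(java_security_text)
    client = parse_properties(ssl_client_props_text).get("com.ibm.ssl.protocol", "")
    return {"enabled_protocols": enabled, "client_protocol": client,
            "tls12_only": enabled == ["TLSv1.2"] and client == "TLSv1.2"}

# Constructed samples: java.security before and after the edit in the post.
JAVA_SECURITY_BEFORE = "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768\n"
JAVA_SECURITY_AFTER = """# constructed fragment
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \\
    TLSv1, TLSv1.1
"""
SSL_CLIENT_PROPS_AFTER = "com.ibm.ssl.protocol=TLSv1.2\n"

if __name__ == "__main__":
    print(audit(JAVA_SECURITY_BEFORE, SSL_CLIENT_PROPS_AFTER))
    print(audit(JAVA_SECURITY_AFTER, SSL_CLIENT_PROPS_AFTER))
```

Point the two constants at the real files under the profile and JRE paths named in the post to check a node after the change; a result where TLSv1 is still enabled is exactly the state in which the supplier sees the downgrade.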
Quote:
Originally Posted by
ramkitkv
Thank you Larry. We are using WebLogic server. Do you know how to do the same in WLS. Appreciate your help.
Thanks,
Ram
Sorry Ram, I am not familiar with WebLogic.