BSSV for RSS using TLS1.2 on WebSphere

Larry Williams

Hi all,
Is anyone using BSSV for RSS on WebSphere with TLS 1.2?
We are trying but have a problem, as a Wireshark capture indicates that the connection is being downgraded to TLS 1.0, which the supplier web site rejects as they require TLS 1.1 or 1.2.
IBM support says the RSS application is not using the WebSphere default of SSL_TLS2 but is instead using a Java config named X509 Trust Manager.
We are running WebSphere 9.0.0.2, which uses Java 8 that supports TLS 1.2.
 
Hi Larry,

Any update on this issue? Were you able to resolve this? I am having the same issue.

Regards,
Ram
 
Hi Ram,

Yes, it was resolved. The problem is that WebSphere by default will always use TLS 1.0, and JDE does not utilize the available WAS console configurations to implement TLS 1.2.
So, we had to make the following changes:
Add the following to BSSV app server generic JVM arguments at Application servers > <bssv server> > Process definition > Java Virtual Machine:
• -Dcom.ibm.jsse2.overrideDefaultTLS=true -Dhttps.protocols=TLSv1.2

Change SSL configurations at SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings:
• Protocol = SSL_TLSv2
Repeat change for all nodes, CellDefaultSSLSettings and XDADefaultSSLSettings.

Update ssl.client.props at web server <WAS install location>\profiles\AppSrv01\properties:
• Change com.ibm.ssl.protocol=TLSv1.2

Update java.security at web server <WAS install location>\java\8.0\jre\lib\security:
• jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, TLSv1, TLSv1.1

However, be cautious, because of the following:
1. This config enforces TLS 1.2 and will not allow any SSL connections with TLS 1.0 or 1.1. So, all communications with RSS suppliers must be at TLS 1.2. We have not found a way to limit the implementation to only designated suppliers.
2. Since this was implemented we now have an issue that SMC agents on the machines updated cannot communicate with the SM console, even though we do not have SMC configured for SSL. Oracle support thinks it still might be an issue and said that SMC agents are hard coded to always use TLS 1.0. So, we are trying to find options to limit the TLS 1.2 config to only the BSSV instances.
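As an added check to go with the steps above (this is my own example, not code from the thread, from JD Edwards or from IBM): a small Python audit that reads the three settings Larry lists (the generic JVM arguments, ssl.client.props and the jdk.tls.disabledAlgorithms line in java.security) and reports whether TLS 1.2 is enforced end to end. It also flags the scope problem from caveat 2: a change to java.security applies to every process that runs on that JRE, not only to the BSSV server. The sample contents below are constructed to match the post and are not taken from a real installation; the property names are the ones the post itself uses.

```python
# Audit helper for the WebSphere TLS 1.2 settings described above.
# Constructed sample inputs, modelled on the post; not copied from a live system.
JVM_ARGS = "-Xms512m -Dcom.ibm.jsse2.overrideDefaultTLS=true -Dhttps.protocols=TLSv1.2"

SSL_CLIENT_PROPS = """\
# constructed excerpt of ssl.client.props
com.ibm.ssl.protocol=TLSv1.2
com.ibm.ssl.trustStore=/placeholder/path/to/trust.p12
"""

JAVA_SECURITY = """\
# constructed excerpt of java.security (continuation lines are joined)
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \\
    TLSv1, TLSv1.1
"""

# Protocol names as they appear in jdk.tls.disabledAlgorithms; order is oldest first.
KNOWN_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def parse_properties(text):
    """Minimal Java .properties parser: handles comments and backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def jvm_system_properties(args):
    """Extract -Dkey=value pairs from a generic JVM arguments string."""
    props = {}
    for token in args.split():
        if token.startswith("-D"):
            key, sep, value = token[2:].partition("=")
            props[key] = value if sep else "true"
    return props


def disabled_protocols(java_security_text):
    """Protocol versions named in jdk.tls.disabledAlgorithms (other entries ignored)."""
    props = parse_properties(java_security_text)
    entries = [e.strip() for e in props.get("jdk.tls.disabledAlgorithms", "").split(",")]
    return {e for e in entries if e in KNOWN_PROTOCOLS}


def enabled_protocols(java_security_text):
    """Protocol versions the JRE would still negotiate after java.security is applied."""
    disabled = disabled_protocols(java_security_text)
    return [p for p in KNOWN_PROTOCOLS if p not in disabled]


def audit(jvm_args, ssl_client_props, java_security):
    """Return findings (gaps that leave TLS 1.0/1.1 reachable) and scope warnings."""
    findings, warnings = [], []
    sysprops = jvm_system_properties(jvm_args)
    if sysprops.get("com.ibm.jsse2.overrideDefaultTLS") != "true":
        findings.append("JVM: com.ibm.jsse2.overrideDefaultTLS is not true")
    if "TLSv1.2" not in sysprops.get("https.protocols", "").split(","):
        findings.append("JVM: https.protocols does not include TLSv1.2")
    if parse_properties(ssl_client_props).get("com.ibm.ssl.protocol") != "TLSv1.2":
        findings.append("ssl.client.props: com.ibm.ssl.protocol is not TLSv1.2")
    enabled = enabled_protocols(java_security)
    legacy = [p for p in ("SSLv3", "TLSv1", "TLSv1.1") if p in enabled]
    if legacy:
        findings.append("java.security: still enabled: " + ", ".join(legacy))
    else:
        # Caveat from the post: java.security is JRE-wide, so every process on this
        # JRE (not just the BSSV server) loses TLS 1.0/1.1.
        warnings.append("java.security disables TLS 1.0/1.1 for every process on this JRE")
    return {"enforced": not findings, "enabled_protocols": enabled,
            "findings": findings, "warnings": warnings}


if __name__ == "__main__":
    for key, value in audit(JVM_ARGS, SSL_CLIENT_PROPS, JAVA_SECURITY).items():
        print(f"{key}: {value}")
```

Run it against copies of the real files (read them into the three strings) to confirm all three layers agree before capturing traffic again; a single missed layer is enough for the client to fall back to TLS 1.0, which is what the Wireshark capture in the original question showed.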
 
Thank you, Larry. We are using WebLogic Server. Do you know how to do the same in WLS? Appreciate your help.

Thanks,
Ram
 
Ram,

I'm in the same boat, my vendor tells me I have to go to Java 7, but changing the Java Home had no effect. I have an SR open with Oracle. I'll share if I get a resolution. Please do also.

Tom
 
After upgrading to JDK 7, try adding -Dweblogic.security.SSL.protocolVersion=TLS1.2 to the Java options for the instance to force 1.2. You may also need to add -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2.
 
Russell,

Thank you! I did have to add both options in order to get TLS 1.2 to work.

Tom
 