
Thread: BSSV for RSS using TLS1.2 on WebSphere

  1. #1
    New Member
    Join Date
    Sep 2006
    Location
    Seattle, WA USA
    Posts
    46

    BSSV for RSS using TLS1.2 on WebSphere

    Hi all,
    Is anyone using BSSV for RSS on WebSphere with TLS 1.2?
    We are trying but have a problem, as a Wireshark capture indicates that the connection is being downgraded to TLS 1.0, which the supplier web site rejects as they require TLS 1.1 or 1.2.
    IBM support says the RSS application is not using the WebSphere default of SSL_TLS2 but is instead using a Java config named X509 Trust Manager.
    We are running WebSphere 9.0.0.2, which uses Java 8 that supports TLS 1.2.
    E1 9.1 tools 9.2.2.5 IBMi v7r2
    Websphere 9.0.0.2

  2. #2
    New Member
    Join Date
    Jul 2004
    Posts
    18
    Hi Larry,

    Any update on this issue? Were you able to resolve this? I am having the same issue.

    Regards,
    Ram

  3. #3
    New Member
    Join Date
    Sep 2006
    Location
    Seattle, WA USA
    Posts
    46

    BSSV for RSS using TLS1.2 on WebSphere

    Quote Originally Posted by ramkitkv View Post
    Hi Larry,

    Any update on this issue? Were you able to resolve this? I am having the same issue.

    Regards,
    Ram
    Hi Ram,

    Yes, it was resolved. The problem is that WebSphere by default will always use TLS1.0 and JDE does not utilize the available WAS console configurations to implement TLS 1.2.
    So, we had to make the following changes:
    Add the following to BSSV app server generic JVM arguments at Application servers > <bssv server> > Process definition > Java Virtual Machine:
    • -Dcom.ibm.jsse2.overrideDefaultTLS=true -Dhttps.protocols=TLSv1.2

    Change SSL configurations at SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings:
    • Protocol = SSL_TLSv2
    Repeat change for all nodes, CellDefaultSSLSettings and XDADefaultSSLSettings.

    Update ssl.client.props at web server <WAS install location>\profiles\AppSrv01\properties:
    • Change com.ibm.ssl.protocol=TLSv1.2

    Update java.security at web server <WAS install location>\java\8.0\jre\lib\security:
    • jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, TLSv1, TLSv1.1

    However, be cautious because of the following:
    1. This config enforces TLS 1.2 and will not allow any SSL connections with TLS 1.0 or 1.1. So, all communications with RSS suppliers must be at TLS 1.2. We have not found a way to limit the implementation to only designated suppliers.
    2. Since this was implemented we now have an issue that SMC agents on the machines updated cannot communicate with SM console even though we do not have SMC configured for SSL. Oracle support thinks it still might be an issue and said that SMC agents are hard coded to always use TLS 1.0. So, we are trying to find options to limit the TLS1.2 config to only the BSSV instances.
    E1 9.1 tools 9.2.2.5 IBMi v7r2
    Websphere 9.0.0.2
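
A check for the file-based settings listed in the post above, added here as an example (not code from the poster, IBM or Oracle). It parses the generic JVM arguments, ssl.client.props and java.security text and reports what differs from the post; the function names and sample inputs are constructed for illustration, and the console QoP protocol setting is not checked.

```python
import re

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_props(text):
    """Parse Java .properties text, joining backslash-continued lines."""
    props = {}
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def csv_set(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def audit(jvm_args, ssl_client_props, java_security):
    """Return findings where the inputs differ from the settings in the post."""
    findings = []
    # Generic JVM arguments: per-server scope (only this app server's JVM).
    sysprops = dict(a[2:].split("=", 1) for a in jvm_args.split()
                    if a.startswith("-D") and "=" in a)
    if sysprops.get("com.ibm.jsse2.overrideDefaultTLS") != "true":
        findings.append("jvm-args: com.ibm.jsse2.overrideDefaultTLS is not true")
    offered = csv_set(sysprops.get("https.protocols", ""))
    if not offered or offered & LEGACY:
        findings.append("jvm-args: https.protocols unset or offers %s"
                        % sorted(offered & LEGACY))
    # ssl.client.props: per-profile scope.
    if parse_props(ssl_client_props).get("com.ibm.ssl.protocol") != "TLSv1.2":
        findings.append("ssl.client.props: com.ibm.ssl.protocol is not TLSv1.2")
    # java.security: per-JRE scope, read by every JVM started from this JRE.
    disabled = csv_set(parse_props(java_security).get("jdk.tls.disabledAlgorithms", ""))
    still_on = sorted({"TLSv1", "TLSv1.1"} - disabled)
    if still_on:
        findings.append("java.security: not disabled: " + ", ".join(still_on))
    return findings

# Constructed sample inputs (not taken from a real server).
BEFORE = ("-Xms512m", "com.ibm.ssl.protocol=SSL_TLS\n",
          "# constructed\njdk.tls.disabledAlgorithms=SSLv3, RC4, \\\n    MD5withRSA, DH keySize < 768\n")
AFTER = ("-Xms512m -Dcom.ibm.jsse2.overrideDefaultTLS=true -Dhttps.protocols=TLSv1.2",
         "com.ibm.ssl.protocol=TLSv1.2\n",
         "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\\n    DH keySize < 768, TLSv1, TLSv1.1\n")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(*cfg) or "matches the post's settings")
```

The scope comments matter when reading the findings: the JVM arguments apply to one application server, while java.security is shared by every JVM launched from that JRE.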

  4. #4
    New Member
    Join Date
    Jul 2004
    Posts
    18
    Thank you Larry. We are using WebLogic server. Do you know how to do the same in WLS? Appreciate your help.

    Thanks,
    Ram

  5. #5
    Member Tom_Davidson's Avatar
    Join Date
    Nov 2000
    Location
    Wisconsin, USA
    Posts
    757
    Ram,

    I'm in the same boat, my vendor tells me I have to go to Java 7, but changing the Java Home had no effect. I have an SR open with Oracle. I'll share if I get a resolution. Please do also.

    Tom
    Cleindori Consulting
    8.12/8.98.4.14, 9.1/9.1.5.3, 9.2/9.2.0.5/6
    IBM i, WebLogic on Windows, DBCS, Global installations.

  6. #6
    New Member
    Join Date
    Sep 2006
    Location
    Seattle, WA USA
    Posts
    46

    BSSV for RSS using TLS1.2 on WebSphere

    Quote Originally Posted by ramkitkv View Post
    Thank you Larry. We are using WebLogic server. Do you know how to do the same in WLS? Appreciate your help.

    Thanks,
    Ram
    Sorry Ram, I am not familiar with WebLogic.
    E1 9.1 tools 9.2.2.5 IBMi v7r2
    Websphere 9.0.0.2

  7. #7
    Quote Originally Posted by Tom_Davidson View Post
    Ram,

    I'm in the same boat, my vendor tells me I have to go to Java 7, but changing the Java Home had no effect. I have an SR open with Oracle. I'll share if I get a resolution. Please do also.

    Tom
    After upgrading to JDK 7 try adding -Dweblogic.security.SSL.protocolVersion=TLS1.2 to the Java options for the instance to force 1.2. You may also need to add -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2.
    Russell Codlin
    www.rinami.com
    Capital Asset Management & Manufacturing Specialists
    REST Integration, IoT, Mobile Applications and Job Scheduling for all E1 releases from 9.2 back to 8.11SP1

  8. #8
    Member Tom_Davidson's Avatar
    Join Date
    Nov 2000
    Location
    Wisconsin, USA
    Posts
    757
    Ram,

    I am trying to get WLS 10.3.5 to run on Java 7, you can follow this thread to see if I get any answers: https://www.jdelist.com/vb4/showthread.php?t=54755

    Tom
    Cleindori Consulting
    8.12/8.98.4.14, 9.1/9.1.5.3, 9.2/9.2.0.5/6
    IBM i, WebLogic on Windows, DBCS, Global installations.

  9. #9
    Member Tom_Davidson's Avatar
    Join Date
    Nov 2000
    Location
    Wisconsin, USA
    Posts
    757
    Russell,

    Thank you! I did have to add both options in order to get TLS 1.2 to work.

    Tom
    Cleindori Consulting
    8.12/8.98.4.14, 9.1/9.1.5.3, 9.2/9.2.0.5/6
    IBM i, WebLogic on Windows, DBCS, Global installations.
