IBM Support

Configure TLSv1.2 in IBM HTTP Server and IBM WebSphere Application Server for CCRC WAN Server and ClearQuest Web Server

Question & Answer


Question

How do you configure IBM HTTP Server (IHS), the web server plug-in, and WebSphere Application Server (WAS) to enforce the use of TLSv1.2 (SP800-131 security standard)?

Answer

Prerequisites:

  1. IBM HTTP Server - 8.0.0.6 or later.
  2. IBM WebSphere Application Server - 8.0.0.6 or later.
  3. Web Server Plug-ins for IBM WebSphere Application Server - 8.0.0.6 or later.
  4. WebSphere Customization Toolbox - 8.0.0.6 or later.

Configuring IHS for SSL:

Follow the instructions in the following document: http://www.ibm.com/support/docview.wss?uid=swg21179559

Configuring the CCRC WAN Server and ClearQuest Web Server profiles to enforce the use of TLSv1.2:

Follow the instructions in the following document: http://pic.dhe.ibm.com/infocenter/wasinfo/v8r5/index.jsp?topic=%2Fcom.ibm.websphere.nd.doc%2Fae%2Ftsec_config_strictsp300.html




Configuring the web server plugin:

For each profile:
  1. Use a browser to connect to the WebSphere Administration Console for this profile.
  2. In the console, navigate to Servers > Server Types > Web servers.
  3. Select the web server, e.g. webserver1.
  4. Select Plug-in properties.
  5. Select Copy to Web server key store directory to configure the related plugin-key.kdb file with the correct personal and signer certificates.
  6. Open the plugin-key.kdb file using a utility such as IKeyMan. Its location is the value of the "keyring" property in the plugin-cfg.xml file. The pathname of plugin-cfg.xml can be found in IHS_HOME_DIRECTORY/conf/httpd.conf.
  7. Navigate to personal certificates and select the default certificate.
  8. Open the certificate for view/edit.
  9. At the bottom of the certificate, select the option Set the certificate as the default.
  10. Save plugin-key.kdb in its original location.
  11. Set StrictSecurity=true in the plugin-cfg.xml file. The path (e.g. WAS_HOME_DIRECTORY/Plugins/config/webserver1) is listed in httpd.conf. (NOTE: see http://www.ibm.com/support/docview.wss?rs=180&uid=swg1PM74603 for a PMR resolution.)
  12. The SSL signer certificate in the plug-in's keystore must match that from the WebSphere Application Server node for TLSv1.2 to function correctly.
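
A read-only check for steps 6 and 11, as an added example that is not part of the IBM document: it reads the plugin-cfg.xml path from the WebSpherePluginConfig directive in httpd.conf, then confirms StrictSecurity and lists the keyring files used by https transports. It assumes StrictSecurity is an attribute of the root Config element and that keyring appears as a Property under each https Transport; the sample paths and host names are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (paths and host names are illustrative, not from a real server).
SAMPLE_HTTPD_CONF = """\
# WebSpherePluginConfig "/old/location/plugin-cfg.xml"
WebSpherePluginConfig "/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-cfg.xml"
"""
SAMPLE_PLUGIN_CFG = """\
<Config StrictSecurity="true">
  <Server Name="node1_server1">
    <Transport Hostname="was.example.test" Port="9080" Protocol="http"/>
    <Transport Hostname="was.example.test" Port="9443" Protocol="https">
      <Property Name="keyring" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"/>
    </Transport>
  </Server>
</Config>
"""

def plugin_cfg_path(httpd_conf_text):
    """Return the plugin-cfg.xml path from the last uncommented WebSpherePluginConfig line."""
    path = None
    for line in httpd_conf_text.splitlines():
        m = re.match(r'\s*WebSpherePluginConfig\s+(?:"([^"]+)"|(\S+))', line, re.I)
        if m:
            path = m.group(1) or m.group(2)
    return path

def audit_plugin_cfg(xml_text):
    """Return (findings, keyring paths) for one plugin-cfg.xml document."""
    root = ET.fromstring(xml_text)
    findings, keyrings = [], set()
    # Assumption: StrictSecurity is an attribute of the root <Config> element.
    strict = root.get("StrictSecurity")
    if (strict or "").lower() != "true":
        findings.append(f"StrictSecurity is {strict!r}, expected 'true'")
    for transport in root.iter("Transport"):
        if (transport.get("Protocol") or "").lower() != "https":
            continue  # only https transports need a key database
        props = {p.get("Name"): p.get("Value") for p in transport.findall("Property")}
        if props.get("keyring"):
            keyrings.add(props["keyring"])
        else:
            where = f"{transport.get('Hostname')}:{transport.get('Port')}"
            findings.append(f"https transport {where} has no keyring property")
    return findings, sorted(keyrings)

if __name__ == "__main__":
    print(plugin_cfg_path(SAMPLE_HTTPD_CONF), audit_plugin_cfg(SAMPLE_PLUGIN_CFG))
```

An empty findings list means the file already satisfies step 11; each keyring path returned is a plugin-key.kdb to open in step 6.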


Troubleshooting:

Problem: "GSK_ERROR_BAD_CERT" logged in the plugin log, i.e. http-plugin.log (located in WAS_HOME_DIRECTORY


Document Information

Modified date:
16 June 2018

UID

swg21648276