IBM Support

Enabling TLS 1.1 / TLS 1.2 support in Information Server - DataStage Clients

Troubleshooting


Problem

By default, Information Server 11.3 uses the SSL v3.0 protocol for secure communications, but this can be re-configured on the Services Tier to use newer TLS (Transport Layer Security) protocols. This article describes the additional requirements and configurations necessary to enable TLS 1.1 or TLS 1.2 protocol with the DataStage Clients (Designer/Director/Administrator). There is wider support for TLS 1.0 in the underlying client operating systems, and some requirements equally apply to this version of the protocol.

Symptom

With certificates configured to use TLS protocols on the server (WebSphere), DataStage Designer (or Director or Administrator) fails to connect with either of the following errors:


Failed to authenticate the current user against the selected Services Tier
Unable to send HTTP request to Server [servername] on port [9443]. The WinInet ErrorCode is: [0]

or


Failed to authenticate the current user against the selected Services Tier
Could not connect to server [servername] on port [9443] is not reachable. Ensure that the server [servername] can be resolved and that communication port [9443] between this machine and the server is not blocked.

or

Clients are connecting, but the error message "The client session to the Services Tier is lost. Attempting to re-establish session" is repeatedly thrown, but its not possible to do any work because error happens continuously after acknowledging the message box.

Resolving The Problem

TLS (version 1.0)

TLS was first released in 1999 and is generally supported in all flavors of the Windows operating system from Windows XP and Windows Server 2003, and later.

The only extra requirement to use this version of the protocol is to enable "Use TLS 1.0" in the Internet Options on the client machine. In Internet Explorer, go to Tools menu -> Internet Options -> Advanced. Scroll to the bottom to the Security section. You will see the list SSL protocols supported by Internet Explorer. The option "Use TLS 1.0" must be enabled.

The above requirement is also true, if you use other Web Browsers, such as Firefox or Chrome, as these settings control functionality in internal libraries (WinINet) which DataStage relies upon.

No further action is needed to support TLS 1.0

TLS 1.1 / TLS 1.2

TLS 1.1 and TLS 1.2 are supported in Windows 7 and Windows Server 2008 R2 and above (including Windows 8 and Windows Server 2012), although the extra requirements stated below have to be satisfied in order to use these protocols:

  • Microsoft .NET Framework 4.5 or above
  • The version of TLS must be enabled in Internet Explorer Advanced settings
  • Apply APAR JR52781
 

As far as we are aware Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008 do not support TLS 1.1 and 1.2. If you wish implement increased security measures, it is important to ensure the underlying operation system supports these protocols, as there is a discrepancy between the Certified Client platforms supported by Information Server with regards to Windows Server 2008 Enterprise Edition.

The detailed system requirements for Information Server 11.3.1 can be found here: http://www-969.ibm.com/software/reports/compatibility/clarity-reports/report/html/softwareReqsForProduct?deliverableId=1405010119112&osPlatforms=AIX|Linux|Solaris|Windows&duComponentIds=D004&mandatoryCapIds=30|47|9|16|26&optionalCapIds=7|9|1|24|186|61#!

Microsoft .NET Framework version 4.5.2

Information Server requires the Microsoft .NET Framework 4 to be installed on the client machines, however, this needs to be updated to version 4.5, or above. The .NET Framework 4.5 is offered by Microsoft as an in-place upgrade to 4. We would recommend applying .NET Framework 4.5.2 as this is the latest officially released version.

The full (off-line) installer can be downloaded from the following link: http://www.microsoft.com/en-us/download/details.aspx?id=42642

Alternatively, if you have internet connectivity, the Web-based Installer can be launched from: http://www.microsoft.com/en-us/download/details.aspx?id=42643


How to: Determine Which .NET Framework Versions Are Installed

Determining .NET 4.5 is already installed is tricky, but according to this Microsoft article: https://msdn.microsoft.com/en-us/library/hh925568%28v=vs.110%29.aspx



In the Registry Editor, open the following subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full

If the Full subkey is not present, then you do not have a the .NET Framework 4.5 or later installed.
Otherwise, the Release value can be compared to values documented in the above article to determine the actual product release.

Enabling TLS support in Internet Explorer

IMPORTANT - This step must be followed even if your using an alternative web browser to Internet Explorer

Open the Internet Settings using the following command from a Windows prompt:



inetcpl.cpl

Switch to the Advanced Tab, scroll down the bottom of the Settings to the security section and enable "Use TLS 1.1" or "Use TLS 1.2" as required and save the changes. DataStage Clients will be blocked from communicating using these protocols unless these options are enabled.

Install APAR JR52781

Finally, apply APAR JR52781 to patch DataStage

This updates Ascential.DataStage.Attach.COM.AttachService.dll to support these protocol standards when communicating with the Services Tier.

Note: JR52781 is included in 11.5 and above - so no patch is required, but all proceeding steps above are still relevant.

Additional settings that may be needed on Information Server using Windows operating system

  1. Run regedit as administrator to open registry settings (e.g., Start > type regedit in search field)
  2. Open or create: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SecurityProviders\SCHANNEL\Protocols\TLS1.0
  3. Change the value for "DisableBYDefault" to 0
  4. Change the value for "Enabled" to 1
  5. Reboot server

[{"Product":{"code":"SSVSEF","label":"IBM InfoSphere DataStage"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF033","label":"Windows"}],"Version":"9.1.2.0;9.1.0.1;9.1;11.5;11.3.1.2;11.3.1.1;11.3.1.0;11.3;11.5.0.1","Edition":"All Editions","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
27 October 2023

UID

swg21699845

Page Feedback