IBM Support

Enable TLS V1.1 on IBM Cloud Orchestrator

Preventive Service Planning


Abstract

This technical note includes configuration steps to enable TLS v1.1 on IBM® Cloud Orchestrator V2.4.0.3 and V2.4.0.4.

Content

Steps to enable TLS V1.1 support on IBM Cloud Orchestrator V2.4.0.4 and V2.4.0.3:


1. Contact IBM Support for the following LA fixes:

    • For IBM Cloud Orchestrator V2.4.0.4, apply IBM Cloud Orchestrator V2.4.0.4 LA01
    • For IBM Cloud Orchestrator V2.4.0.3, apply IBM Cloud Orchestrator V2.4.0.3 LA09
2. Configuration procedure to enable TLS V1.1 on IBM Cloud Orchestrator 2.4.0.4 and 2.4.0.3:

    a. Perform the following steps to update the jetty.xml file:

      i) Run the cp /opt/ibm/ccs/scui/etc/jetty.xml /opt/ibm/ccs/scui/etc/jetty.xml.bak command.

      ii) Run the vim /opt/ibm/ccs/scui/etc/jetty.xml command.

      iii) Add the line <Set name='Protocol'>TLSv1.1</Set> within the following element:

        <New class='org.eclipse.jetty.http.ssl.SslContextFactory' id='sslContextFactory'>
        </New>
    b. Perform the following steps to update the httpd.conf file:

      i) Run the cp /opt/IBM/HTTPServer/conf/httpd.conf /opt/IBM/HTTPServer/conf/httpd.conf.bak command.

      ii) Run the vim /opt/IBM/HTTPServer/conf/httpd.conf command.

      iii) Replace the SSLProtocolDisable SSLv3 SSLv2 line with the following lines:
        SSLFIPSEnable
        SSLProtocolEnable TLSv11
        SSLProtocolDisable SSLv2 SSLv3 TLSv1

    c. Back up the /opt/ibm/ccs/scui/lib/com.ibm.orchestrator.ui.framework.jar file.

      i) Replace the com.ibm.orchestrator.ui.framework.jar file with the jar file that you can get from IBM Customer Support.

      ii) Restart the ihs and scui services by running the following commands:
        service ihs restart
        service scui restart
3. Configuration procedure to set the SSL_TLSv2 protocol on WebSphere Application Server:

    a. Log in to the WebSphere Application Server Integrated Solutions Console.

    b. Click Security > SSL certificate and key management.

    c. In the Related Items section, click SSL configurations. Examples of SSL configurations are CellDefaultSSLSettings, NodeDefaultSSLSettings, and XDADefaultSSLSettings.

    d. Select the SSL Configuration that is described in the previous step, and click Additional Properties > Quality of protection (QoP) settings.

    e. In the Quality of protection (QoP) settings panel, select SSL_TLSv2 from the Protocol drop-down list.

    f. Click Apply and Save.

    g. Perform the following steps to update the com.ibm.ssl.protocol property in the ssl.client.props file:

      i) Edit the ssl.client.props file and set the com.ibm.ssl.protocol value to SSL_TLSv2.

      ii) Update both the <WAS_directory>/Node1Profile/properties/ssl.client.props and <WAS_directory>/DmgrProfile/properties/ssl.client.props files.
    h. Restart all the services by using the SCOrchestrator.py script on Central Server 1.

Note: Business Process Designer does not work after you complete the configuration steps. To fix this, set the protocol to SSL_TLSv2 in the ssl.client.props file on the local machine, within the process designer path.
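
One way to confirm the edits from steps 2a, 2b and 3g before restarting the services, as an added example that is not part of the IBM technote. The function names (check_jetty, check_ihs, check_client_props, audit, selftest) are hypothetical, and the jetty.xml check assumes the sslContextFactory element contains no nested <New> element.

```shell
#!/bin/sh
# Added example (not IBM code): audit the files edited in steps 2a, 2b and 3g.
# Each check returns 0 only when the setting from the technote is active.

check_jetty() {   # 2a: Protocol must be set inside the sslContextFactory element
  # Assumption: no nested <New> inside it, so the first </New> closes the element.
  awk '/<New[^>]*id=.sslContextFactory./ { inside = 1 }
       inside && /<Set name=.Protocol.>TLSv1\.1<\/Set>/ { found = 1 }
       inside && /<\/New>/ { inside = 0 }
       END { exit !found }' "$1"
}

check_ihs() {     # 2b: a directive counts only as first token of a non-comment line
  awk '/^[ \t]*#/ { next }
       $1 == "SSLFIPSEnable" { fips = 1 }
       $1 == "SSLProtocolEnable" && $2 == "TLSv11" { on = 1 }
       $1 == "SSLProtocolDisable" { for (i = 2; i <= NF; i++) off[$i] = 1 }
       END { exit !(fips && on && off["SSLv2"] && off["SSLv3"] && off["TLSv1"]) }' "$1"
}

check_client_props() {   # 3g: the last uncommented assignment wins
  awk -F= '/^[ \t]*#/ { next }
       { gsub(/[ \t\r]/, "", $1); gsub(/[ \t\r]/, "", $2) }
       $1 == "com.ibm.ssl.protocol" { val = $2 }
       END { exit !(val == "SSL_TLSv2") }' "$1"
}

audit() {   # audit <jetty.xml> <httpd.conf> <ssl.client.props>...
  rc=0
  check_jetty "$1" || { echo "FAIL jetty.xml: $1"; rc=1; }
  check_ihs "$2"   || { echo "FAIL httpd.conf: $2"; rc=1; }
  shift 2
  for f in "$@"; do
    check_client_props "$f" || { echo "FAIL ssl.client.props: $f"; rc=1; }
  done
  return "$rc"
}

selftest() {   # constructed sample files, not copied from a real installation
  d=$(mktemp -d) || return 1
  printf '%s\n' "<New class='org.eclipse.jetty.http.ssl.SslContextFactory' id='sslContextFactory'>" \
    "<Set name='Protocol'>TLSv1.1</Set>" "</New>" > "$d/jetty.xml"
  printf '%s\n' "SSLFIPSEnable" "SSLProtocolEnable TLSv11" \
    "SSLProtocolDisable SSLv2 SSLv3 TLSv1" > "$d/httpd.conf"
  printf '%s\n' "com.ibm.ssl.protocol=SSL_TLSv2" > "$d/ssl.client.props"
  audit "$d/jetty.xml" "$d/httpd.conf" "$d/ssl.client.props"; rc=$?
  rm -rf "$d"; return "$rc"
}

# With file arguments, audit them; with none, run the constructed self-test.
if [ "$#" -ge 3 ]; then audit "$@"; else selftest && echo "selftest passed"; fi
```

Pass the jetty.xml path, the httpd.conf path, and then both ssl.client.props paths from step 3g as arguments; a non-zero exit status means at least one setting is missing or commented out.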


Document Information

Modified date:
17 June 2018

UID

swg2C1000199