IBM InfoSphere Streams Version 4.1.1

Changing the cryptographic protocol for InfoSphere Streams services

Many domain and instance services support connections that use Transport Layer Security (TLS) cryptographic protocols. You can specify which cryptographic protocols the services use for secure communication by setting domain and instance properties. The default setting for InfoSphere® Streams is TLSv1, which indicates that TLS 1.0 or later protocols are used.

About this task

You can specify the cryptographic protocol for the following domain and instance services.

Notes:
  • The domain.sslOption domain property is used as the default value for the sslOption properties that are listed.

  • If you set the sws.sslProtocol property to TLSv1.2, you must also specify one of the following settings:
    • Set the domain.sslOption property to TLSv1.2.
    • Set both the aas.sslOption and jmx.sslOption properties to TLSv1.2.

Table 1. Domain services

Service name                                Domain property name
authentication and authorization service    aas.sslOption
domain controller service                   controller.sslOption
management API service                      jmx.sslOption
web management service                      sws.sslProtocol

Table 2. Instance services

Service name                                Instance property name
application deployment service              app.sslOption
application manager service                 sam.sslOption
application metrics service                 srm.sslOption
view service                                view.sslOption

The domain and instance properties can have the following values:
  • TLSv1: This value is the default value. It indicates that the service uses TLS 1.0 or later protocols.
  • TLSv1.1: This value indicates that the service uses TLS 1.1 or later protocols. If a TLS 1.1 connection cannot be established, it falls back to TLS 1.0.
  • TLSv1.2: This value indicates that the service uses only TLS 1.2 or later protocols. If a TLS 1.2 connection cannot be established, it does not fall back to lower versions of TLS support.
  • SSL_TLS: This value indicates that the service uses TLS 1.0.
  • SSL_TLSv2: This value indicates that the service uses TLS 1.0, TLS 1.1, or TLS 1.2.
  • none: This value indicates that the service does not use TLS or SSL. You cannot specify this value for the sws.sslProtocol domain property.

The sws.sslProtocol domain property has an extra value: useJavaSetting. This value indicates that the web management service supports the cryptographic protocols that are specified by the Java™ configuration of processes that connect to the service. It is the default value for the sws.sslProtocol property.

For more information about these properties, run streamtool man domainproperties and streamtool man properties.

Tip: Before you change the cryptographic protocol, consider which InfoSphere Streams interfaces you use and how they are affected. For example, you must open the Streams Console in a web browser that supports the same cryptographic protocols that you specify for the web management service. Also, setting an sslOption property to something other than TLSv1 might prevent communication with InfoSphere Streams releases earlier than 4.1.
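The following check is an added example, not part of the IBM documentation or product: it applies the defaults, the value descriptions, and the sws.sslProtocol dependency rule from this page to a set of property values and reports every service that can still use something lower than TLS 1.2. The name=value input format, the merged domain and instance listing, and the function names are assumptions of this example.

```python
SSL_OPTION_PROPS = ["aas.sslOption", "controller.sslOption", "jmx.sslOption",
                    "app.sslOption", "sam.sslOption", "srm.sslOption", "view.sslOption"]
# Lowest protocol each value can end up using, per the value descriptions on this page
# (TLSv1.1 is listed as TLS 1.0 because the page says it falls back to TLS 1.0).
LOWEST = {"TLSv1": "TLS 1.0", "TLSv1.1": "TLS 1.0", "TLSv1.2": "TLS 1.2",
          "SSL_TLS": "TLS 1.0", "SSL_TLSv2": "TLS 1.0", "none": "no TLS or SSL"}
# Constructed sample; the name=value listing format is an assumption of this example.
SAMPLE = """
domain.sslOption=TLSv1
aas.sslOption=TLSv1.2
sws.sslProtocol=TLSv1.2
view.sslOption=none
"""

def parse(text):
    """Turn name=value lines into a dict, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def effective(props):
    """Apply the documented defaults to properties that are not set explicitly."""
    base = props.get("domain.sslOption", "TLSv1")      # page default: TLSv1
    eff = {p: props.get(p, base) for p in SSL_OPTION_PROPS}
    eff["sws.sslProtocol"] = props.get("sws.sslProtocol", "useJavaSetting")
    return eff

def audit(props):
    """Return a list of (property, finding) pairs."""
    findings = []
    for name, value in sorted(effective(props).items()):
        if name == "sws.sslProtocol" and value == "none":
            findings.append((name, "invalid: none is not allowed here"))
        elif name == "sws.sslProtocol" and value == "useJavaSetting":
            findings.append((name, "protocol set by client Java configuration"))
        elif value not in LOWEST:
            findings.append((name, "unknown value " + value))
        elif LOWEST[value] != "TLS 1.2":
            findings.append((name, "lowest allowed: " + LOWEST[value]))
    # Page rule: sws.sslProtocol=TLSv1.2 needs domain.sslOption=TLSv1.2,
    # or both aas.sslOption and jmx.sslOption set to TLSv1.2.
    if props.get("sws.sslProtocol") == "TLSv1.2" and not (
            props.get("domain.sslOption") == "TLSv1.2" or all(
                props.get(p) == "TLSv1.2" for p in ("aas.sslOption", "jmx.sslOption"))):
        findings.append(("sws.sslProtocol", "TLSv1.2 dependency not met"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse(SAMPLE)):
        print(name + ": " + finding)
```

An empty result means every listed service is restricted to TLS 1.2 and the sws.sslProtocol dependency is satisfied.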

Procedure

You can specify the cryptographic protocol when you create or update a domain or instance. In Streams Studio, you can specify the cryptographic protocol when you add or edit a domain connection.