Forcing traffic to use TLS 1.2

You can configure IBM® Connections to force all traffic that passes between an IBM Connections server and a user's web browser to be sent over TLS 1.2, avoiding the security vulnerabilities in TLS 1.1 and in earlier versions of SSL.

About this task

Forcing TLS 1.2 applies to traffic from browsers and applications, and to the communication between the Connections JVMs and WebSphere Application Server.

Procedure

  1. In the IBM HTTP Server, disable the SSL protocols and the older TLS protocols, leaving only TLS 1.2 enabled. Open the httpd.conf file in the ibm_http_server_root/conf directory and add the following directive inside the <VirtualHost *:443> ... </VirtualHost> element:
    SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
  2. Stop and start the HTTP Server.
  3. Modify the WebSphere SSL client properties file to force the use of TLS 1.2. On every WebSphere node, open ssl.client.props in opt/IBM/WebSphere/AppServer/profiles/propfilename/Dmgr/properties. Set com.ibm.ssl.protocol to the following value on every node in the environment:
    com.ibm.ssl.protocol=TLSv1.2
  4. On the deployment manager, update LotusConnections-config.xml by adding the following property at the end of the properties element of the Connections configuration file:
    <genericProperty name="com.ibm.connections.SSLProtocol">TLSv1.2</genericProperty>
  5. In the WebSphere Application Server, update the SSL configurations so that TLS 1.2 is the only allowed secure protocol.
    1. Stop all WebSphere Application Server processes except for the Deployment Manager.
    2. In the WebSphere Administration browser application, log in as the administrator and click Security > SSL certificate and key management > SSL Configurations.
    3. For each of the configurations listed, select the configuration, such as CellDefaultSSLSettings, and then click Quality of protection (QoP) settings.
    4. Set the Protocol selector to TLSv1.2 so that only TLS 1.2 is allowed. Repeat this step for every configuration.
    5. Save your changes.
    6. On each managed node, synchronize the deployment manager changes by running profile_root/bin/syncNode.sh. Ensure that this completes successfully on every node. If synchronization fails, you may need to manually replace the security.xml file in profile_root/config/cells/cell/ with the version from the deployment manager.
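Steps 1, 3 and 4 each leave a setting in a text file that is easy to get subtly wrong (a protocol left out of the SSLProtocolDisable list, a property value mistyped, the genericProperty added to the wrong element). The following script is an added example, not part of the IBM documentation or product, that audits copies of those three files for the values the procedure requires. The file contents embedded in it are constructed samples, one compliant set and one weak set; in practice you would read the real httpd.conf, ssl.client.props and LotusConnections-config.xml from each node. The XML check matches elements by local name so that it works whether or not the configuration file declares a default namespace.

```python
import re
import xml.etree.ElementTree as ET

# --- Constructed sample inputs (not copied from any real deployment) ---
HTTPD_CONF_OK = """
Listen 443
<VirtualHost *:443>
    SSLEnable
    SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
</VirtualHost>
"""
HTTPD_CONF_WEAK = """
Listen 443
<VirtualHost *:443>
    SSLEnable
    SSLProtocolDisable SSLv2 SSLv3
</VirtualHost>
"""
SSL_CLIENT_PROPS_OK = "com.ibm.ssl.alias=DefaultSSLSettings\ncom.ibm.ssl.protocol=TLSv1.2\n"
SSL_CLIENT_PROPS_WEAK = "com.ibm.ssl.alias=DefaultSSLSettings\ncom.ibm.ssl.protocol=SSL_TLS\n"
LCC_XML_OK = """<?xml version="1.0"?>
<config>
  <properties>
    <genericProperty name="com.ibm.connections.SSLProtocol">TLSv1.2</genericProperty>
  </properties>
</config>
"""
LCC_XML_WEAK = """<?xml version="1.0"?>
<config>
  <properties>
    <genericProperty name="someOtherProperty">x</genericProperty>
  </properties>
</config>
"""

# Protocols that step 1 requires to be listed on SSLProtocolDisable.
REQUIRED_DISABLED = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}


def check_httpd_conf(text):
    """Step 1: every legacy protocol is disabled inside <VirtualHost *:443>."""
    findings = []
    block = re.search(r"<VirtualHost\s+\*:443>(.*?)</VirtualHost>", text, re.S | re.I)
    if not block:
        return ["httpd.conf: no <VirtualHost *:443> block found"]
    disabled = set()
    for line in block.group(1).splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "sslprotocoldisable":
            disabled.update(parts[1:])  # the directive may appear more than once
    missing = REQUIRED_DISABLED - disabled
    if missing:
        findings.append("httpd.conf: SSLProtocolDisable does not cover "
                        + ", ".join(sorted(missing)))
    if "TLSv12" in disabled:
        findings.append("httpd.conf: TLSv12 is disabled, so no protocol would remain")
    return findings


def check_ssl_client_props(text):
    """Step 3: com.ibm.ssl.protocol must be exactly TLSv1.2."""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "com.ibm.ssl.protocol":
            if value.strip() == "TLSv1.2":
                return []
            return [f"ssl.client.props: com.ibm.ssl.protocol is {value.strip()!r}, expected 'TLSv1.2'"]
    return ["ssl.client.props: com.ibm.ssl.protocol is not set"]


def check_lcc_xml(text):
    """Step 4: the SSLProtocol genericProperty is present and set to TLSv1.2."""
    root = ET.fromstring(text)
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]  # ignore any XML namespace
        if local_name == "genericProperty" and elem.get("name") == "com.ibm.connections.SSLProtocol":
            value = (elem.text or "").strip()
            if value == "TLSv1.2":
                return []
            return [f"LotusConnections-config.xml: SSLProtocol is {value!r}, expected 'TLSv1.2'"]
    return ["LotusConnections-config.xml: com.ibm.connections.SSLProtocol property is missing"]


def audit(httpd_conf, ssl_client_props, lcc_xml):
    """Combine the three checks; an empty list means all three files are compliant."""
    return (check_httpd_conf(httpd_conf)
            + check_ssl_client_props(ssl_client_props)
            + check_lcc_xml(lcc_xml))


if __name__ == "__main__":
    for label, files in (("compliant", (HTTPD_CONF_OK, SSL_CLIENT_PROPS_OK, LCC_XML_OK)),
                         ("weak", (HTTPD_CONF_WEAK, SSL_CLIENT_PROPS_WEAK, LCC_XML_WEAK))):
        result = audit(*files)
        print(f"{label}: {'OK' if not result else result}")
```

Run the audit after step 6 on every node, since a failed syncNode.sh can leave one node with the old settings while the deployment manager reports the new ones; a clean audit of the files is a precondition for, not a substitute for, confirming with a TLS client that the server rejects TLS 1.0 and 1.1 handshakes.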