Configure TLSv1.2 settings on the Sametime® System Console.
About this task
Improve the security of your Sametime deployment by enabling servers to communicate with TLSv1.2.
- To enable TLSv1.2, it is recommended to wait until all WebSphere-based servers are deployed and federated. Deploying additional servers after the SSC is configured to use TLSv1.2 may require manual steps after the initial installation. For more information, see the IBM tech note "If the Sametime 9.0.1 FP1 System Console is enabled for TLSv1.2, then use TLSv1.2 mode for a fresh install of any WebSphere-based Sametime server."
- Platforms without a GUI for the Installation Manager (silent installation), such as IBM i, do not provide the option to select TLSv1.2 connections to the Sametime System Console. To configure TLSv1.2 for such platforms, perform the following steps:
  - Allow the "federation" of the server to fail during the installation, and then run "addNode" manually, which prompts you to trust the certificate used. TLSv1.2 then allows the connection. Register the server manually with the Sametime System Console after the federation is successful.
  - Disable TLSv1.2 on the Sametime System Console before installing WebSphere-based Sametime servers, and re-enable it later.
  - Enable TLSv1.2 on the Sametime System Console after all WebSphere-based Sametime servers are installed and federated with the Deployment Manager (DMGR).
Procedure
- On the Sametime System Console, enable TLSv1.2 for the specified SSL configurations as follows:
  - Log in to the WebSphere® Integrated Solutions Console as the WebSphere administrator.
  - In the navigation list, click .
  - In the "Related Items" section, click SSL Configurations.
  - Click the link that represents the SSL configuration that you will update to use TLSv1.2.
  - On the configuration page, look in the "Additional Properties" section and click Quality of Protection (QoP) Settings.
  - In the Protocol field, select TLSv1.2.
  - Click Apply and then click Save to update the master configuration.
- Modify the ssl.client.props file for the System Console deployment manager to specify TLSv1.2.
  - On the server, locate the ssl.client.props file. This file is stored in the following location:
    /IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/properties
  - Edit the file and change the com.ibm.ssl.protocol setting to TLSv1.2.
    com.ibm.ssl.protocol=TLSv1.2
  - Save and close the file.
- Stop the deployment manager by running the stopManager.sh (AIX®, Linux™) or stopManager.bat (Windows™) script. For example, on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/bin/stopManager.sh -username wasadmin -password password
- Start the deployment manager by running the startManager.sh (AIX, Linux) or startManager.bat (Windows) script. For example, on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/bin/startManager.sh
- Stop the STConsoleServer application server by running the stopServer.sh (AIX, Linux) or stopServer.bat (Windows) script. For example, on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STSCAppProfile/bin/stopServer.sh STConsoleServer -username wasadmin -password password
- Stop the STConsoleServer node agent by running the stopNode.sh (AIX, Linux) or stopNode.bat (Windows) script. For example, on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STSCAppProfile/bin/stopNode.sh -username wasadmin -password password
- Modify the ssl.client.props file for the System Console application server to specify TLSv1.2.
  - On the server, locate the ssl.client.props file. This file is stored in the following location:
    /IBM/WebSphere/AppServer/profiles/profile_name/properties
  - Edit the file and change the com.ibm.ssl.protocol setting to TLSv1.2.
    com.ibm.ssl.protocol=TLSv1.2
  - Save and close the file.
- Sync the STConsoleServer node with the deployment manager by running the syncNode.sh (AIX, Linux) or syncNode.bat (Windows) script. For example, on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STSCAppProfile/bin/syncNode.sh SSC_Host_Name 8703 -username wasadmin -password password
- Start the STConsoleServer node agent by running the startNode.sh (AIX, Linux) or startNode.bat (Windows) script. For example, on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STSCAppProfile/bin/startNode.sh
- Start the STConsoleServer application server by running the startServer.sh (AIX, Linux) or startServer.bat (Windows) script. For example, on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STSCAppProfile/bin/startServer.sh STConsoleServer
- Log in to the WebSphere Integrated Solutions Console as the WebSphere administrator.
- Click
- On the Application servers page, verify that the Sametime System Console (STConsoleServer) is reachable and is in a started state.
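A quick audit for the two ssl.client.props edits in the procedure above, as an added example that is not part of the IBM documentation: it reports the effective com.ibm.ssl.protocol value for every profile under a profiles directory and flags any that is not TLSv1.2. The function names are hypothetical, and the sample tree it builds when run without an argument is constructed (the SSL_TLS and com.ibm.ssl.alias lines are illustrative file content, not taken from this page).

```shell
#!/bin/sh
# Added example (not IBM code): audit com.ibm.ssl.protocol in ssl.client.props.

# Print the effective protocol value from one properties file. Commented lines
# never match, CRs and spaces around the separator are tolerated, and the last
# assignment wins, as it does when Java loads a properties file.
ssl_protocol_of() {
    tr -d '\r' < "$1" | sed -n -e 's/[[:space:]]*$//' \
        -e 's/^[[:space:]]*com\.ibm\.ssl\.protocol[[:space:]]*[=:][[:space:]]*//p' | tail -n 1
}

# Check <profiles_dir>/*/properties/ssl.client.props. Returns 0 if every file
# specifies TLSv1.2, 1 if any does not, 2 if no file was found.
check_profiles() {
    rc=0; checked=0
    for f in "$1"/*/properties/ssl.client.props; do
        [ -f "$f" ] || continue
        checked=$((checked + 1))
        proto=$(ssl_protocol_of "$f")
        profile=$(basename "$(dirname "$(dirname "$f")")")
        if [ "$proto" = "TLSv1.2" ]; then
            echo "OK    $profile  com.ibm.ssl.protocol=$proto"
        else
            echo "FAIL  $profile  com.ibm.ssl.protocol=${proto:-<unset>}"
            rc=1
        fi
    done
    [ "$checked" -gt 0 ] || { echo "no ssl.client.props under $1"; return 2; }
    return "$rc"
}

# Constructed sample tree (not real server data): the deployment manager
# profile is already edited, the application server profile is not.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/STSCDMgrProfile/properties" "$root/STSCAppProfile/properties"
    printf '%s\n' '#com.ibm.ssl.protocol=SSL_TLS' 'com.ibm.ssl.protocol = TLSv1.2' \
        > "$root/STSCDMgrProfile/properties/ssl.client.props"
    printf '%s\n' 'com.ibm.ssl.alias=DefaultSSLSettings' 'com.ibm.ssl.protocol=SSL_TLS' \
        > "$root/STSCAppProfile/properties/ssl.client.props"
    echo "$root"
}

# Pass the real profiles directory as $1; with no argument the sample is used.
dir=${1:-$(make_sample_tree)}
check_profiles "$dir" || echo "At least one profile still needs com.ibm.ssl.protocol=TLSv1.2"
```

Run it against the profiles directory after the last restart step; a FAIL line for STSCAppProfile means the second ssl.client.props edit was missed or reverted.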