Enabling TLSv1.2 for the Sametime System Console

Configure TLSv1.2 settings on the Sametime® System Console.

About this task

Improve the security of your Sametime deployment by enabling servers to communicate with TLSv1.2.

Procedure

  1. On the Sametime System Console, enable TLSv1.2 for the specified SSL configurations as follows:
    • The NodeDefaultSSLSettings SSL configuration

      If there are multiple SSL configurations with this name, use the one for the Management Scope of the System Console; for example: (cell):SSCHostnameSSCCell:(node):SSCHostnameSSCNode.

    • The CellDefaultSSLSettings SSL configuration
    • The XDADefaultSSLSettings SSL configuration
    1. Log in to the WebSphere® Integrated Solutions Console as the WebSphere administrator.
    2. In the navigation list, click Security > SSL certificate and key management.
    3. In the "Related Items" section, click SSL Configurations.
    4. Click the link that represents the SSL configuration that you will update to use TLSv1.2.
    5. On the configuration page, look in the "Additional Properties" section and click Quality of Protection (QoP) Settings.
    6. In the Protocol field, select TLSv1.2.
    7. Click Apply and then click Save to update the master configuration.
  2. Modify the ssl.client.props file for the System Console deployment manager to specify TLSv1.2.
    1. On the server, locate the ssl.client.props file.

      This file is stored in the following location: /IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/properties

    2. Edit the file and change the com.ibm.ssl.protocol setting to TLSv1.2.
      com.ibm.ssl.protocol=TLSv1.2
    3. Save and close the file.
  3. Stop the deployment manager by running the stopManager.sh (AIX®, Linux™) or stopManager.bat (Windows™) script.
    For example, on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/bin/stopManager.sh -username wasadmin -password password
  4. Start the deployment manager by running the startManager.sh (AIX, Linux) or startManager.bat (Windows) script.
    For example, on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/bin/startManager.sh
  5. Stop the STConsoleServer application server by running the stopServer.sh (AIX, Linux) or stopServer.bat (Windows) script.
    For example, on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STSCAppProfile/bin/stopServer.sh STConsoleServer -username wasadmin -password password
  6. Stop the STConsoleServer node agent by running the stopNode.sh (AIX, Linux) or stopNode.bat (Windows) script.
    For example, on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STSCAppProfile/bin/stopNode.sh -username wasadmin -password password
  7. Modify the ssl.client.props file for the System Console application server to specify TLSv1.2.
    1. On the server, locate the ssl.client.props file.

      This file is stored in the following location: /IBM/WebSphere/AppServer/profiles/profile_name/properties

    2. Edit the file and change the com.ibm.ssl.protocol setting to TLSv1.2.
      com.ibm.ssl.protocol=TLSv1.2
    3. Save and close the file.
  8. Sync the STConsoleServer node with the deployment manager by running the syncNode.sh (AIX, Linux) or syncNode.bat (Windows) script.
    For example, on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STSCAppProfile/bin/syncNode.sh SSC_Host_Name 8703 -username wasadmin -password password
  9. Start the STConsoleServer node agent by running the startNode.sh (AIX, Linux) or startNode.bat (Windows) script.
    For example, on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STSCAppProfile/bin/startNode.sh
  10. Start the STConsoleServer application server by running the startServer.sh (AIX, Linux) or startServer.bat (Windows) script.
    For example, on Linux:
    sh /opt/IBM/WebSphere/AppServer/profiles/STSCAppProfile/bin/startServer.sh STConsoleServer
  11. Log in to the WebSphere Integrated Solutions Console as the WebSphere administrator.
  12. Click Servers > Server Types > WebSphere application servers.
  13. On the Application servers page, verify that the Sametime System Console (STConsoleServer) is reachable and is in a started state.
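The two ssl.client.props edits in steps 2 and 7 can be done with a small shell helper that rewrites the com.ibm.ssl.protocol line in place, keeps a backup, and lets you verify the value afterwards. This is an added example, not an IBM script; the property name and profile paths come from the procedure above, and the sample file content is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not IBM's script: update com.ibm.ssl.protocol in an
# ssl.client.props file (steps 2 and 7 above) and verify the result.
# The property name comes from the procedure; the file contents below are constructed.

# set_ssl_protocol FILE [PROTOCOL]
# Rewrites the existing com.ibm.ssl.protocol line, or appends one if it is
# missing. A copy of the original is kept as FILE.bak.
set_ssl_protocol() {
    file=$1
    proto=${2:-TLSv1.2}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak"
    if grep -q '^com\.ibm\.ssl\.protocol=' "$file"; then
        # -i.tmp works with both GNU and BSD sed; the temp copy is removed after
        sed -i.tmp "s/^com\.ibm\.ssl\.protocol=.*/com.ibm.ssl.protocol=$proto/" "$file"
        rm -f "$file.tmp"
    else
        printf 'com.ibm.ssl.protocol=%s\n' "$proto" >> "$file"
    fi
}

# get_ssl_protocol FILE: prints the configured protocol (empty if not set).
get_ssl_protocol() {
    sed -n 's/^com\.ibm\.ssl\.protocol=//p' "$1" | tail -n 1
}

# make_sample_props: writes a constructed ssl.client.props fragment to a temp
# directory and prints its path, so the helpers can be tried offline.
make_sample_props() {
    dir=$(mktemp -d)
    cat > "$dir/ssl.client.props" <<'EOF'
# constructed sample, not a real WebSphere file
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
EOF
    echo "$dir/ssl.client.props"
}

# On the deployment manager profile from step 2 you would run, for example:
#   set_ssl_protocol /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/properties/ssl.client.props TLSv1.2
#   get_ssl_protocol /opt/IBM/WebSphere/AppServer/profiles/STSCDMgrProfile/properties/ssl.client.props
```

Run get_ssl_protocol on both profiles after the edits and again after the syncNode step to confirm the value survived the sync before starting the node agent and server.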

What to do next

Attention: Now that TLSv1.2 is enabled on the Sametime System Console, all new WebSphere-based Sametime servers must be installed with a deployment plan that specifies TLSv1.2 (not HTTP). For more information, see the IBM tech note If the Sametime 9.0.1 FP1 System Console is enabled for TLSv1.2, then use TLSv1.2 mode for a fresh install of any WebSphere-based Sametime server.