You can configure IBM® Connections to force all traffic that passes between an IBM
Connections server and a user's web browser to be sent over TLS 1.2, which avoids the known
weaknesses of TLS 1.1 and TLS 1.0 and the more serious ones in the earlier SSL protocols.
About this task
Forcing TLS 1.2 applies to traffic from browsers and from applications, and also to the
communication between the Connections JVMs and the WebSphere Application Server.
Procedure
-
In the IBM HTTP Server, disable the SSL protocols and the older TLS protocols so that only TLS 1.2
remains enabled. Open the httpd.conf file in the ibm_http_server_root/conf directory and add the
following directive inside the
<VirtualHost *:443> ... </VirtualHost>
element (the virtual host that serves HTTPS), so that it applies to that listener:
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
-
Stop and start the IBM HTTP Server so that the new directive takes effect.
-
Modify the WebSphere SSL client properties file so that WebSphere client connections also use
TLS 1.2. On every WebSphere node, open ssl.client.props in
opt/IBM/WebSphere/AppServer/profiles/propfilename/Dmgr/properties
and set
com.ibm.ssl.protocol
to the following value on every node in the environment:
com.ibm.ssl.protocol=TLSv1.2
-
On the deployment manager, update LotusConnections-config.xml by adding
the following property at the end of the
properties
element of the Connections configuration file:
<genericProperty name="com.ibm.connections.SSLProtocol">TLSv1.2</genericProperty>
-
In the WebSphere Application Server, update the SSL configurations so that TLS 1.2 is the only
protocol allowed.
-
Stop all WebSphere Application Server processes except for the Deployment Manager.
-
In the WebSphere Administration browser application, log in as the administrator and navigate to the list of SSL configurations.
-
For each configuration in the list, such as
CellDefaultSSLSettings, select it and then open Quality of protection (QoP)
settings.
-
Set the Protocol selector to TLSv1.2 so that only TLS 1.2 is allowed. Repeat this
step for every configuration in the list; a configuration you skip still accepts the older protocols.
-
Save your changes.
-
On each managed node, synchronize the changes from the deployment manager by running profile_root/bin/syncNode.sh,
which requires the node agent on that node to be stopped and takes the deployment manager host name and SOAP
connector port as arguments. Ensure that this completes successfully on every node. If synchronization fails,
you might have to manually replace the security.xml file in profile_root/config/cells/cell/ on the node with the
version from the deployment manager. When every node is synchronized, start the node agents and the application
servers again.
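The procedure touches three separate artifacts (httpd.conf, ssl.client.props and LotusConnections-config.xml), and a listener that still negotiates TLS 1.0 or 1.1 after the change usually means one of them was missed or the directive landed in the wrong VirtualHost block. The following audit script is an added example, not IBM's code: it checks all three files for the settings named above and can then probe a live HTTPS port, one protocol version at a time, to confirm that only TLS 1.2 completes a handshake. The sample file contents are constructed, simplified excerpts, not copies of a real deployment; the script looks only at the directives and properties this procedure sets.

```python
#!/usr/bin/env python3
"""Audit the TLS 1.2-only settings from the procedure above and probe a live listener.

Added example, not IBM's code. File layouts are simplified; only the directives and
properties named in the procedure are inspected."""
import re
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

# Protocols the httpd.conf step disables; anything left out stays negotiable.
REQUIRED_DISABLED = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}

# Constructed samples (not copied from a real deployment): before and after the httpd.conf step.
SAMPLE_HTTPD_BEFORE = """\
Listen 443
<VirtualHost *:443>
    SSLEnable
    SSLProtocolDisable SSLv2 SSLv3
</VirtualHost>
"""
SAMPLE_HTTPD_AFTER = """\
Listen 443
<VirtualHost *:443>
    SSLEnable
    SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
</VirtualHost>
"""
SAMPLE_PROPS = """\
# WebSphere SSL client properties (constructed excerpt)
com.ibm.ssl.protocol=TLSv1.2
com.ibm.ssl.alias=DefaultSSLSettings
"""
SAMPLE_LCC = """<config><properties>
  <genericProperty name="com.ibm.connections.SSLProtocol">TLSv1.2</genericProperty>
</properties></config>"""


def ihs_disabled_protocols(httpd_conf: str, port: int = 443) -> set:
    """Protocols named in SSLProtocolDisable directives that apply to port PORT.
    Directives at server scope (outside any VirtualHost) and inside <VirtualHost *:PORT>
    count; directives inside other VirtualHost blocks do not."""
    disabled, scope = set(), "global"
    for raw in httpd_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            scope = "target" if m.group(1).strip().endswith(f":{port}") else "other"
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            scope = "global"
            continue
        m = re.match(r"SSLProtocolDisable\s+(.+)", line, re.I)
        if m and scope in ("global", "target"):
            disabled.update(m.group(1).split())
    return disabled


def ihs_still_enabled(httpd_conf: str) -> set:
    """Legacy protocols the IHS config still leaves enabled on :443 (empty set == good)."""
    return REQUIRED_DISABLED - ihs_disabled_protocols(httpd_conf)


def props_value(props_text: str, key: str):
    """Value of KEY in a Java .properties file (first match wins), or None."""
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        k, _, v = line.partition("=")
        if k.strip() == key:
            return v.strip()
    return None


def lcc_ssl_protocol(xml_text: str):
    """Text of <genericProperty name="com.ibm.connections.SSLProtocol"> or None (namespace-agnostic)."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "genericProperty" \
                and el.get("name") == "com.ibm.connections.SSLProtocol":
            return (el.text or "").strip()
    return None


def audit(httpd_conf: str, ssl_client_props: str, lcc_xml: str) -> list:
    """Findings (strings) for the three artifacts; an empty list means all three pin TLS 1.2."""
    findings = []
    left = ihs_still_enabled(httpd_conf)
    if left:
        findings.append("httpd.conf: still enabled on :443: " + ", ".join(sorted(left)))
    p = props_value(ssl_client_props, "com.ibm.ssl.protocol")
    if p != "TLSv1.2":
        findings.append(f"ssl.client.props: com.ibm.ssl.protocol={p!r}, expected 'TLSv1.2'")
    g = lcc_ssl_protocol(lcc_xml)
    if g != "TLSv1.2":
        findings.append(f"LotusConnections-config.xml: SSLProtocol={g!r}, expected 'TLSv1.2'")
    return findings


# Live check: offer exactly one protocol version per connection and record which handshakes succeed.
PROBE = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
         "TLSv1.2": ssl.TLSVersion.TLSv1_2}


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """{version: handshake succeeded}. Only TLSv1.2 should be True after the procedure."""
    out = {}
    for name, ver in PROBE.items():
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # testing negotiation, not the chain
            ctx.minimum_version = ctx.maximum_version = ver
            try:
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # hardened OpenSSL refuses to offer TLS 1.0/1.1 otherwise
            except ssl.SSLError:
                pass
            with socket.create_connection((host, port), timeout=timeout) as s, \
                    ctx.wrap_socket(s, server_hostname=host) as t:
                out[name] = t.version() == name
        except (OSError, ValueError):  # ssl.SSLError is an OSError subclass
            out[name] = False
    return out


def only_tls12(results: dict) -> bool:
    """True when TLS 1.2 handshook and every older version was refused."""
    return bool(results.get("TLSv1.2")) and not any(v for k, v in results.items() if k != "TLSv1.2")


if __name__ == "__main__":
    # usage: audit_tls12.py httpd.conf ssl.client.props LotusConnections-config.xml [host [port]]
    conf, props, lcc = (open(p, encoding="utf-8").read() for p in sys.argv[1:4])
    for f in audit(conf, props, lcc) or ["config: all three artifacts pin TLSv1.2"]:
        print(f)
    if len(sys.argv) > 4:
        r = probe_tls(sys.argv[4], int(sys.argv[5]) if len(sys.argv) > 5 else 443)
        print("live:", r, "=> OK" if only_tls12(r) else "=> legacy protocol still accepted")
```

Run the configuration audit on each node's copies of the files and the live probe against the IBM HTTP Server port from a host that can reach it; the probe disables certificate verification deliberately because it is testing protocol negotiation, not the trust chain, so do not reuse it as a general client. Note that a probe from a modern client may report TLS 1.0 and 1.1 as refused even on an unpatched server if the local OpenSSL build will not offer them at all, which is why the script lowers the security level before connecting.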