Forcing traffic to use TLS 1.2
You can configure HCL Connections™ to force all traffic that passes between a Connections server and a user's web browser to be sent over TLS 1.2 to avoid security vulnerabilities in TLS 1.1 and earlier versions of SSL.
About this task
When you enforce the use of TLS 1.2, it affects all traffic from browsers and applications, as well as communication between Connections JVMs and the IBM WebSphere Application Server.
Procedure
- In the HTTP Server, disable SSL protocols and old TLS protocols, leaving only TLS 1.2 enabled.
- Open the httpd.conf file in the ibm_http_server_root/conf directory. Add the following directive inside the <VirtualHost *:443> ... </VirtualHost> element:
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
- Stop and start the HTTP Server.
- Modify the WebSphere SSL client properties file to force the use of TLS 1.2:
- On the deployment manager, update LotusConnections-config.xml by adding the following property to the Connections configuration file, in the last section of the properties element:
<genericProperty name="com.ibm.connections.SSLProtocol">TLSv1.2</genericProperty>
- In the WebSphere Application Server, update the SSL configurations so that TLS 1.2 is the only allowed secure protocol.
- Stop all WebSphere Application Server processes except for the Deployment Manager.
- In the WebSphere Integrated Solutions Console, log in as the administrator and click .
- For each of the configurations listed, select the configuration, such as CellDefaultSSLSettings, and then Quality of protection (QoP) settings.
- Set the Protocol selector to TLSv1.2 to only allow TLS 1.2. Repeat this step for every configuration.
- Save your changes and leave the Integrated Solutions Console open for the next step.
- Enable the JVM to override the default TLS setting, to ensure that only TLS 1.2 is used. Complete this step on every WebSphere Application Server in the deployment.
- On each managed node, synchronize the deployment manager changes by running profile_root/bin/syncNode.sh.
Ensure that the synchronization completes successfully on every node. If synchronization fails, you might need to manually replace the security.xml file in profile_root/config/cells/cell/ with the version from the deployment manager, and then synchronize the nodes again.
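After completing the procedure, it is worth verifying that the two text-file edits (the SSLProtocolDisable directive in httpd.conf and the com.ibm.connections.SSLProtocol property in LotusConnections-config.xml) actually landed as intended before restarting. The following audit script is an added example, not HCL or IBM code; it runs against constructed sample input, and the XML namespace in the sample is a placeholder, not the real Connections schema namespace.

```python
import re
import xml.etree.ElementTree as ET

# Legacy protocols the procedure requires to be disabled in every <VirtualHost *:443>.
REQUIRED_DISABLED = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}

VHOST_RE = re.compile(r"<VirtualHost\s+\*:443>(.*?)</VirtualHost>", re.S | re.I)
DISABLE_RE = re.compile(r"^\s*SSLProtocolDisable\s+(.+?)\s*$", re.M | re.I)


def audit_httpd_conf(conf_text):
    """For each *:443 VirtualHost, return the set of legacy protocols still NOT disabled.

    An empty set means that vhost matches the procedure; a non-empty set lists what is missing.
    """
    results = []
    for block in VHOST_RE.findall(conf_text):
        disabled = set()
        for match in DISABLE_RE.finditer(block):
            disabled.update(match.group(1).split())   # directive may repeat; union them
        results.append(REQUIRED_DISABLED - disabled)
    return results


def audit_connections_config(xml_text):
    """Return the value of com.ibm.connections.SSLProtocol in LotusConnections-config.xml, or None."""
    root = ET.fromstring(xml_text)
    for element in root.iter():
        # tag may be namespace-qualified ({uri}genericProperty), so match on the local name
        if element.tag.split("}")[-1] == "genericProperty" and element.get("name") == "com.ibm.connections.SSLProtocol":
            return (element.text or "").strip()
    return None


# Constructed sample: first vhost hardened per the procedure, second still accepts TLS 1.1.
SAMPLE_HTTPD_CONF = """
<VirtualHost *:443>
  SSLEnable
  SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
</VirtualHost>
<VirtualHost *:443>
  SSLEnable
  SSLProtocolDisable SSLv2 SSLv3 TLSv10
</VirtualHost>
"""

# Constructed sample; the xmlns value is a placeholder.
SAMPLE_LCC_XML = """<config xmlns="urn:placeholder:connections-config">
  <properties>
    <genericProperty name="com.ibm.connections.SSLProtocol">TLSv1.2</genericProperty>
  </properties>
</config>"""
```

Point the two functions at the real files (read as text) to check a deployment; any non-empty set from audit_httpd_conf or a value other than TLSv1.2 from audit_connections_config means a step was missed.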