Configuring the TLS V1.3 security protocol
The following procedures enable you to configure the TLS V1.3 security protocol for HCL Workload Automation.
The TLS V1.3 security protocol can be configured manually on every component.
The TLS V1.3 security protocol can be configured only when using custom certificates with RSA keys of at least 2K.
Dynamic agents
To enable the TLS V1.3 security protocol for dynamic agents you must open the <TWSDATA>/ITA/cpa/ita/ita.ini file and go to the ITA SSL section. Here you can set the security protocol by modifying the following keywords:
- Enabling the TLS V1.3 security protocol exclusively
    fips_enable = no
    tls12_cipher = NONE
    tls13_cipher = DFLT
  The tls12_cipher = NONE keyword must be included to completely exclude the use of the TLS V1.2 security protocol.
- Enabling the TLS V1.2 and TLS V1.3 security protocols
    fips_enable = no
    tls13_cipher = DFLT
Note: The dynamic agents must be restarted after the modifications are completed.
WebSphere Application Server Liberty Base
The following procedures must be repeated for every HCL Workload Automation component in the environment that has WebSphere Application Server Liberty Base installed.
To enable the TLS V1.3 security protocol for WebSphere Application Server Liberty Base you must copy the
<TWA_INSTALL_FOLDER>/usr/servers/engineServer/configDropins/defaults/ssl_config.xml
file and paste it in the following folders:
- <TWA_INSTALL_FOLDER>/usr/servers/engineServer/configDropins/overrides
- <DWC_INSTALL_FOLDER>/usr/servers/dwcServer/configDropins/overrides
- Enabling the TLS V1.3 security protocol exclusively
    sslProtocol="TLSv1.3"
- Enabling the TLS V1.2 and TLS V1.3 security protocols
    sslProtocol="TLSv1.2,TLSv1.3"
  No spaces can be used before or after the comma.
Note: WebSphere Application Server Liberty Base must be restarted after the modifications are completed.
Native components and fault-tolerant agents
The following procedures must be repeated for every native component and fault-tolerant agent in the HCL Workload Automation environment.
To enable the TLS V1.3 security protocol for native components and fault-tolerant agents you must open the <TWSDATA>/localopts file. Choose the procedure that applies to the kind of certificates you are using:
- OpenSSL
  - Set the keyword:
      SSL Fips enabled = no
  - Enabling the TLS V1.3 security protocol exclusively
    - Comment out the following keywords:
        #SSL Encryption Cipher =TLSv1.2
        #CLI SSL cipher = HIGH
  TLS V1.3 security protocol support is not available if SSL Fips enabled = yes.
Note: The native components and fault-tolerant agents must be
restarted after the modifications are completed.
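The following audit script is an added example, not code from HCL or from the original page. It reports where the contents of ita.ini, ssl_config.xml and localopts deviate from the "TLS V1.3 exclusively" settings listed in the three sections above. It assumes the ITA SSL section is introduced by a [ITA SSL] header and that lines starting with # are comments; the function names and sample inputs are constructed for illustration.

```python
import re

def keywords(text, section=None):
    """Active 'key = value' pairs (lines starting with '#' are comments).
    With section set, only pairs under that [section] header are returned."""
    current, pairs = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()   # assumed header style: [ITA SSL]
        elif "=" in line and not line.startswith("#") and section in (None, current):
            key, value = line.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def check_ita_ini(text):
    """Dynamic agents: all three keywords must carry the values given on the page."""
    kv = keywords(text, "ita ssl")
    want = {"fips_enable": "no", "tls12_cipher": "NONE", "tls13_cipher": "DFLT"}
    return [f"ita.ini: {k} = {kv.get(k)!r}, the page sets {v}"
            for k, v in want.items() if kv.get(k, "").lower() != v.lower()]

def check_ssl_config(xml_text):
    """Liberty: every sslProtocol attribute must be exactly TLSv1.3."""
    values = re.findall(r'sslProtocol="([^"]*)"', xml_text)
    if not values:
        return ["ssl_config.xml: no sslProtocol attribute found"]
    return [f"ssl_config.xml: sslProtocol={v!r}, expected 'TLSv1.3'"
            for v in values if v != "TLSv1.3"]

def check_localopts(text):
    """Native components: FIPS off and both cipher keywords commented out."""
    kv = keywords(text)
    findings = []
    if kv.get("ssl fips enabled", "").lower() != "no":
        findings.append("localopts: SSL Fips enabled is not 'no'")
    findings += [f"localopts: '{k}' is still active ({kv[k]!r})"
                 for k in ("ssl encryption cipher", "cli ssl cipher") if k in kv]
    return findings

# Constructed sample inputs (not taken from a real installation).
ITA_INI = "[ITA SSL]\nfips_enable = no\ntls13_cipher = DFLT\n"
SSL_XML = '<ssl id="sample" sslProtocol="TLSv1.2, TLSv1.3"/>'
LOCALOPTS = "SSL Fips enabled = no\n#SSL Encryption Cipher =TLSv1.2\nCLI SSL cipher = HIGH\n"

if __name__ == "__main__":
    for finding in check_ita_ini(ITA_INI) + check_ssl_config(SSL_XML) + check_localopts(LOCALOPTS):
        print(finding)
```

An empty result from all three checks means the files match the exclusive TLS V1.3 configuration; the components still have to be restarted for the settings to take effect.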