Configuring the TLS V1.3 security protocol

The following procedures enable you to configure the TLS V1.3 security protocol for HCL Workload Automation.

The TLS V1.3 security protocol can be configured only when you use custom certificates with RSA keys of at least 2K.

The configuration is done manually on each component:

Dynamic agents

To enable the TLS V1.3 security protocol for dynamic agents, open the <TWSDATA>/ITA/cpa/ita/ita.ini file and go to the ITA SSL section. In this section, set the following keywords according to the protocols you want to enable:
Enabling the TLS V1.3 security protocol exclusively
fips_enable = no
tls12_cipher = NONE
tls13_cipher = DFLT
The tls12_cipher = NONE setting must be included to completely exclude the use of the TLS V1.2 security protocol.
Enabling the TLS V1.2 and TLS V1.3 security protocols
fips_enable = no
tls13_cipher = DFLT 
Note: The dynamic agents must be restarted after the modifications are completed.

WebSphere Application Server Liberty Base

The following procedures must be repeated for every HCL Workload Automation component in the environment that has WebSphere Application Server Liberty Base installed.

To enable the TLS V1.3 security protocol for WebSphere Application Server Liberty Base, copy the <TWA_INSTALL_FOLDER>/usr/servers/engineServer/configDropins/defaults/ssl_config.xml file and paste it into the following folders:
  • <TWA_INSTALL_FOLDER>/usr/servers/engineServer/configDropins/overrides
  • <DWC_INSTALL_FOLDER>/usr/servers/dwcServer/configDropins/overrides
You must then edit the ssl_config.xml file:
Enabling the TLS V1.3 security protocol exclusively
sslProtocol="TLSv1.3"
Enabling the TLS V1.2 and TLS V1.3 security protocols
sslProtocol="TLSv1.2,TLSv1.3" 
No spaces can be used before or after the comma.
Note: WebSphere Application Server Liberty Base must be restarted after the modifications are completed.

Native components and fault-tolerant agents

The following procedures must be repeated for every native component and fault-tolerant agent in the HCL Workload Automation environment.

To enable the TLS V1.3 security protocol for native components and fault-tolerant agents, open the <TWSDATA>/localopts file. Choose the procedure that applies to the kind of certificates you are using:
OpenSSL
Set the keyword: SSL Fips enabled = no
Enabling the TLS V1.3 security protocol exclusively
Comment out the following keywords:
  • #SSL Encryption Cipher =TLSv1.2
  • #CLI SSL cipher = HIGH
Set the following keywords:
  • ssl tls13 cipher = HIGH
  • cli ssl tls13 cipher = HIGH

TLS V1.3 security protocol support is not available if SSL Fips enabled = yes.

Note: The native components and fault-tolerant agents must be restarted after the modifications are completed.
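
The following Python script is an added example, not part of the HCL documentation or product. It audits the three files described above (ita.ini, ssl_config.xml, localopts) against the settings on this page before you restart the components. It assumes the ITA SSL section starts with an `[ITA SSL]` header, that `#` starts a comment line, and that keywords can be compared case-insensitively; the function names and sample inputs are constructed for illustration.

```python
import re

def keywords(text, section=None):
    """Lowercased keyword -> value for uncommented 'key = value' lines, optionally
    restricted to the lines under an INI-style [section] header (assumed format)."""
    found, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif "=" in line and not line.startswith("#") and section in (None, current):
            key, value = line.split("=", 1)
            found[key.strip().lower()] = value.strip()
    return found

def check_ita_ini(text):
    """Dynamic agent: returns 'tls13-only', 'tls12+tls13' or 'not-enabled'."""
    kw = keywords(text, section="ITA SSL")  # assumed header spelling: [ITA SSL]
    if kw.get("fips_enable", "").lower() != "no" or not kw.get("tls13_cipher"):
        return "not-enabled"
    return "tls13-only" if kw.get("tls12_cipher", "").upper() == "NONE" else "tls12+tls13"

def check_ssl_config(xml_text):
    """Liberty override file: classify the sslProtocol attribute value."""
    match = re.search(r'sslProtocol\s*=\s*"([^"]*)"', xml_text)
    if match is None:
        return "not-set"
    value = match.group(1)
    if value in ("TLSv1.3", "TLSv1.2,TLSv1.3"):
        return "tls13-only" if value == "TLSv1.3" else "tls12+tls13"
    # Same protocols but padded: the page forbids spaces around the comma.
    padded = [p.strip() for p in value.split(",")] == ["TLSv1.2", "TLSv1.3"]
    return "invalid-spaces" if padded else "other"

def check_localopts(text):
    """Native components and FTAs, TLS V1.3 exclusively: list deviations (empty = OK)."""
    kw, problems = keywords(text), []
    if kw.get("ssl fips enabled", "").lower() != "no":
        problems.append("SSL Fips enabled must be no")
    problems += [f"{k} must be commented out"
                 for k in ("ssl encryption cipher", "cli ssl cipher") if k in kw]
    problems += [f"{k} is not set to HIGH" for k in ("ssl tls13 cipher", "cli ssl tls13 cipher")
                 if kw.get(k, "").upper() != "HIGH"]
    return problems

# Constructed sample inputs (not taken from a real installation).
SAMPLE_ITA = "[ITA SSL]\nfips_enable = no\ntls12_cipher = NONE\ntls13_cipher = DFLT\n"
SAMPLE_XML = '<ssl id="sample" sslProtocol="TLSv1.2, TLSv1.3"/>'
SAMPLE_LOCALOPTS = ("SSL Fips enabled = no\n#SSL Encryption Cipher =TLSv1.2\n"
                    "CLI SSL cipher = HIGH\nssl tls13 cipher = HIGH\n")
```

On the constructed samples, the ita.ini check reports TLS V1.3 only, the ssl_config.xml check flags the space after the comma, and the localopts check reports the uncommented CLI SSL cipher keyword and the missing cli ssl tls13 cipher keyword.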