Forcing traffic to use TLS 1.3
You can configure HCL Connections™ to force all traffic that passes between a Connections server and a user's web browser to be sent over TLS 1.3 to avoid security vulnerabilities in TLS 1.2 and earlier versions of SSL.
About this task
When you enforce the use of TLS 1.3, it affects all traffic from browsers and applications, as well as the communication between the Connections JVMs and the IBM WebSphere Application Server.
Procedure
- In the HTTP Server, disable the SSL protocols and the older TLS protocols, leaving only TLS 1.3 enabled.
  - Open the httpd.conf file in the ibm_http_server_root/conf directory.
  - Add the following directive inside the <VirtualHost *:443> ... </VirtualHost> element:
    SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11 TLSv12
  - Stop and start the HTTP Server.
- Modify the WebSphere SSL client properties file to force the use of TLS 1.3:
  - On the deployment manager, open opt/IBM/WebSphere/AppServer/profiles/Dmgr01/properties/ssl.client.props and set com.ibm.ssl.protocol to the following value:
    com.ibm.ssl.protocol=TLSv1.3
  - On every WebSphere node, open opt/IBM/WebSphere/AppServer/profiles/Dmgr01/properties/ssl.client.props and set com.ibm.ssl.protocol to the following value:
    com.ibm.ssl.protocol=TLSv1.3
- On the deployment manager, update the LotusConnections-config.xml file by adding or updating the following property in the last section of the properties element:
  <genericProperty name="com.ibm.connections.SSLProtocol">TLSv1.3</genericProperty>
- In the WebSphere Application Server, update the SSL configurations so that TLS 1.3 is the only allowed secure protocol.
  - Stop all WebSphere Application Server processes except for the Deployment Manager.
  - In the WebSphere Integrated Solutions Console, log in as the administrator and click Security > SSL certificate and key management > SSL configurations.
  - For each configuration listed, select the configuration (for example, CellDefaultSSLSettings) and then click Quality of protection (QoP) settings.
  - Set the Protocol selector to TLSv1.3 so that only TLS 1.3 is allowed. Repeat this step for every configuration.
  - Save your changes and leave the Integrated Solutions Console open for the next step.
- In the WebSphere Integrated Solutions Console, add the following property to the web server:
  - Go to Plug-in properties under Additional Properties.
  - In Custom Properties, add the custom property PLG.Config.USETLS13 with a value of true.
  - Generate and propagate the plug-in.
  - Restart the web server.
- Enable the JVM to override the default TLS setting, to ensure that only TLS 1.3 is used:
  Note: Complete this step on every WebSphere Application Server in the deployment.
  - In the Integrated Solutions Console, click Server Types > WebSphere Application Server.
  - Expand Java and Process Management and then click Process Definition > Java Virtual Machine.
  - In the Generic JVM arguments field, add the following definition if it is not already defined:
    -Dcom.ibm.jsse2.overrideDefaultTLS=true
  - Click OK.
  - Save your changes to the master configuration by clicking Save in the Messages box.
  - Restart WebSphere Application Server so that your changes take effect.
- On each managed node, synchronize the deployment manager changes by running profile_root/bin/syncNode.sh. Ensure that the synchronization completes successfully on every node. If synchronization fails, you might need to manually replace the security.xml file in profile_root/config/cells/cell/ with the version from the deployment manager, and then synchronize the nodes again.
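The following POSIX shell script is an added example, not HCL or IBM code: it audits the three text files edited above (httpd.conf, ssl.client.props and LotusConnections-config.xml) so that an administrator can confirm after a node synchronization that the TLS 1.3 settings are still in place. The file paths are passed as arguments, and the checks match only the directive and property forms shown on this page.

```shell
#!/bin/sh
# Added example (not HCL/IBM code): offline audit of the three text files
# edited in the TLS 1.3 procedure. Paths are supplied by the caller; the
# sample contents used in testing are constructed for illustration.

# httpd.conf: the SSLProtocolDisable directive must name every legacy protocol.
check_httpd_conf() {
    line=$(grep -E '^[[:space:]]*SSLProtocolDisable' "$1" | tail -n 1 | tr '\t' ' ')
    [ -n "$line" ] || { echo "httpd.conf: no SSLProtocolDisable directive"; return 1; }
    for proto in SSLv2 SSLv3 TLSv10 TLSv11 TLSv12; do
        case " $line " in
            *" $proto "*) ;;
            *) echo "httpd.conf: $proto is not disabled"; return 1 ;;
        esac
    done
}

# ssl.client.props: the last uncommented com.ibm.ssl.protocol line must be TLSv1.3.
check_ssl_client_props() {
    value=$(grep -E '^[[:space:]]*com\.ibm\.ssl\.protocol=' "$1" | tail -n 1 | cut -d= -f2-)
    [ "$value" = "TLSv1.3" ] \
        || { echo "ssl.client.props: com.ibm.ssl.protocol is '${value:-unset}'"; return 1; }
}

# LotusConnections-config.xml: the SSLProtocol genericProperty must be TLSv1.3.
check_lc_config() {
    grep -Eq '<genericProperty name="com\.ibm\.connections\.SSLProtocol">[[:space:]]*TLSv1\.3[[:space:]]*</genericProperty>' "$1" \
        || { echo "LotusConnections-config.xml: SSLProtocol property is not TLSv1.3"; return 1; }
}

# Run all three checks; exit status is non-zero if any setting is missing or weak.
audit_tls13() {
    rc=0
    check_httpd_conf "$1" || rc=1
    check_ssl_client_props "$2" || rc=1
    check_lc_config "$3" || rc=1
    [ "$rc" -eq 0 ] && echo "TLS 1.3 enforcement settings present"
    return "$rc"
}

# Usage: audit_tls13.sh httpd.conf ssl.client.props LotusConnections-config.xml
if [ $# -eq 3 ]; then
    audit_tls13 "$1" "$2" "$3"
fi
```

The script only inspects files; it does not replace checking the WebSphere SSL configurations and the plug-in property, which live in the console rather than in these files.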
Parent topic: Configuring HCL Connections to Use TLS 1.3