Learning Horizon | For Learners


Wednesday, 20 March 2019

How To Enable TLS 1.2 In WebSphere Application Server(WAS) 8.5.5.5

In this tutorial, we will learn how to enable TLS 1.2 in WebSphere Application Server (WAS) installed on Windows OS (2008 R2 Standard). As you can see from the screenshot below, WebSphere Application Server (WAS) version 8.5.5.5 has SSL_TLS enabled.


[Screenshot: ssl-tls-websphere-application-server]

Note: Always take a backup before making these changes to avoid any issues.

Steps to Enable TLS 1.2 in WebSphere Application Server

Below are the steps to enable and configure TLS 1.2.

  1. Open a browser and enter the URL of the IBM Integrated Solutions Console, also known as the IBM console or WAS console. Enter your username and password to log in.
  2. Click the "Security" link on the left and go to SSL certificate and key management. Now, click on "SSL Configuration" under Related Items.
  3. Click to open the default SSL settings. Click on Quality of protection (QoP) Settings, which is under Additional Properties.
  4. Make sure that the selected protocol is TLSv1.2. Select Strong from the Cipher suite groups. Now click on Update Selected Ciphers.
  5. Click OK. Save these settings to master configuration directly.
  6. Click again on SSL certificate and key management. Click on Manage FIPS.
  7. In the Manage FIPS window, select Enable SP800-131 and choose Strict.
  8. Click OK. You have to complete some additional steps if you see the non-compliant certificate error mentioned below.
    1. Look and click "Convert Certificates" under the "Related Items" link.
    2. Make sure the Algorithm setting is Strict.
    3. Select 2048 bits for New certificate key size.
    4. Click on OK. Save the settings to master configuration directly.
  9. Now go to the profile properties directory (WAS_Profile_Dir/properties; the exact path varies according to your environment). Open ssl.client.props and get ready to modify the file.
  10. Search for property com.ibm.security.useFIPS and modify it to value true.
  11. Search for the property com.ibm.websphere.security.FIPSLevel, add it if it is not present, and set its value to SP800-131.
  12. Search for the property com.ibm.ssl.protocol. Modify it to TLSv1.2.
  13. Now click Servers, then Server Types, then WebSphere Application Servers. Click on server1.
  14. Click Java and Process Management under the Server Infrastructure link. Then click Process definition.
  15. Click on Java Virtual Machine under the Additional Properties link. Click on Custom properties.
  16. Add the following custom properties (name = value):
    1. com.ibm.team.repository.transport.client.protocol = TLSv1.2
    2. com.ibm.jsse2.sp800-131 = strict
    3. com.ibm.rational.rpe.tls12only = true
  17. Save your changes and restart the WebSphere Application Server so that the changes take effect.
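Steps 9 to 12 are hand edits to ssl.client.props. The following script is an added example (not IBM's tooling and not part of the original post) that applies those three property values idempotently: it backs the file up first, updates keys that already exist, appends keys that are missing, and leaves comments and unrelated settings untouched. The sample file content is constructed for illustration.

```python
"""Apply the ssl.client.props edits from steps 10-12 of the post.

Added example, not IBM code. Edits a Java .properties file, keeping
comments and unrelated keys, and writes a .bak copy before touching it.
"""
import re
import shutil
from pathlib import Path
from typing import Dict, Optional, Tuple

# Target values exactly as given in steps 10-12.
TLS12_PROPS = {
    "com.ibm.security.useFIPS": "true",
    "com.ibm.websphere.security.FIPSLevel": "SP800-131",
    "com.ibm.ssl.protocol": "TLSv1.2",
}

# key=value or key:value; commented lines (# or !) never match.
_KV = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$")

# Constructed sample of a pre-change file (not the shipped file).
SAMPLE = (
    "# constructed sample ssl.client.props\n"
    "com.ibm.ssl.protocol=SSL_TLS\n"
    "com.ibm.security.useFIPS=false\n"
    "# com.ibm.ssl.protocol=TLSv1\n"
)

Changes = Dict[str, Tuple[Optional[str], str]]


def apply_props(text: str, wanted: Dict[str, str] = TLS12_PROPS) -> Tuple[str, Changes]:
    """Return (new_text, changes); changes maps key -> (old, new).
    old is None when the key was absent and had to be appended."""
    lines = text.splitlines()
    changes: Changes = {}
    seen = set()
    for i, line in enumerate(lines):
        m = _KV.match(line)
        if not m or m.group(1) not in wanted:
            continue
        key, old, new = m.group(1), m.group(2), wanted[m.group(1)]
        seen.add(key)
        if old != new:
            lines[i] = f"{key}={new}"
            changes[key] = (old, new)
    for key, new in wanted.items():
        if key not in seen:  # step 11: add the property if not present
            lines.append(f"{key}={new}")
            changes[key] = (None, new)
    return "\n".join(lines) + "\n", changes


def apply_props_file(path: Path) -> Changes:
    """Back up path to path.bak (step: take a backup first), then rewrite it."""
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    new_text, changes = apply_props(path.read_text())
    path.write_text(new_text)
    return changes
```

Running apply_props a second time on its own output reports no changes, which is a quick way to confirm the file already carries the step 10-12 values.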

Here is the final screenshot after successful changes.

[Screenshot: tls-12-websphere-application-server]

In the next post, I will talk about how to clean the cache in WebSphere Application Server. Please write in the comment section if you have any questions or queries related to enabling TLS 1.2 in WebSphere.

1 comment:

  1. To enable TLSv1.2 you do not need to enable FIPS, you should only enable FIPS if that is an actual requirement, since it adds unnecessary complexity and possible failure points. To just enable TLSv1.2 try this link from IBM https://www.ibm.com/support/pages/node/1077951

