WebSphere Application Server & Liberty

IBM Java 8.0.6.30 disables TLSv1 and TLSv1.1 by default. How does it affect WebSphere?

By Hiroko Takamiya posted Fri June 25, 2021 01:00 AM


The SSL Protocols TLS V1.0 and V1.1 are disabled by default in Java 8.0.6.30. How does it affect WebSphere?

Summary

  • Java 8.0.6.30 introduced a default behavior change in the SSL protocols. This blog post provides an overview of how it affects WebSphere Liberty, Open Liberty and Traditional WebSphere.
  • The SSL protocols TLS V1.0 and TLS V1.1 are disabled by default in IBM SDK, Java Technology Edition Version 8 SR6 FP30 (8.0.6.30), as several security standards strongly encourage TLS V1.2 and above.
  • Once Java is upgraded to 8.0.6.30, WebSphere Liberty and Open Liberty pick up the new behavior by default. If the SSL peers depend on TLS V1.0 or V1.1, the Java behavior change will cause an SSL communication outage. A technote has been published with the steps to re-enable the protocols.
  • The Java upgrade should not affect Traditional WebSphere, because it currently re-enables TLS V1.0 and V1.1 at server startup by default. However, to make administrators aware of the higher security standards, WebSphere 8.5.5.20 and 9.0.5.9 introduced new warning messages (CWPKI0317W, CWPKI0318W) that print the list of SSL configurations using TLS V1.0 or TLS V1.1 and a link to the technote with the SSL protocol migration steps.
  • The default behavior change in Java 8.0.6.30 is a good opportunity for server administrators to evaluate current SSL protocol usage and plan the migration as needed.

My Liberty server still needs TLS V1.0 and TLS V1.1. How do I enable them?


The following technote provides step-by-step instructions to enable TLS V1.0 and TLS V1.1: Enabling SSL protocol TLSv1 and TLSv1.1 in Liberty Application Server with IBM Java 8 SR6 FP30 (8.0.6.30) or later. A short summary of the steps follows.

  • Update the "jdk.tls.disabledAlgorithms" property in the java.security file (JAVA_HOME/lib/security/java.security) so that the TLSv1 and TLSv1.1 protocols are no longer listed as disabled.
  • Optionally, the administrator can follow the steps below to keep the configuration from being overwritten by future Java updates.
    • Create a Liberty-specific "java.security" file in Liberty's configuration directory.
    • Add an entry to "jvm.options" that tells the JVM to append Liberty's "java.security" to the default "java.security" in the Java directory.

How does it affect Traditional WebSphere?


Traditional WebSphere sets the following JVM properties at server startup by default. As seen below, the values keep the TLS V1.0 and V1.1 protocols enabled.

jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, MD5 

The above default values apply to WebSphere v9.0 and later and to WebSphere 8.5.5.10 and later. The default values are likely to change in the future to enforce a higher level of security.

If these settings need to be customized, please refer to "com.ibm.websphere.tls.disabledAlgorithms" and "com.ibm.websphere.certpath.disabledAlgorithms" in the "Security custom properties" article for WebSphere V8.5.5 and the one for WebSphere V9.0.
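Whether the disabled list comes from the java.security file, from a Liberty-specific override appended through jvm.options (Liberty steps above), or from the properties Traditional WebSphere sets at startup, the question an administrator wants answered is the same: which protocol versions does this JVM actually enable by default? The program below is an added example, not code from the blog post or from WebSphere. It only reads the JVM's security properties and the default SSLContext and prints the result; it changes nothing. The path in the usage note is an assumed location for a Liberty server's override file.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

/**
 * Reports the TLS protocol versions the running JVM enables by default,
 * next to the jdk.tls.disabledAlgorithms value in effect.
 * Added example; not part of the blog post or of WebSphere itself.
 */
public class TlsProtocolCheck {

    /** Protocol versions that Java 8.0.6.30 disables by default (per the blog post). */
    static final String[] LEGACY = { "TLSv1", "TLSv1.1" };

    /**
     * Protocols the JVM supports but does not enable by default.
     * A version listed in jdk.tls.disabledAlgorithms stays "supported"
     * yet drops out of the default-enabled set, which is what peers see.
     */
    static Set<String> disabledByDefault(SSLContext ctx) {
        Set<String> supported = new LinkedHashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        Set<String> enabled = new LinkedHashSet<>(
                Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()));
        supported.removeAll(enabled);
        return supported;
    }

    public static void main(String[] args) throws Exception {
        // Values come from JAVA_HOME/lib/security/java.security plus any file
        // appended with -Djava.security.properties=<file> (single '=' appends,
        // '==' replaces the whole file).
        System.out.println("jdk.tls.disabledAlgorithms      = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("jdk.certpath.disabledAlgorithms = "
                + Security.getProperty("jdk.certpath.disabledAlgorithms"));

        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Supported protocols : "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Enabled by default  : "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        Set<String> disabled = disabledByDefault(ctx);
        for (String p : LEGACY) {
            System.out.println(p + " is " + (disabled.contains(p) ? "DISABLED" : "enabled")
                    + " by default in this JVM");
        }
    }
}
```

Compile and run it with the same JVM and the same override that the Liberty server uses, for example `javac TlsProtocolCheck.java && java -Djava.security.properties=/opt/liberty/usr/servers/defaultServer/java.security TlsProtocolCheck` (the override path is assumed; use whatever jvm.options points at). Running it once against the plain Java 8.0.6.30 install and once with the override shows the before and after of the change described in this post, and the "Enabled by default" line is what to compare with the protocols the SSL peers actually require.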


WebSphere 8.5.5.20 and 9.0.5.9 introduce new warning messages that print the list of SSL configurations using TLS V1.0 or TLS V1.1.
CWPKI0317W provides the list of SSL configurations that use TLSv1 or TLSv1.1.
CWPKI0318W provides the list of SSL configurations that use SSL_TLSv2, since that spanning protocol includes TLSv1 and TLSv1.1.
Both messages point to the following technote so that administrators can review the migration process: How can I configure WebSphere Application Server SSL protocol to use TLSv1.2 ONLY?

Where do I download the IBM SDK Java?


IBM SDK Java for WebSphere can be downloaded from the following page:
IBM SDK Java Technology Edition Version 8.0 for WebSphere Application Server V9 and WebSphere Liberty using Installation Manager

More information on each Java fix pack can be found here: IBM SDK, Java Technology Edition 8 Service Refresh

Ready to migrate to Java 8.0.6.30? 


Let us know your comments and questions. As always, thanks for using WebSphere! 

More on SSL topics...


Readers of this blog may be interested in the recent SSL articles below:
WebSphere Application Server 9.0.5.6 and earlier, 8.5.5.19 and earlier not accessible when FIPS is enabled on Java 8.0.6.25
A must-read for FIPS users on Traditional WebSphere before upgrading the Java version.

TLSv1.3 in WebSphere Application Server
The IBM Community blog for advanced users on the latest TLSv1.3 protocol topics.


Acknowledgement:

Thanks to Keith Jabcuga, Ramakrishna Arika and Jackson Leonard for the featured technotes and the blog article. Thanks to Alaine Demyers for the review.
