The SSL Protocols TLS V1.0 and V1.1 are disabled by default in Java 8 SR6 FP30. How does it affect WebSphere?
- Java 8 SR6 FP30 introduced a change in the default SSL protocol behavior. This blog post gives an overview of how it affects WebSphere Liberty, OpenLiberty and Traditional WebSphere.
- The SSL protocols TLS V1.0 and TLS V1.1 are disabled by default in IBM SDK, Java Technology Edition Version 8 SR6 FP30 (8.0.6.30), because current security standards strongly encourage TLS V1.2 and above.
- Once Java is upgraded to 8 SR6 FP30, WebSphere Liberty and OpenLiberty pick up the new behavior by default. If any SSL peer depends on TLS V1.0 or V1.1, the Java behavior change will cause an SSL communication outage. A technote has been published with the steps to re-enable the protocols.
- The Java upgrade should not affect Traditional WebSphere, which currently re-enables TLS V1.0 and V1.1 at server startup by default. However, to make administrators aware of the higher security standards, WebSphere 188.8.131.52 and 184.108.40.206 introduced new warning messages (CWPKI0317W, CWPKI0318W) that print the list of SSL configurations using TLS V1.0 or TLS V1.1, together with the link to the technote that describes the SSL protocol migration steps.
- The default behavior change in Java 8 SR6 FP30 is a good opportunity for server administrators to evaluate current SSL protocol usage and plan the migration as needed.
My Liberty server still needs TLS V1.0 and TLS V1.1. How do I enable them?
The following technote: "Enabling SSL protocol TLSv1 and TLSv1.1 in Liberty Application Server with IBM Java 8 SR6 FP30 (8.0.6.30) or later" provides step-by-step instructions to enable TLS V1.0 and TLS V1.1. In short, the steps are as follows:
- Update the "jdk.tls.disabledAlgorithms" property in the java.security file (JAVA_HOME/lib/security/java.security) so that the TLSv1 and TLSv1.1 protocols are no longer disabled.
- Optionally, the administrator can follow the steps below to keep the configuration from being overwritten by future Java updates:
  - Create a Liberty-specific "java.security" file in Liberty's configuration directory.
  - Configure "jvm.options" to tell the JVM to append Liberty's "java.security" to the default "java.security" in the Java directory.
How does it affect Traditional WebSphere?
Traditional WebSphere sets the following JVM properties at server startup by default. As shown below, this keeps the TLS V1.0 and V1.1 protocols enabled.
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, MD5withRSA
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, MD5
The above default values apply to WebSphere v9.0 and later and WebSphere 22.214.171.124 and later. The default values are likely to change in the future to enforce a higher level of security.
If these settings need to be customized, refer to "com.ibm.websphere.tls.disabledAlgorithms" and "com.ibm.websphere.certpath.disabledAlgorithms" in the "Security custom properties" article for WebSphere V8.5.5 and the one for WebSphere V9.0.
WebSphere 126.96.36.199 and 188.8.131.52 introduce new warning messages that print the list of SSL configurations using TLS V1.0 or TLS V1.1.
CWPKI0317W lists the SSL configurations that use TLSv1 or TLSv1.1.
CWPKI0318W lists the SSL configurations that use SSL_TLSv2, since that spanning protocol includes TLSv1 and TLSv1.1.
Both messages point to the following technote, where administrators can review the migration process: How can I configure WebSphere Application Server SSL protocol to use TLSv1.2 ONLY?
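The following Python script is an added example, not code from the technotes or from IBM, tying together the Liberty steps above and the two Traditional WebSphere warnings: it parses a java.security file the way the JDK reads it (including backslash line continuations), reports which TLS versions jdk.tls.disabledAlgorithms switches off, builds the override line for a Liberty-specific java.security, and sorts a set of SSL configurations the way CWPKI0317W and CWPKI0318W would. The java.security sample and the SSL configuration names are constructed for the example.

```python
import re
# Constructed sample of the two java.security properties as the page describes
# them for Java 8 SR6 FP30 (TLSv1/TLSv1.1 disabled); not copied from a real JDK.
SAMPLE_JAVA_SECURITY = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
"""
LEGACY = {"TLSv1", "TLSv1.1"}

def load_properties(text):
    """Parse java.security-style properties, joining backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def disabled_algorithms(text, key="jdk.tls.disabledAlgorithms"):
    """Return the comma-separated entries of a disabledAlgorithms property."""
    value = load_properties(text).get(key, "")
    return [e.strip() for e in value.split(",") if e.strip()]

def tls_protocols_disabled(text):
    """TLS protocol versions this java.security stops the JVM from negotiating."""
    return {e for e in disabled_algorithms(text) if re.fullmatch(r"TLSv1(\.\d)?", e)}

def classify_ssl_configs(configs, text):
    """configs maps SSL config name -> protocol. Returns (configs pinned to a legacy
    protocol the JVM disables, as CWPKI0317W lists; SSL_TLSv2 spanning configs, as CWPKI0318W lists)."""
    disabled = tls_protocols_disabled(text)
    broken = sorted(n for n, p in configs.items() if p in LEGACY & disabled)
    spanning = sorted(n for n, p in configs.items() if p == "SSL_TLSv2")
    return broken, spanning

def reenable_legacy_tls(text):
    """Override line for a Liberty-specific java.security: keeps every other
    disabled algorithm and drops only TLSv1 and TLSv1.1, as the technote's step does."""
    kept = [e for e in disabled_algorithms(text) if e not in LEGACY]
    return "jdk.tls.disabledAlgorithms=" + ", ".join(kept)
```

Running `tls_protocols_disabled` on the Traditional WebSphere default shown above (which does not list TLSv1 or TLSv1.1) returns an empty set, which is why the Java upgrade alone does not break that server.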
Where do I download the IBM SDK Java?
IBM SDK Java for WebSphere can be downloaded from the following page: IBM SDK Java Technology Edition Version 8.0 for WebSphere Application Server V9 and WebSphere Liberty using Installation Manager
More information on each Java fix pack can be found here: IBM SDK, Java Technology Edition 8 Service Refresh
Ready to migrate to Java 8 SR6 FP30?
Let us know your comments and questions. As always, thanks for using WebSphere!
More on SSL topics...
Readers of this blog may be interested in the recent SSL articles below: WebSphere Application Server 220.127.116.11 and earlier, 18.104.22.168 and earlier not accessible when FIPS is enabled on Java 8 SR6 FP30
A must-read for FIPS users of Traditional WebSphere before upgrading the Java version. TLSv1.3 in WebSphere Application Server
The IBM Community blog for advanced users on the latest TLSv1.3 protocol topics.
Thanks to Keith Jabcuga, Ramakrishna Arika and Jackson Leonard for the featured technotes and the blog article. Thanks to Alaine Demyers for the review.