Tivoli Monitoring v6.3.0.7 TLS v1.2 only configuration for TEP, IHS, TEPS, TEPS e/WAS components and e/WAS default certificate renewal - IBM
Tivoli Monitoring v6.3.0.7 TLS v1.2 only configuration for TEP, IHS, TEPS, TEPS e/WAS components and e/WAS default certificate renewal
(revision 2.11, May 2020)

Document Owners: Jens Helbig, Tim Land, Aaron Schwartz, Terry Wright, Ragu Srinivasan

© Copyright International Business Machines Corporation 2020. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Table of Contents

Introduction ... 3
Prerequisites ... 3
Backup ... 3
Renew the default certificate ... 3
TLS v1.2 only configuration - TEP, IHS, TEPS, TEPS/eWAS components ... 6
  TEPS/eWAS ... 6
  IHS ... 9
  TEPS ... 10
  TEP Clients ... 10
    Java Web Start (JWS) client ... 10
    Browser client ... 12
    Desktop client ... 13
Appendix A. Additional Information ... 14
Appendix B. Convert WebSphere default certificate from SHA-1 Hash to SHA-256 Hash ... 14
Troubleshooting ... 17
  Trace settings for both IHS and the TEPS/eWAS ... 17
  Unable to login to Tivoli Enterprise Portal (TEP) webstart client ... 17
Introduction

This document describes how the TEP, IHS, TEPS and TEPS e/WAS components need to be configured to use TLS v1.2 only, and how the default certificate in the embedded e/WAS can be renewed. This document does not replace the official Tivoli Monitoring documentation.

Prerequisites

IBM Tivoli Monitoring v6.3.0.7 and onwards.

Backup

Before you begin, please be sure you have a valid backup of:

Windows:
   %CANDLE_HOME%\CNPSJ
   %CANDLE_HOME%\IHS\conf\httpd.conf
   %CANDLE_HOME%\CNPS\KFWENV
   %CANDLE_HOME%\Config\tep.jnlpt
   %CANDLE_HOME%\Config\component.jnlpt
   %CANDLE_HOME%\CNB\applet.html.updateparams
   %CANDLE_HOME%\CNP\kcjparms.txt
   %CANDLE_HOME%\CNPSJ\java\jre\lib\security\java.security

Linux/AIX:
   //iw/
   //iu/ihs/HTTPServer/conf/httpd.conf
   /config/cq.ini
   /config/tep.jnlpt
   /config/component.jnlpt
   //cw/applet.html.updateparams
   //cj/kcjparms.txt
   //iw/java/jre/lib/security/java.security

Renew the default certificate

Before you begin, please take a backup of the e/WAS certificate files before switching from SSL to TLSv1.2!

The e/WAS certificate file locations are:

Windows:
   %CANDLE_HOME%\CNPSJ\profiles\ITMProfile\config\cells\ITMCell\nodes\ITMNode\trust.p12
   %CANDLE_HOME%\CNPSJ\profiles\ITMProfile\config\cells\ITMCell\nodes\ITMNode\key.p12

Linux/AIX:
   //iw/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/trust.p12
   //iw/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/key.p12
Follow the 4-step procedure described in the following IBM Knowledge Center document to enable the TEPS/e Administration Console:
https://www.ibm.com/support/knowledgecenter/de/SSTFXA_6.3.0/com.ibm.itm.doc_6.3/adminuse/userauthenticate_tepse_consolestart.htm

After successfully logging into the TEPS/e Administration Console, click the Security option from the left-side navigation panel. Click the SSL Certificate and Key Management link. Click the Key stores and certificates link under Related items on the right-side navigation panel. Click the NodeDefaultKeyStore link (do not select the check box before it).

1. Click the Personal certificates link under Additional Properties on the right-side navigation panel.
2. Select the check box for the default certificate.
3. Click the Renew button.
4. Click the Save link in the Messages box that appears.
5. Click Logout at the top right of the panel. Close the browser tab or window.
6. Copy the renewed default certificate back to the keyfile.kdb keystore by running the following commands:

   Windows:
   set KEYKDB=%CANDLE_HOME%\\keyfiles\\keyfile.kdb
   set KEYP12=%CANDLE_HOME%\\CNPSJ\\profiles\\ITMProfile\\config\\cells\\ITMCell\\nodes\\ITMNode\\key.p12
   set TRUSTP12=%CANDLE_HOME%\\CNPSJ\\profiles\\ITMProfile\\config\\cells\\ITMCell\\nodes\\ITMNode\\trust.p12
   GSKitcmd gsk8capicmd -cert -delete -db %KEYKDB% -stashed -label default
   GSKitcmd gsk8capicmd -cert -delete -db %KEYKDB% -stashed -label root
   GSKitcmd gsk8capicmd -cert -import -db %KEYP12% -pw WebAS -target %KEYKDB% -target_stashed -label default -new_label default
   GSKitcmd gsk8capicmd -cert -import -db %TRUSTP12% -pw WebAS -target %KEYKDB% -target_stashed -label root -new_label root

   Linux/AIX:
   CH=/opt/IBM/ITM
   IWDIR=$(ls -d $CH/[al]*/iw 2> /dev/null)
   KEYKDB=$CH/keyfiles/keyfile.kdb
   KEYP12=$IWDIR/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/key.p12
   TRUSTP12=$IWDIR/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/trust.p12
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -delete -db $KEYKDB -stashed -label default
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -delete -db $KEYKDB -stashed -label root
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -import -db $KEYP12 -pw WebAS -target $KEYKDB -target_stashed -label default -new_label default
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -import -db $TRUSTP12 -pw WebAS -target $KEYKDB -target_stashed -label root -new_label root

7. Verify that the renewed default certificate is everywhere that it belongs by running the following commands:

   Windows:
   set KEYKDB=%CANDLE_HOME%\\keyfiles\\keyfile.kdb
   set KEYP12=%CANDLE_HOME%\\CNPSJ\\profiles\\ITMProfile\\config\\cells\\ITMCell\\nodes\\ITMNode\\key.p12
   set TRUSTP12=%CANDLE_HOME%\\CNPSJ\\profiles\\ITMProfile\\config\\cells\\ITMCell\\nodes\\ITMNode\\trust.p12
   GSKitcmd gsk8capicmd -cert -list -db %KEYKDB% -stashed -label default
   GSKitcmd gsk8capicmd -cert -details -db %KEYKDB% -stashed -label default | findstr "Serial Issuer Subject Not\ Before Not\ After"
   GSKitcmd gsk8capicmd -cert -details -type p12 -db %KEYP12% -pw WebAS -label default | findstr "Serial Issuer Subject Not\ Before Not\ After"
   GSKitcmd gsk8capicmd -cert -details -db %KEYKDB% -stashed -label root | findstr "Serial Issuer Subject Not\ Before Not\ After"
   GSKitcmd gsk8capicmd -cert -details -type p12 -db %TRUSTP12% -pw WebAS -label root | findstr "Serial Issuer Subject Not\ Before Not\ After"

   Linux/AIX:
   CH=/opt/IBM/ITM
   IWDIR=$(ls -d $CH/[al]*/iw 2> /dev/null)
   KEYKDB=$CH/keyfiles/keyfile.kdb
   KEYP12=$IWDIR/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/key.p12
   TRUSTP12=$IWDIR/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/trust.p12
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -list -db $KEYKDB -stashed -label default
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -details -db $KEYKDB -stashed -label default | egrep 'Serial|Issuer|Subject|Not Before|Not After'
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -details -db $KEYP12 -pw WebAS -label default | egrep 'Serial|Issuer|Subject|Not Before|Not After'
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -details -db $KEYKDB -stashed -label root | egrep 'Serial|Issuer|Subject|Not Before|Not After'
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -details -db $TRUSTP12 -pw WebAS -label root | egrep 'Serial|Issuer|Subject|Not Before|Not After'

   The Serial, Subject and validity lines printed for the same label from key.p12 (or trust.p12) and from keyfile.kdb must be identical; if keyfile.kdb still shows the old serial number or the old Not After date, step 6 did not take effect.

8. Restart the TEPS.
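The comparison in step 7 can be scripted instead of read by eye. The following is an added example for Linux/AIX and is not part of the IBM document: it parses the "-cert -details" output of both keystores and reports whether keyfile.kdb really holds the renewed certificate. It assumes GSKit prints one "Field : value" line per field (the layout the egrep filter above relies on); the sample dumps are constructed and the CH, KEYP12, TRUSTP12 and KEYKDB variables are the ones set in step 7.

```shell
#!/bin/sh
# Added example (not part of the IBM document): confirm that the certificate
# GSKit reports under a label in keyfile.kdb is the same certificate that the
# e/WAS keystore holds, i.e. that step 6 really copied the renewed "default"
# (and "root") certificate. Assumption: "gsk8capicmd -cert -details" prints
# one "Field : value" line per field (Serial, Subject, Not After, ...).

# cert_field FIELD -- read a "-cert -details" dump on stdin and print the
# value of FIELD (first occurrence), e.g. cert_field Serial.
cert_field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# same_cert DUMP_A DUMP_B -- 0 if both dumps describe the same certificate
# (identical serial number and subject), 1 otherwise.
same_cert() {
    sa=$(printf '%s\n' "$1" | cert_field Serial)
    sb=$(printf '%s\n' "$2" | cert_field Serial)
    ja=$(printf '%s\n' "$1" | cert_field Subject)
    jb=$(printf '%s\n' "$2" | cert_field Subject)
    [ -n "$sa" ] && [ "$sa" = "$sb" ] && [ "$ja" = "$jb" ]
}

# verify_label CH LABEL P12 KDB -- live check: dump LABEL from the e/WAS .p12
# file and from keyfile.kdb with the same GSKit commands as step 7, then
# compare. WebAS is the p12 password used throughout the document.
verify_label() {
    ch=$1; label=$2; p12=$3; kdb=$4
    d_p12=$(CANDLEHOME="$ch" "$ch/bin/GSKitcmd.sh" gsk8capicmd_64 -cert -details \
            -type p12 -db "$p12" -pw WebAS -label "$label")
    d_kdb=$(CANDLEHOME="$ch" "$ch/bin/GSKitcmd.sh" gsk8capicmd_64 -cert -details \
            -db "$kdb" -stashed -label "$label")
    if same_cert "$d_p12" "$d_kdb"; then
        echo "$label: keyfile.kdb holds the renewed certificate"
    else
        s_kdb=$(printf '%s\n' "$d_kdb" | cert_field Serial)
        s_p12=$(printf '%s\n' "$d_p12" | cert_field Serial)
        echo "$label: keyfile.kdb (serial $s_kdb) does NOT match $p12 (serial $s_p12)" >&2
        return 1
    fi
}

# Constructed sample dumps (values invented for this example) so the
# comparison can be exercised without a live keystore.
RENEWED='Label : default
Key Size : 2048
Serial : 07:19:47:b7:e6:04:d8:c6
Issuer : CN=ITM630HUBJ,OU=Root Certificate,OU=ITMCell,OU=ITMNode,O=IBM,C=US
Subject : CN=ITM630HUBJ,OU=ITMCell,OU=ITMNode,O=IBM,C=US
Not Before : April 4, 2020 7:31:00 PM GMT
Not After : April 4, 2021 7:31:00 PM GMT'
STALE='Label : default
Key Size : 2048
Serial : 02:a4:11:90:5e:17:3c:dd
Issuer : CN=ITM630HUBJ,OU=Root Certificate,OU=ITMCell,OU=ITMNode,O=IBM,C=US
Subject : CN=ITM630HUBJ,OU=ITMCell,OU=ITMNode,O=IBM,C=US
Not Before : April 4, 2019 7:31:00 PM GMT
Not After : April 4, 2020 7:31:00 PM GMT'

if same_cert "$RENEWED" "$STALE"; then
    echo "same certificate"
else
    echo "different: keyfile.kdb would still hold the old certificate"
fi
# Live use, once the step 7 variables are set:
#   verify_label "$CH" default "$KEYP12" "$KEYKDB" && verify_label "$CH" root "$TRUSTP12" "$KEYKDB"
```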
TLS v1.2 only configuration - TEP, IHS, TEPS, TEPS/eWAS components

The change for TLS v1.2 must be made on all components!

TEPS/eWAS

The configuration changes for the TEPS/eWAS component to support TLS v1.2 require use of the TEPS/e Administration Console. However, to enable this console application to operate over TLS v1.2, you must first update one of the property files associated with the ITM Profile of the TEPS/eWAS; this update is covered by the first four steps listed below.

1. Follow the 4-step procedure described in the following IBM Knowledge Center document to enable the TEPS/e Administration Console:
   https://www.ibm.com/support/knowledgecenter/de/SSTFXA_6.3.0/com.ibm.itm.doc_6.3/adminuse/userauthenticate_tepse_consolestart.htm
2. After successfully logging into the TEPS/e Administration Console, click the Security option from the left-side navigation panel.
3. Click the SSL Certificate and Key Management link.
4. Click SSL Configurations under the "Related Items" section on the right-side navigation panel.
5. Click the NodeDefaultSSLSettings entry found in the table.
6. Under the Additional Properties section on the right-side navigation panel, click the Quality of Protection (QoP) link.
7. From the Protocol drop-down list in the panel, select the entry TLSv1.2.
8. Click the OK button near the bottom of the panel.
9. Click the Save link near the top of the panel to save the configuration changes.
10. Add the custom property com.ibm.websphere.tls.disabledAlgorithms in the eWAS as well:
11. Navigate to Security > Global security > Custom properties.
12. Select New; in the box labeled Name enter com.ibm.websphere.tls.disabledAlgorithms.
13. In the box labeled Value enter none.
14. Click the OK button near the bottom of the panel.
15. Click the Save link near the top of the panel to save the configuration changes.
16. Log out from the TEPS/e Administration Console.
When you now disable the TEPS/e Administration Console by running the command:

   /opt/IBM/ITM/lx8266/iw/scripts/enableISCLite.sh false

you will be prompted with the SSL signer exchange prompt:

   *** SSL SIGNER EXCHANGE PROMPT ***
   SSL signer from target host 127.0.0.1 is not found in trust store /opt/IBM/ITM/aix536/iw/profiles/ITMProfile/etc/trust.p12.
   Here is the signer information (verify the digest value matches what is displayed at the server):

   Subject DN:    CN=lparaix18, OU=ITMCell, OU=ITMNode, O=IBM, C=US
   Issuer DN:     CN=lparaix18, OU=Root Certificate, OU=ITMCell, OU=ITMNode, O=IBM, C=US
   Serial number: 2160238675377148
   Expires:       Fri May 07 13:15:48 BST 2021
   SHA-1 Digest:  3E:4C:90:82:2A:7F:B1:1A:09:21:12:D0:C6:A6:61:C9:6F:51:BA:7B
   MD5 Digest:    E9:4E:67:2B:F0:A7:71:3D:0C:81:F0:44:A0:D8:05:E5

   Subject DN:    CN=lparaix18, OU=Root Certificate, OU=ITMCell, OU=ITMNode, O=IBM, C=US
   Issuer DN:     CN=lparaix18, OU=Root Certificate, OU=ITMCell, OU=ITMNode, O=IBM, C=US
   Serial number: 2160236409360156
   Expires:       Fri May 04 13:15:47 BST 2035
   SHA-1 Digest:  3E:4C:90:82:2A:7F:B1:1A:09:21:12:D0:C6:A6:61:C9:6F:51:BA:7B
   MD5 Digest:    E9:4E:67:2B:F0:A7:71:3D:0C:81:F0:44:A0:D8:05:E5

   Add signer to the trust store now? (y/n)

Please confirm this change with "y"!

17. Edit the following file located on the machine where the TEPS is installed (location depends on the platform where the TEPS is installed):
   Windows: %CANDLE_HOME%\CNPSJ\profiles\ITMProfile\properties\ssl.client.props
   Linux/AIX: //iw/profiles/ITMProfile/properties/ssl.client.props
18. Locate the property named com.ibm.ssl.protocol. The value assigned to this property will probably be SSL_TLS, as follows:
   com.ibm.ssl.protocol=SSL_TLS
19. Change the value assigned to the property to the following:
   com.ibm.ssl.protocol=TLSv1.2
When you want to verify that the ITM eWAS is using TLSv1.2, you can run the following command:

   openssl s_client -connect webspherehostname:consolesslport -tls1_2

An example would look like this (the PEM body of the server certificate is omitted):

   [root@ITM630HUBJ bin]# openssl s_client -connect 172.16.11.4:15206 -tls1_2
   CONNECTED(00000003)
   depth=1 C = US, O = IBM, OU = ITMNode, OU = ITMCell, OU = Root Certificate, CN = ITM630HUBJ
   verify error:num=19:self signed certificate in certificate chain
   verify return:0
   ---
   Certificate chain
    0 s:/C=US/O=IBM/OU=ITMNode/OU=ITMCell/CN=ITM630HUBJ
      i:/C=US/O=IBM/OU=ITMNode/OU=ITMCell/OU=Root Certificate/CN=ITM630HUBJ
    1 s:/C=US/O=IBM/OU=ITMNode/OU=ITMCell/OU=Root Certificate/CN=ITM630HUBJ
      i:/C=US/O=IBM/OU=ITMNode/OU=ITMCell/OU=Root Certificate/CN=ITM630HUBJ
   ---
   Server certificate
   -----BEGIN CERTIFICATE-----
   [...]
   -----END CERTIFICATE-----
   subject=/C=US/O=IBM/OU=ITMNode/OU=ITMCell/CN=ITM630HUBJ
   issuer=/C=US/O=IBM/OU=ITMNode/OU=ITMCell/OU=Root Certificate/CN=ITM630HUBJ
   ---
   No client certificate CA names sent
   Server Temp Key: DH, 1024 bits
   ---
   SSL handshake has read 2600 bytes and written 437 bytes
   ---
   New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
   Server public key is 2048 bit
   Secure Renegotiation IS supported
   Compression: NONE
   Expansion: NONE
   SSL-Session:
       Protocol  : TLSv1.2
       Cipher    : DHE-RSA-AES256-GCM-SHA384
       Session-ID: 5EBD6A9BF2A8BFB8A5EA6DB23DF54D45D0EA7D0A74BB6D33FD928E39527317D3
       Session-ID-ctx:
       Master-Key: C41A8412B3542DA4BFCB70007EB174BFF50582EDD803E4268BA1995F8F6CC8D02F7C2DB7B60A3DD1398E4F440C6C233F
       Key-Arg   : None
       Krb5 Principal: None
       PSK identity: None
       PSK identity hint: None
       Start Time: 1589471899
       Timeout   : 7200 (sec)
       Verify return code: 19 (self signed certificate in certificate chain)
   ---
   closed

The "Protocol : TLSv1.2" line in the SSL-Session block confirms the negotiated version; verify return code 19 is expected here because the default e/WAS certificate chain is signed by the node's own root certificate, which openssl does not trust unless that root is given to it.
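The s_client check above only shows that TLS 1.2 works; it does not show that the older versions are now refused. The following shell script is an added example and is not part of the IBM document: it classifies s_client output and probes a port once per protocol version, so that after the change only -tls1_2 should come back as accepted. It assumes the OpenSSL 1.0.x/1.1.x text layout shown above; the sample outputs are constructed and the host and port are placeholders.

```shell
#!/bin/sh
# Added example, not taken from the IBM document: classify "openssl s_client"
# output and probe a TEPS/eWAS (or IHS) port with every protocol version, so
# you can confirm that SSLv3, TLS 1.0 and TLS 1.1 are refused and only
# TLS 1.2 is accepted. Assumption: s_client prints an "SSL-Session:" block
# with "Protocol :" and "Cipher :" lines, as in the output shown above.

# handshake_result OUTPUT -- print one of:
#   "accepted <protocol> <cipher>"  handshake completed
#   "rejected"                      server refused (Cipher 0000 / (NONE))
#   "untestable"                    local OpenSSL cannot speak that version
handshake_result() {
    out=$1
    case $out in
        *"nknown option"*|*"no protocols available"*) echo untestable; return 0 ;;
    esac
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case $cipher in
        ""|0000|"(NONE)") echo rejected ;;
        *) echo "accepted $proto $cipher" ;;
    esac
}

# weak_temp_key OUTPUT -- 0 if the "Server Temp Key" line shows an ephemeral
# DH group below 2048 bits, 1 otherwise. The document's own sample shows
# "DH, 1024 bits", which is below current recommendations even though the
# protocol version is TLSv1.2.
weak_temp_key() {
    bits=$(printf '%s\n' "$1" | sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits.*/\1/p')
    [ -n "$bits" ] && [ "$bits" -lt 2048 ]
}

# probe_protocols HOST PORT -- run s_client once per version and report.
# After the configuration in this section only -tls1_2 should be "accepted".
probe_protocols() {
    for opt in -ssl3 -tls1 -tls1_1 -tls1_2; do
        out=$(openssl s_client -connect "$1:$2" "$opt" </dev/null 2>&1)
        printf '%-8s %s\n' "$opt" "$(handshake_result "$out")"
    done
}

# Constructed samples (shaped like the output above; the values are invented)
# so the classifier runs without a server.
ACCEPTED='Server Temp Key: DH, 1024 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 19 (self signed certificate in certificate chain)'
REFUSED='SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Verify return code: 0 (ok)'

handshake_result "$ACCEPTED"   # accepted TLSv1.2 DHE-RSA-AES256-GCM-SHA384
handshake_result "$REFUSED"    # rejected
weak_temp_key "$ACCEPTED" && echo "warning: ephemeral DH group is weaker than 2048 bits"
# Live use: probe_protocols webspherehostname consolesslport
```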
IHS

The IBM HTTP Server (IHS) is used to route HTTP/HTTPS request traffic between programmatic consumers of the TEPS (e.g., the TEP client) and the TEPS and/or TEPS/eWAS server components. By default, port 15200 is used for HTTP requests and port 15201 for HTTPS requests. Assuming that HTTPS requests are being used over port 15201, the following configuration changes are required to use the TLS v1.2 protocol exclusively for secure communications:

1. Edit the following file on the machine where the TEPS is installed (location depends on the platform where the TEPS is installed):
   Windows: %CANDLE_HOME%\IHS\conf\httpd.conf
   Linux/AIX: //iu/ihs/HTTPServer/conf/httpd.conf
2. Locate the following VirtualHost directive statement in the file:
3. Within the VirtualHost directive block found in step 2 above, change/add the following SSLProtocol statements (only TLSv12 will be enabled):
   SSLProtocolDisable SSLv2
   SSLProtocolDisable SSLv3
   SSLProtocolDisable TLSv10
   SSLProtocolDisable TLSv11
   SSLProtocolEnable TLSv12
   SSLCipherSpec ALL -SSL_RSA_WITH_3DES_EDE_CBC_SHA
4. If the HTTPS protocol is being used exclusively (no HTTP traffic being allowed from remote clients), continue with the steps that follow for further modifications to the httpd.conf file. If, however, HTTP traffic from remote clients will still be allowed, save the changes to the httpd.conf file now; the configuration of the IHS component is then complete.
5. To restrict communications with IHS to port 15201 only for remote clients using the HTTPS protocol, make sure there are no VirtualHost directives in the httpd.conf file for any ports other than 15201. In addition, make sure the ServerName directive is qualified by port 15201 as follows:
   ServerName :15201
6. Some ITM installation / configuration utilities and scripts that execute on the same machine as the TEPS expect to be able to use the HTTP protocol over port 15200. To allow only localhost access to the TEPS using HTTP over port 15200, the following Listen directive must be added to the httpd.conf file:
   Listen 127.0.0.1:15200
7. Save the changes to the httpd.conf file; the configuration of the IHS component is now complete.
TEPS

1. Edit the following file on the machine where the TEPS is installed (location and file name depend on the platform where the TEPS is installed):
   Windows: %CANDLE_HOME%\CNPS\KFWENV
   Linux/AIX: /config/cq.ini
2. Check if the following statements exist in the file. If they do not, add them:
   KFW_ORB_ENABLED_PROTOCOLS=TLS_Version_1_2_Only
   KDEBE_TLS10_ON=NO
   KDEBE_TLS11_ON=NO
   KDEBE_TLSV12_CIPHER_SPECS=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
3. Save the file.
4. Modify the java.security file:
   Windows: %CANDLE_HOME%\CNPSJ\java\jre\lib\security\java.security
   Linux/AIX: //iw/java/jre/lib/security/java.security
   Add the following line to the bottom of the file:
   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, DESede, DES, RSA keySize < 2048
5. Save the file.
6. Reconfigure the TEPS.

TEP Clients

The procedure for updating the TEP client configuration to support TLS v1.2 depends on the TEP client deployment mode being used; there are 3 supported deployment modes: Java Web Start (JWS), Browser, and Desktop. Configuration changes for the JWS and Browser modes are applied to files located on the TEPS machine; configuration changes for the Desktop mode must be made on each individual machine where the TEP Desktop client is installed.

Java Web Start (JWS) client

1. Edit the following file on the machine where the TEPS is installed (location depends on the platform where the TEPS is installed):
   Windows: %CANDLE_HOME%\Config\tep.jnlpt
   Linux/AIX: /config/tep.jnlpt
2. Locate the codebase attribute statement. By default, the codebase attribute is assigned the following value:
   codebase="http://$HOST$:$PORT$/">
3. Change the value assigned to the codebase attribute to the following value:
   codebase="https://$HOST$:15201/">
4. Locate the comment statement. This statement marks the beginning of the custom parameter section for the TEP JWS client.
5. Add the following statements just after the comment statement located in the previous step:
6. Save the changes to the tep.jnlpt file.
7. Edit the following file, found in the same directory on the TEPS machine as the tep.jnlpt file:
   Windows: %CANDLE_HOME%\Config\component.jnlpt
   Linux/AIX: /config/component.jnlpt
8. Locate the codebase attribute statement. By default, the codebase attribute is assigned the following value:
   codebase="http://$HOST$:$PORT$/">
9. Change the value assigned to the codebase attribute to the following value:
   codebase="https://$HOST$:15201/">
10. Save the changes to the component.jnlpt file.
11. Reconfigure the TEP JWS client:
   If the TEPS is installed on Linux/AIX, issue the following command:
   /bin/itmcmd config -A cw
   If the TEPS is installed on Windows, perform the following procedure:
   a) Open the MTEMS GUI (the stoplight icon on the Windows desktop) using the 'Run as Administrator' option from the Windows desktop or Start menu.
   b) Select the Tivoli Enterprise Portal Browser entry in the table.
   c) Right-click on the entry and select the Reconfigure menu action.
12. On each workstation where the TEP JWS client is executed, clear the Java cache. Choose one of the following procedures for clearing the Java cache.
   From the command line, issue the following command (make sure that the directory from which the command is executed belongs to the Java installation used to execute the TEP JWS client):
   Windows: \javaws -uninstall
   Linux/AIX: /bin/javaws -uninstall
13. From the Java Control Panel (GUI), use the following procedure (make sure the Java Control Panel that is used belongs to the Java installation used to execute the TEP JWS client):
   https://www.ibm.com/support/knowledgecenter/en/SSTFXA_6.3.0/com.ibm.itm.doc_6.3/trouble/tools_jarcacheclearing_trouble.htm
14. Check in the Java Control Panel that TLS v1.2 is enabled: open the Java Control Panel -> Advanced tab -> "Advanced Security Settings" and verify that "Use TLS 1.2" is enabled. In the Oracle Sun JRE v8, TLS 1.2 is enabled by default. Click OK.

Browser client

1. Edit the following file on the machine where the TEPS is installed (location depends on the platform where the TEPS is installed):
   Windows: %CANDLE_HOME%\CNB\applet.html.updateparams
   Linux/AIX: //cw/applet.html.updateparams
2. Add the following statements to the end of the applet.html.updateparams file (each statement contains key, action, and value sections, separated by a vertical bar character):
   tep.connection.protocol|override|'https'
   tep.connection.protocol.url.port|override|'15201'
   tep.sslcontext.protocol|override|'TLSv1.2'
3. Save the changes to the applet.html.updateparams file.
4. Reconfigure the TEP Browser client:
   If the TEPS is installed on Linux/AIX, issue the following command:
   /bin/itmcmd config -A cw
   If the TEPS is installed on Windows, perform the following procedure:
   a) Open the MTEMS GUI using the 'Run as Administrator' option from the Windows desktop or Start menu.
   b) Select the Tivoli Enterprise Portal Browser entry in the table.
   c) Right-click on the entry and select the Reconfigure menu action.
5. On each workstation where the TEP Browser client is executed, clear the Java cache. Choose one of the following procedures for clearing the Java cache.
   From the command line, issue the following command (make sure that the directory from which the command is executed belongs to the Java installation used to execute the TEP Browser client):
   Windows: \bin\javaws -uninstall
Desktop client

5. Use the following procedure to reconfigure the TEP Desktop client. Steps 3 and 4 in the following support link are used to edit the values assigned to the selected parameters:
   https://www.ibm.com/support/knowledgecenter/SSTFXA_6.3.0.1/com.ibm.itm.doc_6.3/adminuse/tepparms_edit.htm
6. Below is a list of the parameters and values that need to be edited using the support link referenced in the previous step (make sure that you also select the 'In Use' check box for each parameter you edit):
   parameter: tep.connection.protocol            value: https
   parameter: tep.connection.protocol.url.port   value: 15201
   parameter: tep.sslcontext.protocol            value: TLSv1.2
7. As documented in the support link referenced above, when all the parameters have been edited, click OK to save your changes. The changes will take effect the next time the TEP Desktop client is launched. Repeat all steps above for each TEP Desktop client installation in the enterprise that connects to a TEPS environment configured for TLS v1.2.

Appendix A. Additional Information

Please note: the following entries must be set in ALL TEMS and ALL agents!

1. Edit the following file on the machine where the TEMS or agents are installed (location and file name depend on the platform where the TEMS and/or agents are installed):
   Windows: %CANDLE_HOME%\*\KENV
   Linux/AIX: /config/.ini
2. Check if the following statements exist in the file. If they do not, add them:
   KDEBE_TLS10_ON=NO
   KDEBE_TLS11_ON=NO
   KDEBE_TLSV12_CIPHER_SPECS=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

Appendix B. Convert WebSphere default certificate from SHA-1 Hash to SHA-256 Hash

Before you begin, please take a backup of the e/WAS certificate files before switching from SHA-1 to SHA-256!
The e/WAS certificate file locations are:

Windows:
   %CANDLE_HOME%\CNPSJ\profiles\ITMProfile\config\cells\ITMCell\nodes\ITMNode\trust.p12
   %CANDLE_HOME%\CNPSJ\profiles\ITMProfile\config\cells\ITMCell\nodes\ITMNode\key.p12

Linux/AIX:
   //iw/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/trust.p12
   //iw/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/key.p12
Follow the 4-step procedure described in the following IBM Knowledge Center document to enable the TEPS/e Administration Console:
https://www.ibm.com/support/knowledgecenter/de/SSTFXA_6.3.0.2/com.ibm.itm.doc_6.3fp2/adminuse/userauthenticate_tepse_consolestart.htm

After successfully logging into the TEPS/e Administration Console, click the Security option from the left-side navigation panel. Click the SSL Certificate and Key Management link. Click the Manage FIPS link on the right-side navigation panel. Click the Convert certificates link under Related Items on the right-side navigation panel.

1. Select SHA256withRSA from the Strict pulldown menu in the Algorithm section.
2. Select 2048 from the New certificate key size pulldown menu.
3. Click the Apply button.
4. Click the Save link in the Messages box that appears.
5. Click Logout at the top right of the panel. Close the browser tab or window.
6. When you now disable the TEPS/e Administration Console by running the command:
   /opt/IBM/ITM/lx8266/iw/scripts/enableISCLite.sh false
   you will be prompted with the *** SSL SIGNER EXCHANGE PROMPT ***. Please confirm this change with "y"!
7. Copy the converted default and root certificates back to the keyfile.kdb keystore by running the following commands:

   Windows:
   set KEYKDB=%CANDLE_HOME%\\keyfiles\\keyfile.kdb
   set KEYP12=%CANDLE_HOME%\\CNPSJ\\profiles\\ITMProfile\\config\\cells\\ITMCell\\nodes\\ITMNode\\key.p12
   set TRUSTP12=%CANDLE_HOME%\\CNPSJ\\profiles\\ITMProfile\\config\\cells\\ITMCell\\nodes\\ITMNode\\trust.p12
   GSKitcmd gsk8capicmd -cert -delete -db %KEYKDB% -stashed -label default
   GSKitcmd gsk8capicmd -cert -delete -db %KEYKDB% -stashed -label root
   GSKitcmd gsk8capicmd -cert -import -db %KEYP12% -pw WebAS -target %KEYKDB% -target_stashed -label default -new_label default
   GSKitcmd gsk8capicmd -cert -import -db %TRUSTP12% -pw WebAS -target %KEYKDB% -target_stashed -label root -new_label root

   Linux/AIX:
   CH=/opt/IBM/ITM
   IWDIR=$(ls -d $CH/[al]*/iw 2> /dev/null)
   KEYKDB=$CH/keyfiles/keyfile.kdb
   KEYP12=$IWDIR/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/key.p12
   TRUSTP12=$IWDIR/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/trust.p12
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -delete -db $KEYKDB -stashed -label default
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -delete -db $KEYKDB -stashed -label root
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -import -db $KEYP12 -pw WebAS -target $KEYKDB -target_stashed -label default -new_label default
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -import -db $TRUSTP12 -pw WebAS -target $KEYKDB -target_stashed -label root -new_label root

8. Verify that the converted default and root certificates are everywhere that they belong by running the following commands:

   Windows:
   set KEYKDB=%CANDLE_HOME%\\keyfiles\\keyfile.kdb
   set KEYP12=%CANDLE_HOME%\\CNPSJ\\profiles\\ITMProfile\\config\\cells\\ITMCell\\nodes\\ITMNode\\key.p12
   set TRUSTP12=%CANDLE_HOME%\\CNPSJ\\profiles\\ITMProfile\\config\\cells\\ITMCell\\nodes\\ITMNode\\trust.p12
   GSKitcmd gsk8capicmd -cert -list -db %KEYKDB% -stashed -label default
   GSKitcmd gsk8capicmd -cert -details -db %KEYKDB% -stashed -label default | findstr "Serial Issuer Subject Not\ Before Not\ After"
   GSKitcmd gsk8capicmd -cert -details -type p12 -db %KEYP12% -pw WebAS -label default | findstr "Serial Issuer Subject Not\ Before Not\ After"
   GSKitcmd gsk8capicmd -cert -details -db %KEYKDB% -stashed -label root | findstr "Serial Issuer Subject Not\ Before Not\ After"
   GSKitcmd gsk8capicmd -cert -details -type p12 -db %TRUSTP12% -pw WebAS -label root | findstr "Serial Issuer Subject Not\ Before Not\ After"

   Linux/AIX:
   CH=/opt/IBM/ITM
   IWDIR=$(ls -d $CH/[al]*/iw 2> /dev/null)
   KEYKDB=$CH/keyfiles/keyfile.kdb
   KEYP12=$IWDIR/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/key.p12
   TRUSTP12=$IWDIR/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/trust.p12
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -list -db $KEYKDB -stashed -label default
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -details -db $KEYKDB -stashed -label default | egrep 'Serial|Issuer|Subject|Not Before|Not After'
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -details -db $KEYP12 -pw WebAS -label default | egrep 'Serial|Issuer|Subject|Not Before|Not After'
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -details -db $KEYKDB -stashed -label root | egrep 'Serial|Issuer|Subject|Not Before|Not After'
   CANDLEHOME=$CH $CH/bin/GSKitcmd.sh gsk8capicmd_64 -cert -details -db $TRUSTP12 -pw WebAS -label root | egrep 'Serial|Issuer|Subject|Not Before|Not After'

9. Edit the plugin-cfg.xml file and add the parameter StrictSecurity="true":
   Windows: %CANDLE_HOME%\IHSPlugins\config\ITMWebServer\plugin-cfg.xml
   Linux/AIX: //iu/ihs/Plugins/config/ITMWebServer/plugin-cfg.xml
10. Restart the TEPS.
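Because the settings above are spread over several files on every TEMS, agent and TEPS host, it is worth checking them all before the restarts. The following script is an added example for Linux/AIX and is not part of the IBM document: it verifies the KFWENV/cq.ini statements from the TEPS section, the K<pc>ENV/<pc>.ini statements from Appendix A, the com.ibm.ssl.protocol value in ssl.client.props and the IHS directives in httpd.conf. File paths are passed in by the caller; the sample files it creates are constructed for the demonstration and are not from a real installation.

```shell
#!/bin/sh
# Added example, not part of the IBM document: audit the text settings the
# sections above require (TEPS KFWENV/cq.ini, the TEMS/agent K<pc>ENV/<pc>.ini
# files of Appendix A, ssl.client.props of the TEPS/eWAS and the IHS
# httpd.conf). Paths are arguments because they depend on platform and
# install directory; the Windows copies of these files have the same content.

# require_setting FILE KEY VALUE -- 0 if an uncommented "KEY=VALUE" line is
# present (blanks around "=" tolerated), 1 otherwise.
require_setting() {
    k=$(printf '%s' "$2" | sed 's/[.]/\\./g')     # "." is literal in key/value
    v=$(printf '%s' "$3" | sed 's/[.]/\\./g')
    grep -v '^[[:space:]]*[#;]' "$1" |
        grep -q "^[[:space:]]*$k[[:space:]]*=[[:space:]]*$v[[:space:]]*\$"
}

# check_settings FILE KEY=VALUE ... -- print ok/MISSING per setting and
# return the number of missing settings.
check_settings() {
    f=$1; shift; missing=0
    for kv in "$@"; do
        if require_setting "$f" "${kv%%=*}" "${kv#*=}"; then
            echo "ok      $f: $kv"
        else
            echo "MISSING $f: $kv"; missing=$((missing + 1))
        fi
    done
    return $missing
}

# The settings named in the sections above, one list per file type.
TEPS_SETTINGS='KFW_ORB_ENABLED_PROTOCOLS=TLS_Version_1_2_Only KDEBE_TLS10_ON=NO KDEBE_TLS11_ON=NO KDEBE_TLSV12_CIPHER_SPECS=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA'
AGENT_SETTINGS='KDEBE_TLS10_ON=NO KDEBE_TLS11_ON=NO KDEBE_TLSV12_CIPHER_SPECS=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA'
EWAS_SETTINGS='com.ibm.ssl.protocol=TLSv1.2'

# check_httpd FILE -- the IHS directives: four SSLProtocolDisable lines,
# SSLProtocolEnable TLSv12, and no Listen on port 15200 other than 127.0.0.1.
# (Checked file-wide; the document places them inside the 15201 VirtualHost.)
check_httpd() {
    f=$1; bad=0
    for p in SSLv2 SSLv3 TLSv10 TLSv11; do
        grep -q "^[[:space:]]*SSLProtocolDisable[[:space:]][[:space:]]*$p\$" "$f" ||
            { echo "MISSING $f: SSLProtocolDisable $p"; bad=$((bad + 1)); }
    done
    grep -q '^[[:space:]]*SSLProtocolEnable[[:space:]][[:space:]]*TLSv12$' "$f" ||
        { echo "MISSING $f: SSLProtocolEnable TLSv12"; bad=$((bad + 1)); }
    if grep '^[[:space:]]*Listen[[:space:]]' "$f" | grep 15200 | grep -qv '127\.0\.0\.1:15200'; then
        echo "WARN    $f: port 15200 is not restricted to 127.0.0.1"; bad=$((bad + 1))
    fi
    return $bad
}

# make_samples DIR -- constructed sample files (not from a real install): a
# compliant cq.ini, httpd.conf and ssl.client.props, and an incomplete lz.ini.
make_samples() {
    mkdir -p "$1"
    printf '%s\n' 'KFW_ORB_ENABLED_PROTOCOLS=TLS_Version_1_2_Only' 'KDEBE_TLS10_ON=NO' \
        'KDEBE_TLS11_ON=NO' \
        'KDEBE_TLSV12_CIPHER_SPECS=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA' \
        > "$1/cq.ini"
    printf '%s\n' '# KDEBE_TLS11_ON=NO  (commented out: does not count)' \
        'KDEBE_TLS10_ON=NO' > "$1/lz.ini"
    printf '%s\n' 'Listen 127.0.0.1:15200' 'Listen 15201' '<VirtualHost *:15201>' \
        '  SSLProtocolDisable SSLv2' '  SSLProtocolDisable SSLv3' \
        '  SSLProtocolDisable TLSv10' '  SSLProtocolDisable TLSv11' \
        '  SSLProtocolEnable TLSv12' \
        '  SSLCipherSpec ALL -SSL_RSA_WITH_3DES_EDE_CBC_SHA' '</VirtualHost>' \
        > "$1/httpd.conf"
    printf '%s\n' 'com.ibm.ssl.protocol=TLSv1.2' > "$1/ssl.client.props"
}

D=${TMPDIR:-/tmp}/tls12audit.$$
make_samples "$D"
check_settings "$D/cq.ini" $TEPS_SETTINGS
check_settings "$D/lz.ini" $AGENT_SETTINGS || echo "lz.ini: $? setting(s) missing"
check_settings "$D/ssl.client.props" $EWAS_SETTINGS
check_httpd "$D/httpd.conf"
rm -rf "$D"
# Live use: check_settings "$CANDLEHOME/config/cq.ini" $TEPS_SETTINGS, and the
# agent list against every <pc>.ini / K<pc>ENV found on each TEMS and agent host.
```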
Troubleshooting

Trace settings for both IHS and the TEPS/eWAS

For the TEPS/eWAS, use the TEPS/e Administration Console to set the trace options for the run-time environment (these TEPS/eWAS tracing options do not have to be saved in the configuration). Here are the steps to perform against the files on the TEPS machine:

1) Edit the httpd.conf file (see IHS, step 1). Locate the LogLevel directive in the file and change the assigned value from "warn" to "debug". Save the changes to the file.
2) Edit the plugin-cfg.xml file (see Appendix B, step 8). Locate the string "
© Copyright IBM Corporation 2020
IBM United States of America
Produced in the United States of America
All Rights Reserved

The e-business logo, the eServer logo, IBM, the IBM logo, OS/390, zSeries, SecureWay, S/390, Tivoli, DB2, Lotus and WebSphere are trademarks of International Business Machines Corporation in the United States, other countries or both. Lotus, Lotus Discovery Server, Lotus QuickPlace, Lotus Notes, Domino, and Sametime are trademarks of Lotus Development Corporation and/or IBM Corporation. Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries or both. Other company, product and service names may be trademarks or service marks of others.

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS AGENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

Information in this paper as to the availability of products (including portlets) was believed accurate as of the time of publication. IBM cannot guarantee that identified products (including portlets) will continue to be made available by their suppliers. This information could include technical inaccuracies or typographical errors. Changes may be made periodically to the information herein; these changes may be incorporated in subsequent versions of the paper. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this paper at any time without notice.

Any references in this document to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
4205 South Miami Boulevard
Research Triangle Park, NC 27709
U.S.A.