For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.


Configure MobileFirst Server to enable TLS V1.2

For MobileFirst Server to communicate with devices that support only Transport Layer Security (TLS) V1.2 among the SSL protocols, we must complete the following instructions.


Overview

The steps to configure MobileFirst Server to enable Transport Layer Security (TLS) V1.2 depend on how MobileFirst Server connects to devices.



Apache Tomcat


Procedure

  1. Confirm that the Java™ Runtime Environment (JRE) supports TLS V1.2.

    Ensure that you have one of the following JRE versions:

    • Oracle JRE 1.7.0_75 or later
    • Oracle JRE 1.8.0_31 or later
  2. Edit the conf/server.xml file and modify the <Connector> element that declares the HTTPS port so that the sslEnabledProtocols attribute has the following value:

    sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"


WebSphere Application Server Liberty profile


Procedure

  1. Confirm that the Java Runtime Environment (JRE) supports TLS V1.2.
    • If we use an IBM Java SDK, ensure that our IBM Java SDK is patched for the POODLE vulnerability. We can find the minimum IBM Java SDK versions that contain the patch for our version of WebSphere Application Server in Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566).

      Note: We can use the versions that are listed in the security bulletin or later versions.

    • If we use an Oracle Java SDK, ensure that we have one of the following versions:

      • Oracle JRE 1.7.0_75 or later
      • Oracle JRE 1.8.0_31 or later
  2. If we use an IBM Java SDK, edit the server.xml file.
    1. Add the following line:

      <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL_TLSv2"/>

    2. Add the sslProtocol="SSL_TLSv2" attribute to all existing <ssl> elements.
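The following Python script is added here as an example and is not part of the IBM documentation or the product. It audits the two settings described in the Apache Tomcat and Liberty procedures: it parses a Tomcat conf/server.xml and checks that every SSL-enabled <Connector> lists TLSv1.2 in sslEnabledProtocols (and does not list SSLv3), and it parses a Liberty server.xml and checks that every <ssl> element carries sslProtocol="SSL_TLSv2". Both XML samples are constructed for illustration, not taken from a real deployment.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat conf/server.xml with one HTTPS and one plain HTTP Connector.
TOMCAT_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Constructed sample of a Liberty server.xml: one <ssl> updated per step 2, one left untouched.
LIBERTY_SERVER_XML = """<server>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL_TLSv2"/>
  <ssl id="legacySSLConfig" keyStoreRef="legacyKeyStore"/>
</server>"""

def check_tomcat(xml_text):
    """Map each SSL-enabled Connector port to (ok, reason); ok requires TLSv1.2
    present in sslEnabledProtocols and SSLv3 absent. Non-HTTPS Connectors are skipped."""
    results = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        protos = [p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()]
        if "TLSv1.2" not in protos:
            results[conn.get("port")] = (False, "TLSv1.2 missing from sslEnabledProtocols")
        elif "SSLv3" in protos:
            results[conn.get("port")] = (False, "SSLv3 still listed in sslEnabledProtocols")
        else:
            results[conn.get("port")] = (True, "TLSv1.2 enabled")
    return results

def check_liberty(xml_text):
    """Map each <ssl> element id to (ok, reason); ok requires sslProtocol="SSL_TLSv2"."""
    results = {}
    for ssl in ET.fromstring(xml_text).iter("ssl"):
        proto = ssl.get("sslProtocol")
        results[ssl.get("id")] = (proto == "SSL_TLSv2", "sslProtocol=%s" % proto)
    return results

if __name__ == "__main__":
    for name, report in (("Tomcat", check_tomcat(TOMCAT_SERVER_XML)),
                         ("Liberty", check_liberty(LIBERTY_SERVER_XML))):
        for key, (ok, reason) in report.items():
            print("%s %s: %s (%s)" % (name, key, "OK" if ok else "FIX", reason))
```

Run it against your own server.xml by replacing the sample strings with the file contents; any entry reported as FIX is a configuration the procedure above has not yet been applied to.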


WebSphere Application Server full profile


Procedure

  1. Confirm that the Java Runtime Environment (JRE) supports TLS V1.2.

    Ensure that our IBM Java SDK is patched for the POODLE vulnerability. We can find the minimum IBM Java SDK versions that contain the patch for our version of WebSphere Application Server in Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566).

    Note: We can use the versions that are listed in the security bulletin or later versions.

  2. Log in to WebSphere Application Server administrative console, and click Security > SSL certificate and key management > SSL configurations.
  3. For each SSL configuration listed, modify the configuration to enable TLS V1.2.
    1. Select an SSL configuration and then, under Additional Properties, click Quality of protections (QoP) settings.
    2. From the Protocol list, select SSL_TLSv2.
    3. Click Apply and then save the changes.