For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.

Configure MobileFirst Server to enable TLS V1.2

For MobileFirst Server to communicate with devices that support only Transport Layer Security v1.2 (TLS) V1.2, among the SSL protocols, we must complete the following instructions.

The steps to configure MobileFirst Server to enable Transport Layer Security (TLS) V1.2 depend on how MobileFirst Server connects to devices.

• If MobileFirst Server is behind a reverse proxy that decrypts SSL-encoded packets from devices before it passes the packets to the application server, we must enable TLS V1.2 support on your reverse proxy. If we use IBM® HTTP Server as your reverse proxy, see Securing IBM HTTP Server for instructions.
• If MobileFirst Server communicates directly with devices, the steps to enable TLS V1.2 depend on whether your application serveris Apache Tomcat, WebSphere® Application Server Liberty profile, or WebSphere Application Server full profile.

Parent topic: Configure MobileFirst Server

Apache Tomcat

Procedure

1. Confirm that the Java™ Runtime Environment (JRE) supports TLS V1.2.

   Ensure that you have one of the following JRE versions:

   • Oracle JRE 1.7.0_75 or later
   • Oracle JRE 1.8.0_31 or later

2. Edit the conf/server.xml file and modify the <Connector> element that declares the HTTPS port so that the sslEnabledProtocols attribute has the following value:

   sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"

WebSphere Application Server Liberty profile

Procedure

1. Confirm that the Java Runtime Environment (JRE) supports TLS V1.2.
   • If we use an IBM Java SDK, ensure that your IBM Java SDK is patched for the POODLE vulnerability. We can find the minimum IBM Java SDK versions that contain the patch for our version of WebSphere Application Server in Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566).

     Note: We can use the versions that are listed in the security bulletin or later versions.

   • If we use an Oracle Java SDK, ensure that you have one of the following versions:
     • Oracle JRE 1.7.0_75 or later
     • Oracle JRE 1.8.0_31 or later

2. If we use an IBM Java SDK, edit the server.xml file.
   1. Add the following line:

      <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="SSL_TLSv2"/>

   2. Add the sslProtocol="SSL_TLSv2" attribute to all existing <ssl> elements.

WebSphere Application Server full profile

Procedure

1. Confirm that the Java Runtime Environment (JRE) supports TLS V1.2.

   Ensure that your IBM Java SDK is patched for the POODLE vulnerability. We can find the minimum IBM Java SDK versions that contain the patch for our version of WebSphere Application Server in Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566).

   Note: We can use the versions that are listed in the security bulletin or later versions.

2. Log in to WebSphere Application Server administrative console, and click Security > SSL certificate and key management > SSL configurations.
3. For each SSL configuration listed, modify the configuration to enable TLS V1.2.
   1. Select an SSL configuration and then, under Additional Properties, click Quality of protections (QoP) settings.
   2. From the Protocol list, select SSL_TLSv2.
   3. Click Apply and then save the changes.