How To
Summary
By default IBM Workload Scheduler is configured to use SSLv3 encryption, and should be reconfigured to use TLSv1.2.
Environment
All Tivoli Workload Scheduler 8.6.0 and later workstations can be configured to use TLSv1 in place of SSLv3.
In order to enforce TLSv1.2 for Dynamic Agents, and for the IBM Workload Scheduler Engine WAS and Dynamic Workload Console WAS instances, you need the following minimum FixPack levels:
IWS 9.4.0 FixPack 01
IWS 9.3.0 FixPack 03
Steps
Dynamic Workload Console
For the Dynamic Workload Console WAS instance
1. From the DWC, launch the Admin Console, then navigate to:
Security ->
SSL certificate key management ->
SSL configurations ->
NodeDefaultSSLSettings ->
Quality of protection (QoP) settings
Change the Protocol value to TLSv1.2.
Apply and save the change.
Confirm the change is successful by connecting to the DWC using Firefox: click the green padlock, then click ">" to the right of the server name and select "More information". The Technical details section shows that the connection is encrypted and uses TLSv1.2.
If WAS Admin Console cannot be used (root user is needed to manually update):
The only file that is updated by changing the Protocol in QoP settings is security.xml.
Location: <JazzSMHome>/profile/config/cells/JazzSMNode01Cell/security.xml
Original values:
<setting xmi:id="SecureSocketLayer_JazzSMNode01_1" clientAuthentication="false" securityLevel="HIGH" enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="SSL_TLS" ...
Updated values:
<setting xmi:id="SecureSocketLayer_JazzSMNode01_1" clientAuthentication="false" securityLevel="HIGH" enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="TLSv1.2" ...
2. Edit the file ssl.client.props found in the directory JazzSM/profile/properties, and set the com.ibm.ssl.protocol parameter as follows:
com.ibm.ssl.protocol=TLSv1.2
Save the file.
Confirm that you are able to successfully stop and restart the DWC by running the following commands from the DWChome/wastools directory:
# ./stopWas.sh -direct -user DWCuser -password password
# ./startWas.sh -direct
IBM Workload Scheduler
For the IWS Engine WAS instance, the procedure is fundamentally the same.
- Launch the Admin Console (https://hostname:adminsecureport/ibm/console), then make the same change as in (1) above, except that you need to change the Protocol value for both:
NodeDefaultSSLSettings ->
Quality of Protection (QoP) settings
TWSNode/DefaultSSLSettings ->
Quality of Protection (QoP) settings
If WAS Admin Console cannot be used (root user is needed to manually update):
The only file that is updated by changing the Protocol in QoP settings is security.xml.
Location: <TWAHome>/TWA/WAS/TWSProfile/config/cells/TWSNodeCell/security.xml
For NodeDefaultSSLSettings:
Original values:
<setting xmi:id="SecureSocketLayer_TIPNode_1" clientAuthentication="false" securityLevel="HIGH" enableCryptoHardwareSupport="false" enabledCiphers="" jsseProvider="IBMJSSE2" clientAuthenticationSupported="true" sslProtocol="SSL_TLS" ...
Updated values:
<setting xmi:id="SecureSocketLayer_TIPNode_1" clientAuthentication="false" securityLevel="HIGH" enableCryptoHardwareSupport="false" enabledCiphers="" jsseProvider="IBMJSSE2" clientAuthenticationSupported="true" sslProtocol="TLSv1.2" ...
For TWSNode/DefaultSSLSettings
Original values:
<setting xmi:id="SecureSocketLayer_1268732041984" clientAuthentication="false" securityLevel="HIGH" enableCryptoHardwareSupport="false" keyStore="KeyStore_TIPNode_1" trustStore="KeyStore_TIPNode_2">
Updated values (notice that there are three new parameters added):
<setting xmi:id="SecureSocketLayer_1268732041984" clientAuthentication="false" securityLevel="HIGH" enableCryptoHardwareSupport="false" enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="TLSv1.2" keyStore="KeyStore_TIPNode_1" trustStore="KeyStore_TIPNode_2">
- Stop WAS
- Edit the ssl.client.props file in both the IWAhome/WAS/TWSProfile/properties and IWAhome/WAS/TWSProfile/temp directories, setting the parameter as in (2) above:
com.ibm.ssl.protocol=TLSv1.2
- Restart WAS
- Edit localopts and change the following parameters to:
SSL Encryption Cipher =TLSv1.2
CLI SSL cipher =TLSv1.2
Confirm the change is successful by running (the </dev/null redirect stops s_client from waiting on stdin):
$ openssl s_client -tls1_2 -connect hostname:31116 </dev/null | grep -E "Protocol|Cipher"
Substitute the port (31116) if your WAS instance is configured to listen on a different port.
Within the output, you are looking for the "Protocol" and "Cipher" entries, for example:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES128-GCM-SHA256
Note that if the Cipher returned is "0000", the TLSv1.2 connection failed; otherwise TLSv1.2 was successfully negotiated.
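The openssl check above, extended to all four protocol versions so that the downgrade paths are verified as refused, as an added example (this script is not part of the IBM document). It assumes the local openssl build accepts the -ssl3, -tls1, -tls1_1 and -tls1_2 options and takes the host and port from the command line:

```shell
# Added example, not from the IBM document: probe a listener with openssl
# s_client once per protocol version and check that only TLSv1.2 negotiates.
# Assumes the local openssl accepts -ssl3/-tls1/-tls1_1/-tls1_2 (a build with
# SSLv3 removed reports that probe as refused, which is the safe direction).

# parse_handshake: read s_client output from stdin, print "<proto> <cipher>",
# and succeed only when a cipher other than 0000 was agreed (0000 is how
# s_client reports a failed handshake, as the note above says).
parse_handshake() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    printf '%s %s\n' "${proto:-none}" "${cipher:-none}"
    if [ -n "$cipher" ] && [ "$cipher" != "0000" ]; then return 0; fi
    return 1
}

# probe HOST PORT FLAG: one handshake attempt. </dev/null stops s_client
# from waiting on stdin; stderr is dropped so only the session summary
# reaches the parser.
probe() {
    openssl s_client "$3" -connect "$1:$2" </dev/null 2>/dev/null | parse_handshake
}

# check_tls12_only HOST PORT: SSLv3, TLSv1.0 and TLSv1.1 must be refused and
# TLSv1.2 must succeed; returns 1 if any expectation is violated.
check_tls12_only() {
    rc=0
    for flag in -ssl3 -tls1 -tls1_1; do
        if result=$(probe "$1" "$2" "$flag"); then
            echo "FAIL $flag accepted ($result)"; rc=1
        else
            echo "ok   $flag refused"
        fi
    done
    if result=$(probe "$1" "$2" -tls1_2); then
        echo "ok   -tls1_2 negotiated ($result)"
    else
        echo "FAIL -tls1_2 refused ($result)"; rc=1
    fi
    return $rc
}

# usage: sh check_tls12.sh hostname 31116   (31116 is the page's example port)
if [ $# -eq 2 ]; then check_tls12_only "$1" "$2"; fi
```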
On each Fault Tolerant Agent (FTA) and Standard Agent (S-Agent):
- Edit the localopts file and set:
SSL Encryption Cipher =TLSv1.2
CLI SSL cipher =TLSv1.2
- Restart the IWS processes including netman and monman.
- Edit the file <TWAHome>/ITA/cpa/ita/ita.ini and insert the following in the [ITA SSL] section:
sslv3_cipher = NONE
tls10_cipher = NONE
tls11_cipher = NONE
tls12_cipher = DFLT
- Restart the Dynamic Agent:
$ ShutDownLwa
$ StartUpLwa
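An added audit script (not part of the IBM document) that checks the files edited in the engine, FTA and Dynamic Agent steps above for the values shown: security.xml, ssl.client.props, localopts and ita.ini. It takes file paths as arguments because <TWAHome> and <JazzSMHome> vary per installation, and it assumes each <setting> element in security.xml sits on one line, as in the excerpts above.

```shell
# Added example, not from the IBM document: audit the files this procedure
# edits and report any that still allow SSLv3 or TLS 1.0/1.1.
# Assumptions: paths are supplied by the caller, and each <setting> element
# in security.xml sits on a single line, as in the excerpts above.

# kv KEY: print the value of "KEY = value" read from stdin (last match
# wins; spaces around '=' and a trailing CR are tolerated).
kv() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | tail -n 1 | tr -d '\r'
}

# check_kv FILE KEY EXPECTED: succeeds only when KEY has the expected value.
# Used for ssl.client.props and the two localopts cipher parameters.
check_kv() {
    [ -r "$1" ] || { echo "FAIL $1: not readable"; return 1; }
    val=$(kv "$2" <"$1")
    if [ "$val" = "$3" ]; then echo "ok   $1: $2 = $val"; return 0; fi
    echo "FAIL $1: $2 = '${val:-<missing>}' (want $3)"; return 1
}

# check_security_xml FILE: every SecureSocketLayer <setting> must carry
# sslProtocol="TLSv1.2"; SSL_TLS or a missing attribute still permits SSLv3.
check_security_xml() {
    bad=$(grep -o '<setting xmi:id="SecureSocketLayer_[^>]*' "$1" \
          | grep -v 'sslProtocol="TLSv1.2"' || true)
    if [ -z "$bad" ]; then echo "ok   $1: all SSL settings use TLSv1.2"; return 0; fi
    echo "FAIL $1: settings without sslProtocol=\"TLSv1.2\":"; printf '%s\n' "$bad"
    return 1
}

# check_ita_ini FILE: the four cipher keys, read from the [ITA SSL]
# section only, must match the values given for the Dynamic Agent.
check_ita_ini() {
    rc=0
    section=$(awk '/^\[/ { s = ($0 ~ /^\[ITA SSL\][ \t\r]*$/) } s' "$1")
    for pair in sslv3_cipher=NONE tls10_cipher=NONE tls11_cipher=NONE tls12_cipher=DFLT; do
        key=${pair%%=*}; want=${pair#*=}
        val=$(printf '%s\n' "$section" | kv "$key")
        if [ "$val" = "$want" ]; then echo "ok   $1: $key = $val"
        else echo "FAIL $1: $key = '${val:-<missing>}' (want $want)"; rc=1; fi
    done
    return $rc
}

# Typical use on an engine host, with the paths given on the page:
#   check_security_xml "$TWAHome/TWA/WAS/TWSProfile/config/cells/TWSNodeCell/security.xml"
#   check_kv IWAhome/WAS/TWSProfile/properties/ssl.client.props com.ibm.ssl.protocol TLSv1.2
#   check_kv /path/to/localopts "SSL Encryption Cipher" TLSv1.2
#   check_ita_ini "$TWAHome/ITA/cpa/ita/ita.ini"
```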
Document Information
Modified date: 13 September 2019
UID: ibm10788015