Tag Archives: clm

Enable TLSv1.2 in CLM6 and LibertyProfile

By default on Liberty Profile only TLSv1 is enabled check by scanning port:

nmap –script ssl-enum-ciphers -p 9443 <hostname>

Starting Nmap 6.49BETA5 ( https://nmap.org ) at
Nmap scan report for fqdn.com (IP address)
Host is up (0.13s latency).
PORT STATE SERVICE
9443/tcp open tungsten-https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) – D
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) – A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) – C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange parameters of lower strength than certificate key
|_ least strength: D

Nmap done: 1 IP address (1 host up) scanned in 5.15 seconds

Edit the following file to enable TLSv1.2:
1. <JazzInstallationDir>/server/server.startup:

…Dcom.ibm.java.diagnostics.healthcenter.agent.port=1972″
JAVA_OPTS=”$JAVA_OPTS -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2″

Save and exit the file

2. <JazzInstallationDir>/server/liberty/servers/clm/server.xml:

<logging hideMessage=”SRVE9967W”/>

<ssl id=”defaultSSLConfig” keyStoreRef=”defaultKeyStore” sslProtocol=”SSL_TLSv2″ />

</server>

Save and exit the file

Start CLM server again and test protocols:

nmap –script ssl-enum-ciphers -p 9443 <hostname>

Starting Nmap 6.49BETA5 ( https://nmap.org ) at
Nmap scan report for fqdn.com (IP address)
Host is up (0.13s latency).
PORT STATE SERVICE
9443/tcp open tungsten-https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) – D
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) – A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) – C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange parameters of lower strength than certificate key
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) – D
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) – A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) – C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange parameters of lower strength than certificate key
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) – D
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) – A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) – A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) – A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) – C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) – A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Key exchange parameters of lower strength than certificate key
|_ least strength: D

Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds