
WebSphere TLS Clearing issues

Is TLS v1.2 supported in WebSphere Full Profile 7.0, 8.0, 8.5? What is the minimum fix pack?

Answer: TLSv1.2 is supported on 7.0.0.23 onwards, on 8.0.0.3 onwards, and on 8.5.0.0.

  • TLS v1.2 is supported in WebSphere with the following JDK versions. 7.0.0.23 ships with SDK 6, which supports TLSv1.2:
    (32-bit) pap3260sr10fp1-20120321_01(SR10 FP1)
    (64-bit) pap6460sr10fp1-20120321_01(SR10 FP1)

  • 8.0.0.3 ships with the following JDK, which supports TLSv1.2:
    SDK 6.0.1 (J9 2.6)
    (32-bit) pap3260_26sr1fp1-20120309_01(SR1 FP1)
    (64-bit) pap6460_26sr1fp1-20120309_01(SR1 FP1)

  • 8.5 ships with the following JDK, which supports TLSv1.2:
    SDK 6.0.1 (J9 2.6)
    (32-bit) pap3260_26sr2ifix-20120419_02(SR2+IV19661)
    (64-bit) pap6460_26sr2ifix-20120419_02(SR2+IV19661)

This change allows TLS 1.1 and 1.2 to be configured at the web server plugin in 8.0 and later on distributed platforms.

  • TLS 1.1 and 1.2 are not supported on z/OS at this time.
  • Although this APAR is listed in 7.0 fix packs, 7.0 does not support TLS 1.1 and TLS 1.2 because it uses GSKit V7.

WAS

Click Security > SSL configurations and open CellDefaultSSLSettings, NodeDefaultSSLSettings and any other SSL configuration in use.

1. Select each SSL configuration described above, then click Quality of protection (QoP) settings under Additional Properties.

2. On the **Quality of protection (QoP) settings** panel, select TLSv1.2 from the Protocol pull-down list.

3. Update ssl.client.props.
This must be done for each **ssl.client.props** file under the following directories:
For a node, for example WAS_install\profiles\AppSrv01\properties
For the DMGR, for example WAS_install\profiles\Dmgr01\properties

 **com.ibm.ssl.protocol=TLSv1.2**

Do this before restarting: syncNode.sh and the other admin clients read ssl.client.props, and with the old value they cannot connect to a DMGR that now accepts only TLSv1.2.

4. stopNode.sh && stopManager.sh

5. startManager.sh

6. syncNode.sh dmgrhostname dmgrsoapport -username userid -password password

7. startNode.sh

8. Check the protocol: openssl s_client -connect webspherehostname:9443 -tls1_2
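As an added example (not from the original post), the following POSIX shell functions script steps 3 and 8 of the procedure above: one rewrites com.ibm.ssl.protocol in every profile's ssl.client.props, the other probes the listener with openssl s_client once per protocol version so the result of step 2 can be confirmed (after the change only -tls1_2 should report a negotiated protocol). The WAS_HOME and WAS_HOST variables, the profiles/*/properties layout and port 9443 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: script the ssl.client.props
# update and the openssl s_client verification. WAS_HOME, WAS_HOST and the
# profile layout below are assumptions.

# set_client_protocol <ssl.client.props> <protocol>
# Replaces an existing com.ibm.ssl.protocol line or appends one, then prints
# the value now in the file so the caller can check it.
set_client_protocol() {
    file=$1; proto=$2
    if grep -q '^com\.ibm\.ssl\.protocol=' "$file"; then
        # write to a temp file and rename: portable across sed variants
        sed "s/^com\.ibm\.ssl\.protocol=.*/com.ibm.ssl.protocol=$proto/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'com.ibm.ssl.protocol=%s\n' "$proto" >> "$file"
    fi
    sed -n 's/^com\.ibm\.ssl\.protocol=//p' "$file"
}

# set_all_client_protocols <WAS_HOME> <protocol>
# Applies the change to every profile (Dmgr01, AppSrv01, ...), which is what
# step 3 requires: one file per profile, not just the node's.
set_all_client_protocols() {
    root=$1; proto=$2
    for f in "$root"/profiles/*/properties/ssl.client.props; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$f" "$(set_client_protocol "$f" "$proto")"
    done
}

# negotiated_protocol: reads openssl s_client output on stdin and prints the
# "Protocol  : TLSv1.2" value from the SSL-Session block, or "none" when no
# session was established (handshake refused, or the version flag unsupported).
negotiated_protocol() {
    p=$(sed -n 's/^ *Protocol *: *//p' | head -n 1)
    printf '%s\n' "${p:-none}"
}

# probe_protocols <host> <port>
# Tries each protocol version against the listener and reports what it accepts.
probe_protocols() {
    host=$1; port=$2
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        got=$(openssl s_client -connect "$host:$port" "$flag" < /dev/null 2>/dev/null | negotiated_protocol)
        printf '%-8s -> %s\n' "$flag" "$got"
    done
}

# Usage: both steps run only when the variables are set, so the functions can
# be sourced without side effects.
if [ -n "${WAS_HOME:-}" ]; then set_all_client_protocols "$WAS_HOME" TLSv1.2; fi
if [ -n "${WAS_HOST:-}" ]; then probe_protocols "$WAS_HOST" 9443; fi
```

A current OpenSSL build may reject the -ssl3 flag outright; the probe then reports "none" for it, which is the same answer a hardened listener gives, so read that row as "not negotiable" rather than as a server-side result.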

WEB

Update httpd.conf, inside the SSL VirtualHost:

SSLProtocolEnable TLSv12
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11

Plugin

Why do I receive a GSK_ERROR_SOCKET_CLOSED (gsk rc = 420) error when WebSphere Application Server and IBM HTTP Server are configured to use TLSv1.2? Answer: you need StrictSecurity="true" in plugin-cfg.xml for TLSv1.2 to work. For more details see the following link.

## Creating a self-signed certificate with openssl

Test Environment

  • Test OS : CentOS 7.2
  • Test Version : apache

### Command line

# Generate a 2048-bit RSA private key, encrypted with a passphrase (-des3)
[root@lopdzmb-web01 test]# openssl genrsa -des3 -out test.vn.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
e is 65537 (0x10001)
Enter pass phrase for test.vn.key:
140564056057760:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for test.vn.key:
Verifying - Enter pass phrase for test.vn.key:

The error line appears when the passphrase typed is shorter than 4 characters; openssl simply prompts again.

# Create the certificate signing request (CSR)
[root@lopdzmb-web01 test]# openssl req -new -key test.vn.key -out test.vn.csr
Enter pass phrase for test.vn.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:VN
State or Province Name (full name) []:Hanoi
Locality Name (eg, city) [Default City]:lotte
Organization Name (eg, company) [Default Company Ltd]:admin
Organizational Unit Name (eg, section) []:admin
Common Name (eg, your name or your server's hostname) []:*.test.vn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Admin12#$
An optional company name []:Admin12#$

# Remove the passphrase from the private key (so httpd can start unattended)
[root@lopdzmb-web01 test]# cp test.vn.key test.vn.key.old
[root@lopdzmb-web01 test]# openssl rsa -in test.vn.key.old -out test.vn.key
Enter pass phrase for test.vn.key.old:
writing RSA key

test.vn.key is now stored unencrypted, so restrict it to root (chmod 600) and keep it out of the DocumentRoot; the encrypted copy test.vn.key.old is no longer needed once the server starts.

# Generate the self-signed certificate (valid 365 days)
[root@lopdzmb-web01 test]# openssl x509 -req -days 365 -in test.vn.csr -signkey test.vn.key -out test.vn.crt
Signature ok
subject=/C=VN/ST=Hanoi/L=lotte/O=admin/OU=admin/CN=*.test.vn
Getting Private key

# Check the private key
[root@lopdzmb-web01 test]# cat test.vn.key | head -3
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA9JYu6T71jmxqeu3rKhDL73sojqBSXJlmODPT3wEcdkoJwUl7
KwyUN+98KhWkbxBKX8slvaGmOPU6IBQAam2vXJf9mpbREfMPjYAE4MaSs5G1sjiP

# Check the CSR
[root@lopdzmb-web01 test]# cat test.vn.csr | head -3
-----BEGIN CERTIFICATE REQUEST-----
MIIC3jCCAcYCAQAwZTELMAkGA1UEBhMCVk4xDjAMBgNVBAgMBUhhbm9pMQ4wDAYD
VQQHDAVsb3R0ZTEOMAwGA1UECgwFYWRtaW4xDjAMBgNVBAsMBWFkbWluMRYwFAYD

# httpd.conf settings
SSLEngine on
  • SSLCertificateFile /etc/httpd/conf/test.vn.crt
  • SSLCertificateKeyFile /etc/httpd/conf/test.vn.key
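The same key, CSR and self-signed certificate flow, run non-interactively so it can be scripted, together with the checks worth running before the files are referenced from httpd.conf. This is an added example, not part of the original post. It goes beyond the post in one respect: it adds a subjectAltName with the wildcard and the bare domain, because modern clients match host names against the SAN and ignore the CN. The output directory (CERT_DIR), the DN values copied from the session above and the *.test.vn name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: non-interactive version of the
# key -> CSR -> self-signed certificate procedure plus post-generation checks.
# CERT_DIR, the DN values and the host name are assumptions.

# make_self_signed <dir> <name> <cn> <days>
# Writes <dir>/<name>.key (unencrypted, mode 0600), <name>.csr and <name>.crt.
make_self_signed() {
    dir=$1; name=$2; cn=$3; days=$4
    key=$dir/$name.key; csr=$dir/$name.csr; crt=$dir/$name.crt

    # 2048-bit RSA key written without a passphrase (the post's "genrsa -des3"
    # followed by "openssl rsa" ends in the same state) so httpd can start
    # unattended. That is exactly why the file must be readable by root only.
    (umask 077; openssl genrsa -out "$key" 2048 2>/dev/null)
    chmod 600 "$key"

    # CSR with the DN passed on the command line instead of the prompts.
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=VN/ST=Hanoi/L=lotte/O=admin/OU=admin/CN=$cn"

    # Extension file for the certificate: SAN with the CN and, for a wildcard
    # CN such as *.test.vn, the bare domain as well.
    san="DNS:$cn"
    case $cn in \*.*) san="$san,DNS:${cn#\*.}" ;; esac
    printf 'subjectAltName=%s\n' "$san" > "$dir/$name.ext"

    # Self-signed certificate, valid <days> days, with the SAN attached.
    openssl x509 -req -days "$days" -in "$csr" -signkey "$key" -out "$crt" \
        -extfile "$dir/$name.ext" 2>/dev/null
}

# key_is_unencrypted <key>: succeeds when the PEM has no ENCRYPTED header,
# i.e. httpd will not stop at a passphrase prompt during start-up.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# cert_subject_cn <crt>: prints the CN from the certificate subject; works with
# both the old "/CN=" and the newer "CN = " subject output formats.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_matches_key <crt> <key>: succeeds when the certificate carries this
# key's public key, which catches a crt/key mix-up in httpd.conf before restart.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_has_san <crt> <dnsname>: succeeds when the SAN extension lists the name.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# Usage (CERT_DIR is an assumed path): build the files, then run the checks.
if [ -n "${CERT_DIR:-}" ]; then
    make_self_signed "$CERT_DIR" test.vn '*.test.vn' 365
    key_is_unencrypted "$CERT_DIR/test.vn.key" && echo "key: no passphrase"
    echo "CN: $(cert_subject_cn "$CERT_DIR/test.vn.crt")"
    cert_matches_key "$CERT_DIR/test.vn.crt" "$CERT_DIR/test.vn.key" && echo "cert/key: match"
    cert_has_san "$CERT_DIR/test.vn.crt" test.vn && echo "SAN: test.vn present"
fi
```

The checks are the ones that matter on a web server: a passphrase-protected key blocks an unattended restart, a certificate issued for a different key makes httpd fail at start-up, and a missing SAN makes every current browser reject the site even though the CN looks right.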


SSL Setting


  • Test OS : CentOS 7.2
  • Test Version : IBM HTTPServer v8.5, WebSphere v8.5

  1. httpd.conf changes

    Location: F:\IBM\HTTPServer\conf

    File: \httpd.conf

    Change: uncomment the SSL configuration section
### SSL Module Start ###
NameVirtualHost 211.1.1.1:80
NameVirtualHost 211.1.1.1:443

LoadModule ibm_ssl_module     modules/mod_ibm_ssl.so
Listen 443

<VirtualHost ad1.test.com:80>
#    ServerAdmin webmaster@dummy-host.example.com
     DocumentRoot "C:/IBM/HTTPServer/htdocs"
     ServerName ad1.test.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
</VirtualHost>

<VirtualHost ad1.test.com:443>
     SSLEnable
     SSLClientAuth none
     DocumentRoot "C:/IBM/HTTPServer/htdocs"
     ServerName ad1.test.com
</VirtualHost>

SSLDisable
Keyfile "C:/IBM/kera.kdb"

# End of example SSL configuration

In IBM HTTP Server, which of the weak protocols are disabled by default depends on the version, so do not rely on the default: disable SSLv2, SSLv3, TLSv10 and TLSv11 explicitly with SSLProtocolDisable and enable TLSv12 with SSLProtocolEnable, as shown in the WEB section above.

  2. Issue a certificate with ikeyman
  • If a certificate has already been issued, use that certificate
  3. Add the virtual host in the admin console
  • Log in to the admin console and register the added port at the following location

    Location: Virtual hosts > default_host > Host aliases

    Content: register port 443 on the existing virtual host
  4. Restart the web server

Check the conf for errors with apachectl -t, then start the server.
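The WEB section above gives the two directives that pin an SSL virtual host to TLSv12, and this section notes that the defaults vary by IHS version. The following lint, added here and not part of the original post, walks an httpd.conf and reports every VirtualHost that contains SSLEnable but does not explicitly disable SSLv2, SSLv3, TLSv10 and TLSv11 and enable TLSv12. It is a single-pass awk script, so SSLProtocolDisable/SSLProtocolEnable lines at server level count only when they appear before the VirtualHost; the IHS_CONF path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: lint an IBM HTTP Server
# httpd.conf for SSL virtual hosts that still accept weak protocols.
# IHS_CONF (the file to check) is an assumption.

# check_ssl_vhosts <httpd.conf>
# Prints one line per VirtualHost that contains SSLEnable:
#   "<vhost> OK"          SSLv2/SSLv3/TLSv10/TLSv11 disabled and TLSv12 enabled
#   "<vhost> WEAK: ..."   the protocols still missing from SSLProtocolDisable,
#                         and a note when TLSv12 is not enabled
# Directives outside any VirtualHost are treated as server-wide defaults, but
# only if they precede the VirtualHost in the file (single pass).
check_ssl_vhosts() {
    awk '
    /^[ \t]*<VirtualHost/ {
        inv = 1; ssl = 0; d = ""; e = ""
        name = $0
        sub(/^[ \t]*<VirtualHost[ \t]+/, "", name)
        sub(/>.*$/, "", name)
    }
    /^[ \t]*SSLEnable/          { if (inv) ssl = 1 }
    /^[ \t]*SSLProtocolDisable/ { if (inv) d = d " " $0; else gd = gd " " $0 }
    /^[ \t]*SSLProtocolEnable/  { if (inv) e = e " " $0; else ge = ge " " $0 }
    /^[ \t]*<\/VirtualHost>/ {
        if (inv && ssl) {
            dis = gd d; en = ge e; missing = ""
            n = split("SSLv2 SSLv3 TLSv10 TLSv11", weak, " ")
            for (i = 1; i <= n; i++)
                if (index(dis, weak[i]) == 0) missing = missing " " weak[i]
            if (index(en, "TLSv12") == 0) missing = missing " (TLSv12 not enabled)"
            print name (missing == "" ? " OK" : " WEAK:" missing)
        }
        inv = 0
    }' "$1"
}

# Usage: run it before "apachectl -t", which checks syntax but not policy.
if [ -n "${IHS_CONF:-}" ]; then
    check_ssl_vhosts "$IHS_CONF"
fi
```

apachectl -t only proves the file parses; a VirtualHost that was uncommented with the protocol lines left out passes it and still offers SSLv3, which is what this check flags.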