TLS 1.0 support in ACE 11.0.0.4
aurobindadev
Posted: Sun Sep 29, 2019 10:17 am Post subject: TLS 1.0 support in ACE 11.0.0.4
Newbie
Joined: 29 Sep 2019 Posts: 2 Location: London, UK
Hi All,
In one of the recent engagements, the customer is migrating IIB v9 to ACE v11 fix pack 4 (11.0.0.4). The ACE 11.0.0.4 default TLS protocol is TLS 1.2, but there are certain REST applications that are yet to migrate from TLS 1.0 to TLS 1.2.
Hence the customer is looking for workaround options to enable TLS 1.0 support for an interim period.
When I looked at the Knowledge Center, previous versions of IIB such as v10 and v9 can achieve this using the sslProtocol property at node or server level. For example, at node level in IIB v10, if I run mqsireportproperties:
Code:
C:\Program Files\IBM\IIB\10.0.0.15>mqsireportproperties TESTNODE_amahapatra -b httplistener -o HTTPSConnector -n sslProtocol
TLS
BIP8071I: Successful command completion.
Now if I try the same in ACE 11.0.0.4:
Code:
C:\Program Files\IBM\ACE\11.0.0.4>mqsireportproperties ACENODE01 -b httplistener -o HTTPSConnector -n sslProtocol
BIP8829E: Invalid property name 'sslProtocol' specified.
Property names must be valid XML element or XML attribute names.
Correct and reissue the command.
When I went through the Knowledge Center, I found out that this workaround of setting the TLS protocol is possible using IBM JSSE, as mentioned in the following link:
Code:
com.ibm.jsse2.overrideDefaultProtocol=<option>
Where <option> sets the default enabled protocol to one of the following values:
SSLv3: sets SSL V3.0 (See Note)
SSL_TLS: sets SSL V3.0 (See Note) and TLS 1.0
SSL_TLSv2: sets SSL V3.0 (See Note), TLS 1.0, TLS 1.1, and TLS 1.2
TLS: sets TLS 1.0
TLSv1: sets TLS 1.0
TLSv11: sets TLS 1.1
TLSv12: sets TLS 1.2
If a value is not set, the system default SSL protocol is used.
Could someone please share their experience of how the TLS protocol could be downgraded from TLS 1.2 to TLS 1.0 in ACE 11.0.0.4?
If this question has already been answered, apologies and please guide me in the right direction.
Thanks!
fjb_saper
Posted: Sun Sep 29, 2019 11:35 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20729 Location: LI,NY
There is no reason why TLS1.1 and below should be supported at all in ACE11. TLS1.1 is deprecated and the only cryptographic algorithms that should be allowed are those of TLS1.2 and above.
The question you should ask yourself is not how do I downgrade to a lower version of TLS, but how do I upgrade the clients to work with TLS 1.2 and above...
_________________
MQ & Broker admin
aurobindadev
Posted: Sun Sep 29, 2019 11:42 am Post subject:
Newbie
Joined: 29 Sep 2019 Posts: 2 Location: London, UK
I completely agree, and the customer is aware of the fact that they need to upgrade the clients to TLS 1.2. They are just reviewing all options to take an informed decision.
My question is rather on the technical side: whether downgrading the TLS version is supported or not. If it is supported in ACE, how to achieve it using OOTB features rather than setting a system variable using IBM JSSE.
This feature is allowed in IIB v10 using the sslProtocol property, but I am unable to find that property in ACE v11, or I may be looking at the wrong place.
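
Whichever property ends up controlling the HTTPS listener, the protocol versions it actually accepts can be checked from outside with one pinned handshake per version. This is an added example, not part of the original thread or of IBM's tooling; the function names are illustrative, host and port come from the command line, and it assumes the local Python/OpenSSL build can still offer TLS 1.0 and 1.1.

```python
import socket
import ssl
import sys
import warnings

# Versions to offer, one handshake each. TLS 1.0 and 1.1 are the deprecated ones.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
DEPRECATED = ("TLSv1.0", "TLSv1.1")


def probe_version(host, port, version, timeout=5.0):
    """One pinned handshake: accepted / rejected / unreachable / unsupported-locally."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the negotiated version is of
    ctx.verify_mode = ssl.CERT_NONE  # interest here, not the peer's identity
    try:
        # Default OpenSSL security levels often block TLS 1.0/1.1; level 0 offers them.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "unsupported-locally"
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "accepted" if tls.version() else "rejected"
    except (ssl.SSLError, OSError):
        return "rejected"
    finally:
        sock.close()


def audit_listener(host, port):
    """Return ({version: outcome}, [deprecated versions the listener accepted])."""
    results = {n: probe_version(host, port, v) for n, v in VERSIONS.items()}
    return results, [n for n in DEPRECATED if results[n] == "accepted"]


if __name__ == "__main__":
    results, deprecated = audit_listener(sys.argv[1], int(sys.argv[2]))
    print(results, "deprecated versions accepted:", deprecated or "none")
```

An "accepted" result for TLSv1.0 or TLSv1.1 means the listener still negotiates a deprecated version; "unsupported-locally" means the probing machine could not offer that version, so the result says nothing about the listener.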