Using TLS 1.2 only configuration with IBM Connections 5.5


IBM released the “How to Force IBM Connections 5.5 CR1 to Use TLSv1.2” Technote about four months ago (the Technote has since been removed; you will now find the content here). Around that time I started trying to get a full-blown Connections environment working with a TLS 1.2 only configuration, mainly because of an issue with the RTE widget (see Ben’s blog post for more information). Unfortunately, some other components did not work as expected either. After some analysis we decided to open a handful of PMRs. Ben posted a second blog post with more details about the issues. In this post I would like to give an update and some more information about the problems and possible solutions.

Connections itself

To use TLS 1.2 only with Connections, you need the following:

  • Connections 5.5 CR1 or CR2
  • WebSphere Application Server 8.5.5.8 (or 8.5.5.9)
  • Configure WebSphere and Connections as described in the Technote / Knowledge Center article
  • Apply LO89164 (which fixes the RTE widget issue; it is included in CR2)

If you are using the Typeahead search (Solr), make sure that its JRE supports TLS 1.2. Depending on the JRE version, TLS 1.2 may have to be enabled explicitly for outbound connections; on IBM Java 7, for example, the client side is switched on with the system property com.ibm.jsse2.overrideDefaultTLS=true. After the change, verify from the outside that TLS 1.0 and 1.1 handshakes are actually refused rather than trusting the configuration alone.
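The following script is an added example for this post (it is not code from the original post or from IBM). It performs one handshake per protocol version, pinned to exactly that version, against an endpoint and reports which versions the server accepts; the host names and ports in the main block are assumptions and should be replaced with your IHS front end and WAS secure port. It distinguishes a server refusal from the case where the probing machine's own OpenSSL is unwilling to offer TLS 1.0, which otherwise produces a false "refused".

```python
"""Probe which TLS protocol versions a Connections endpoint still accepts.

Added example (not from the original post or from IBM): once WebSphere, IHS
and the Solr JRE are locked to TLS 1.2, check from the outside that TLS 1.0
and 1.1 are refused. Host names and ports in the main block are assumptions.
"""
import socket
import ssl

# Protocol versions to try, one pinned handshake each.
PROTOCOLS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_version(host, port, version, timeout=5.0):
    """Attempt a single handshake pinned to one protocol version.

    Returns (accepted, detail). A refusal is (False, reason); the reason
    tells a local client-side limit ("no protocols available": this
    machine's OpenSSL will not even offer the version) apart from the
    server rejecting it (typically a handshake failure alert).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol policy, not the chain
    try:
        ctx.minimum_version = version  # set min before max so min <= max holds
        ctx.maximum_version = version
    except ValueError as exc:
        return False, "client cannot offer this version: %s" % exc
    try:
        # Modern OpenSSL refuses legacy versions at its default security
        # level; lower it so the server, not this client, makes the decision.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # library without security levels; keep its default cipher list
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLError as exc:  # before OSError: SSLError is a subclass of it
        return False, exc.reason or str(exc)
    except OSError as exc:
        return False, "connect: %s" % exc


def probe_host(host, port):
    """Run every pinned probe against one endpoint."""
    return {name: probe_version(host, port, ver) for name, ver in PROTOCOLS.items()}


def is_tls12_only(results):
    """True only when TLSv1.2 handshakes and every older version is refused."""
    accepted = {name for name, (ok, _detail) in results.items() if ok}
    return accepted == {"TLSv1.2"}


if __name__ == "__main__":
    # Assumed endpoints: the IHS front end and the WAS secure port.
    for host, port in (("connections.example.com", 443),
                       ("connections.example.com", 9443)):
        results = probe_host(host, port)
        for name, (ok, detail) in results.items():
            print("%s:%d %-7s %s (%s)" % (host, port, name,
                                          "ACCEPTED" if ok else "refused", detail))
        print("%s:%d TLS 1.2 only: %s" % (host, port, is_tls12_only(results)))
```

Run it against every TLS listener in the deployment, not only port 443: the WAS secure ports, the Solr port used by Typeahead and any Docs or FileNet endpoint each have their own configuration and can drift independently.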

Community Catalog

I found an issue related to the Community catalog seedlist URL. With TLS 1.2 only, Communities is unable to retrieve the seedlist, which prevents the application from updating the catalog. I opened a PMR (59299,021,724) for this issue, but it is still not solved. Please let me know if you have the same issue.

As a workaround, use “https://localhost” as the catalog seedlist URL. This forces Connections to use an internal (local) call instead of an outbound HTTP request. This configuration also works in multi-node environments.

Textbox.io

CR1

With TLS 1.2 only enabled, the Textbox.io spellchecking service no longer works. Ephox and IBM analyzed the issue and provided a fixed version; refer to PMR 58877,021,724 to get the fixed Textbox.io spellchecking version. Read the documentation that comes with it, because the allowed-origins configuration has to be set up again.

CR2

The fixes are included in the editor version shipped with CR2; the spell checking service works as usual.

Surveys

CR1

The Forms Experience Builder version deployed with Connections 5.5 is unable to connect to the Connections directory service over TLS 1.2. IBM built a fixed version; refer to PMR 58885,021,724 to get it. Read the documentation that comes with it, because the widgets have to be reconfigured (the context root changes with the new version).

CR2

The Connections Surveys version delivered with CR2 fixes the TLS 1.2 issue. Unfortunately, there seem to be some other problems related to access management. I created a PMR and IBM is working on it.

Connections Content Manager

The Connections Content Manager widget itself works without any problem, but I am unable to connect to my environment with the FileNet Configuration Manager, which is needed for the installation and for any update. After some debugging I found that the Config Manager forces a TLS 1.0 connection, which is no longer possible. I opened a PMR (58886,021,724) for this issue, but it is still not solved. Please let me know if you have the same problem. FileNet Config Manager will support TLS 1.2 in a future version, and that version may also be supported by Connections in the future. Meanwhile, you can either reconfigure the QoP settings temporarily while using the Config Manager, or keep “SSL_TLSv2” as the QoP setting the whole time. Be aware that SSL_TLSv2 enables SSLv3 through TLS 1.2, so it re-opens SSLv3 (and with it POODLE) as well as TLS 1.0, which is exactly what this exercise is meant to remove. If you go that way, limit it to the maintenance window and set the QoP back to TLSv1.2 as soon as the Config Manager run is finished.

Docs

With TLS 1.2 only enabled you will be unable to publish new document versions. Currently there is no fixed version available. A workaround is to exclude /docs from the SSL redirect in your IHS configuration, so that Docs uses a non-SSL connection. Be aware of what that means: everything under /docs, the document content as well as whatever authentication cookies the browser sends for that host, then travels over cleartext HTTP. Treat it as a stop-gap and remove the exclusion as soon as a fixed Docs version is available.
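The script below is an added example (not code from the original post or from IBM) that audits an IHS httpd.conf for two things this post touches: whether every SSL-enabled VirtualHost disables SSLv2, SSLv3, TLSv10 and TLSv11 through the IHS SSLProtocolDisable directive, as the Technote requires, and which paths a RewriteCond exempts from the HTTP-to-HTTPS redirect, such as the /docs exclusion just described, since those paths are exactly the ones left on cleartext HTTP. The sample configurations embedded in the script are constructed for the demo, and the parser is deliberately simple: it treats every RewriteCond inside a VirtualHost as belonging to that host's https redirect.

```python
"""Audit an IBM HTTP Server httpd.conf for the TLS 1.2-only settings.

Added example, not code from the original post or from IBM. Checks:
  * every SSL-enabled <VirtualHost> disables SSLv2, SSLv3, TLSv10 and
    TLSv11 (IHS directive SSLProtocolDisable);
  * which paths a RewriteCond carves out of the HTTP->HTTPS redirect,
    because those paths stay on cleartext HTTP.
SAMPLE_CONF and WEAK_CONF are constructed for the demo.
"""
import re
import sys

LEGACY = ("SSLv2", "SSLv3", "TLSv10", "TLSv11")
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

SAMPLE_CONF = """
# constructed sample: the /docs workaround from the post, TLS 1.2 only on 443
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/docs
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEnable
    SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
    SSLServerCert default
</VirtualHost>
"""

WEAK_CONF = """
# constructed sample: SSL enabled but no protocol restriction at all
<VirtualHost *:443>
    SSLEnable
    SSLServerCert default
</VirtualHost>
"""


def directives(block):
    """Yield (name, args) for every non-comment directive line in a block."""
    for line in block.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def audit(conf_text):
    """Return {"missing_disables": {vhost: [tokens]}, "cleartext_paths": [..]}."""
    report = {"missing_disables": {}, "cleartext_paths": []}
    for match in VHOST_RE.finditer(conf_text):
        name, block = match.group(1).strip(), match.group(2)
        ssl_enabled = False
        disabled = set()
        exempt = []
        redirects_to_https = False
        for key, args in directives(block):
            if key == "sslenable":
                ssl_enabled = True
            elif key == "sslprotocoldisable":
                disabled.update(a.upper() for a in args)
            elif key == "rewritecond" and len(args) >= 2 and args[0] == "%{REQUEST_URI}":
                # A negated pattern like "!^/docs" exempts that path prefix.
                if args[1].startswith("!^"):
                    exempt.append(args[1][2:])
            elif key == "rewriterule" and any(a.startswith("https://") for a in args):
                redirects_to_https = True
        if ssl_enabled:
            missing = [v for v in LEGACY if v.upper() not in disabled]
            if missing:
                report["missing_disables"][name] = missing
        if redirects_to_https and not ssl_enabled:
            report["cleartext_paths"].extend(exempt)
    return report


if __name__ == "__main__":
    # Usage: audit_ihs.py /opt/IBM/HTTPServer/conf/httpd.conf (path is an assumption)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    result = audit(text)
    for vhost, tokens in result["missing_disables"].items():
        print("VirtualHost %s still allows: %s" % (vhost, ", ".join(tokens)))
    for path in result["cleartext_paths"]:
        print("cleartext HTTP still served for: %s" % path)
    if not result["missing_disables"] and not result["cleartext_paths"]:
        print("TLS 1.2 only on every SSL VirtualHost, no redirect exemptions")
```

Run it against the real httpd.conf and against any files it Includes; the point of the cleartext_paths list is that every exemption you add for a broken component (here /docs) should be reviewed again when the corresponding fix arrives.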

To avoid further issues with a TLS 1.2 only configuration, install at least Docs 2 CR1 iFix 7.

Updated on 16/11/09:

  • Included PMR number for the community catalog issue
  • Included PMR number for the CCM/FileNet ConfigMgr issue
  • Included information about Typeahead search

Update on 16/11/11:

  • Included CR2 information

Update on 16/12/05:

  • Included Community Catalog fix

Update on 16/12/07:

  • Included information about possible TLS 1.2 support in a future version of FileNet Config Manager

Update on 17/02/01:

  • Included Docs issues
  • Included new Technote/Knowledge Center link

Update on 17/04/13:

  • Included Docs 2 CR1 iFix 7


7 thoughts on “Using TLS 1.2 only configuration with IBM Connections 5.5”

  1. Hi, I saw your blog and wanted to let you know that I was able to resolve the publish issue with TLSv1.2 in Docs. There is an additional step necessary in the WAS configuration for TLS 1.2 with Docs.

    https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_transition_sp300.html
    Note: In step 3, select Strict, not transition.
    In step 17b, update ssl.client.props and set com.ibm.websphere.security.FIPSLevel=SP800-131.

    Those test steps require all SSL certificates to be at least SHA256. In my environment the IHS server’s certificate was lower than that, so I had to update my IHS certificates as well. When I did, I chose a certificate 4096 in size, which caused issues in Connections, and I needed to apply the Unrestricted JCE policy file as detailed in the following technote:

    http://www-01.ibm.com/support/docview.wss?uid=swg21663373

    Not sure if you will run into this, but thought I’d pass it along just in case. Let me know if you run into any issues with this. Great write up on all the steps and fixes needed, I should have written that all up a long time ago.
    Thanks,
    Charlie

      1. Hi Nico, another update. Using strict FIPS is a bit of an overkill for this issue, so the Docs team has developed a fix. It seems to be working well, so you should be able to open a PMR and get the fix. It should be available; if you mention my name in the PMR I can help get the fix to you if needed.
        Thanks,
        Charlie

  2. With IC55CR3 and Docs 2.0 CR2, these are my findings.

    There are still two pending technotes related to IC55 and enforcing TLS 1.2:

    LO92688: COMMUNITY CATALOG ERRORS WITH TLS 1.0 DISABLED (IC 5.5)

    http://www.ibm.com/support/docview.wss?uid=swg1LO92688&myns=swglotus&mynp=OCSSYGQH&mync=R&cm_sp=swglotus-_-OCSSYGQH-_-R

    LO92648: URL PREVIEWER NOT SUPPORTING WHEN TLS1.0 DISABLED

    https://www-304.ibm.com/support/entdocview.wss?uid=swg1LO92648&myns=swglotus&mynp=OCSSYGQH&mync=R&cm_sp=swglotus-_-OCSSYGQH-_-R

    The rest of the functionality of Connections seems to work okay, including polls & surveys (running the version as required for CR2).

    For Docs CR2, you require at least iFix001 to get TLS 1.2 support.

    http://www-01.ibm.com/support/docview.wss?uid=swg22002672
