IBM released the “How to Force IBM Connections 5.5 CR1 to Use TLSv1.2” Technote about 4 months ago (the Technote was removed; you will now find it here). Around this time, I started trying to get a full-blown Connections environment working with a TLS 1.2-only configuration, mainly because of an issue with the RTE widget (see Ben’s blog post for more information). Unfortunately, some other stuff wasn’t working as expected. After some analysis, we decided to create a handful of PMRs. Ben posted a second blog post with some more details about the issues. In this post, I would like to provide an update and some more information about the problems and possible solutions.
To use TLS 1.2 only with Connections, you need the following:
- Connections 5.5 CR1 or CR2
- WebSphere Application Server 18.104.22.168 (or 22.214.171.124)
- Configure WebSphere and Connections as described in the
- Apply LO89164 (which solves the RTE Widget issue; it is included in CR2)
If you are using the Typeahead search (Solr), please make sure to use a JRE which supports TLS 1.2. Depending on your JRE version, you may need to enable TLS 1.2.
I found an issue related to the Community catalog seedlist URL. When using TLS 1.2 only, Communities is unable to retrieve the seedlist, which prevents the application from updating the catalog.
I opened a PMR (59299,021,724) for this issue but it’s still not solved. Please let me know if you have the same issue.
To fix this issue, you should use “https://localhost” as the catalog seedlist URL. This will force Connections to use an internal call which isn’t HTTP based. This configuration will also work in multi-node environments.
When enabling TLS 1.2 only, the Textbox.io spellchecking service will not work anymore. Ephox and IBM analyzed the issue and provided a fixed version. Please refer to PMR 58877,021,724 to get the fixed Textbox.io spellchecking version. Please have a look at the provided documentation, because you need to reconfigure the allowed origins configuration.
The fixes are included in the Editor version which is provided with CR2. The spell checking service is working as usual.
The Forms Experience Builder version which is deployed with Connections 5.5 is unable to connect to the Connections directory service using TLS 1.2. IBM built a fixed version. Please refer to PMR 58885,021,724 to get the fixed FEB version. Please have a look at the provided documentation, because you need to reconfigure the widgets (the context root is changed with the new version).
The Connections Surveys version which is delivered with CR2 fixes the TLS 1.2 issue. Unfortunately, it seems that there are some other problems related to access management. I created a PMR and IBM is working on this.
Connections Content Manager
The Connections Content Manager widget itself is working without any problem. But I’m unable to connect to my environment using the FileNet Configuration Manager, which is needed for the installation and any updates. After some debugging, I realized that the Config Manager forces a TLS 1.0 connection, which is not possible anymore.
I opened a PMR (58886,021,724) for this issue, but it’s still not solved. Please let me know if you have the same problem. FileNet Config Manager will support TLS 1.2 in future versions. This version may also be supported by Connections in the future. Meanwhile, you could reconfigure the QoP settings while using the Config Manager, or use “SSL_TLSv2” as the QoP setting the whole time (this will also enable SSLv3!).
When enabling TLS 1.2 only, you will be unable to publish new versions. Currently, there is no fixed version available. A solution would be to exclude /docs from your SSL redirect within your IHS configuration. In this case, Docs will use a non-SSL connection.
Please install at least Docs 2 CR1 iFix 7 to prevent issues related to a TLS 1.2 only configuration.
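To confirm that an endpoint really is TLS 1.2 only, and to see why a client that forces TLS 1.0 (like the Config Manager above) can no longer connect, the following added example offers one protocol version at a time and reports which ones the server accepts. It is not code from the original post or from IBM; the function names are this example's own, and the host you pass to `scan()` is whatever front end (IHS or WebSphere port) you want to check.

```python
import socket
import ssl
import warnings

# Versions probed, oldest first; a TLS 1.2-only endpoint accepts only the last.
VERSIONS = [("TLSv1.0", ssl.TLSVersion.TLSv1),
            ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
            ("TLSv1.2", ssl.TLSVersion.TLSv1_2)]

def probe(host, port, version, timeout=5.0):
    """Offer one protocol version: accepted/rejected/unreachable/untestable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only protocol negotiation is examined,
    ctx.verify_mode = ssl.CERT_NONE  # so the certificate is not validated
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3.x needs level 0
    except (ValueError, ssl.SSLError):
        return "untestable"          # local OpenSSL cannot offer this version
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host):
            return "accepted"
    except (ssl.SSLError, OSError):
        return "rejected"

def assess(results):
    """Findings for a TLS 1.2-only policy from {version name: probe result}."""
    findings = []
    for name, _ in VERSIONS:
        state = results.get(name, "untestable")
        if name == "TLSv1.2":
            if state != "accepted":
                findings.append(f"{name} {state}: TLS 1.2 clients cannot connect")
        elif state == "accepted":
            findings.append(f"{name} accepted: legacy protocol still enabled")
        elif state != "rejected":
            findings.append(f"{name} {state}: inconclusive")
    return findings

def scan(host, port=443):
    results = {name: probe(host, port, v) for name, v in VERSIONS}
    return results, assess(results)
```

An empty findings list means TLS 1.0 and 1.1 were refused and TLS 1.2 was accepted. The script does not probe SSLv3, so the SSLv3 exposure of the “SSL_TLSv2” setting needs a separate check.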
Update on 16/11/09:
- Included PMR number for the community catalog issue
- Included PMR number for the CCM/FileNet ConfigMgr issue
- Included information about Typeahead search
Update on 16/11/11:
- Included CR2 information
Update on 16/12/05:
- Included Community Catalog fix
Update on 16/12/07:
- Included information about possible TLS 1.2 support in a future version of FileNet Config Manager
Update on 17/02/01:
- Included Docs issues
- Included new Technote/Knowledge Center link
Update on 17/04/13:
- Included Docs 2 CR1 iFix 7