TLS 1.2 support and configuration

When the Service Manager web tier, the Mobility client, and SRC act as TLS/SSL servers, they rely on the Oracle or IBM Java virtual machine (JVM) required by your third-party web application server to accept and secure incoming client connections that use TLS or SSL. Typical examples are requests from web browsers running on end users' workstations. Depending on the third-party web application server, these connections default to the highest TLS/SSL protocol version that both sides support. We do not provide the software that hosts the Service Manager web tier, Mobility client, or SRC, and it is that software which controls the specific TLS/SSL protocol versions in use. We therefore recommend that you consult the vendor of your browser and of your third-party web application server (such as IBM WebSphere or Apache Tomcat) for information about how to configure TLS 1.2.

As of Service Manager 9.41, the web tier, Mobility client and Windows client use TLS 1.2 by default.

The Service Manager server itself uses Java to accept and secure incoming client connections that use TLS or SSL; in this scenario, the Service Manager server is acting as a TLS/SSL server. As of Service Manager 9.41, the Service Manager server uses TLS 1.2 by default. To enforce the TLS 1.2 protocol (that is, to reject connection attempts that offer only other versions), configure the following parameter in the sm.ini file:

sslEnabledProtocols:TLSv1.2

Note TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure, and they are disabled by default. If you encounter issues, you can, at your own risk, re-enable them by removing the corresponding entries ("TLSv1" for TLS 1.0, "TLSv1.1" for TLS 1.1) from the jdk.tls.disabledAlgorithms security property in the extra.java.security configuration file under the RUN directory. A version can only be negotiated when it is both listed in sslEnabledProtocols and absent from jdk.tls.disabledAlgorithms; Java applies the disabled list even to protocols that are explicitly enabled.

When the Service Manager server acts as a TLS/SSL client to connect to the Directory Services server over secure LDAP, it uses OpenSSL. Secure LDAP is also known as LDAP over SSL (LDAPS). Depending on the Directory Services server, these connections default to the highest TLS/SSL protocol version that both sides support. To force the Service Manager server to establish only TLS 1.2 (or later) connections with the LDAP server, set the following environment variable in the operating system:

LDAPTLS_PROTOCOL_MIN=3.3

Note The value is the protocol version number as it appears on the wire: 3.1 is TLS 1.0, 3.2 is TLS 1.1, and 3.3 is TLS 1.2. The variable sets a minimum, so any newer version that both sides support remains allowed. For information about how to set an environment variable, refer to your operating system's documentation or to your server administrator.

The Service Manager server may also act as a TLS/SSL client when it connects securely to SMTP servers or consumes third-party external Web Services over HTTPS. Depending on the SMTP server or the Web Services server, these connections default to TLS 1.2. To enforce the TLS 1.2 protocol for these scenarios, configure the same parameter in the sm.ini file:

sslEnabledProtocols:TLSv1.2
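The three settings above (sslEnabledProtocols in sm.ini for the server and for outbound HTTPS/SMTP, jdk.tls.disabledAlgorithms in the java.security file the JVM loads, and LDAPTLS_PROTOCOL_MIN for the LDAPS client) interact: a version listed in sm.ini but still present in jdk.tls.disabledAlgorithms cannot be negotiated, and if nothing survives both checks every handshake fails. The following script is an added example, not code from Service Manager or its documentation. It evaluates the effective protocol set from all three sources at once. It assumes the "parameter:value" syntax of sm.ini shown on this page, the standard java.security property syntax (comma-separated entries, backslash line continuation), and OpenLDAP's "<major>.<minor>" encoding of TLS_PROTOCOL_MIN; the file contents embedded in it are constructed samples.

```python
"""Audit the TLS versions Service Manager can negotiate from its configuration.

Added example, not code from the Service Manager product or its documentation.
It evaluates the three settings this page describes together:
  - sslEnabledProtocols in sm.ini (server side, and outbound HTTPS/SMTP),
  - jdk.tls.disabledAlgorithms in the java.security file the JVM loads,
  - LDAPTLS_PROTOCOL_MIN for the OpenLDAP/OpenSSL client used for LDAPS.
The file contents at the bottom are constructed samples.
"""
import re

# Java protocol names, oldest first.
JAVA_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# OpenLDAP TLS_PROTOCOL_MIN is "<major>.<minor>", the version number sent on the wire.
LDAP_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1",
                 (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_sm_ini(text):
    """Return the list from sslEnabledProtocols (sm.ini writes 'parameter:value'),
    or None when the parameter is absent."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("sslEnabledProtocols:"):
            return [p.strip() for p in line.split(":", 1)[1].split(",") if p.strip()]
    return None


def parse_java_security(text):
    """Return the protocol names in jdk.tls.disabledAlgorithms. The property may be
    continued over several lines with a trailing backslash and also lists ciphers
    and key-size constraints; only entries naming a protocol version are kept."""
    joined = re.sub(r"\\\n\s*", "", text)
    m = re.search(r"^\s*jdk\.tls\.disabledAlgorithms\s*=\s*(.*)$", joined, re.M)
    if not m:
        return set()
    return {e.strip() for e in m.group(1).split(",") if e.strip() in JAVA_PROTOCOLS}


def effective_java_protocols(sm_ini_text, java_security_text):
    """Versions the JVM can actually negotiate: a version must be listed in
    sslEnabledProtocols and not listed in jdk.tls.disabledAlgorithms. If sm.ini
    has no sslEnabledProtocols, every version Java knows is treated as a
    candidate (an assumption of this script, not a documented product default)."""
    enabled = parse_sm_ini(sm_ini_text)
    if enabled is None:
        enabled = JAVA_PROTOCOLS
    disabled = parse_java_security(java_security_text)
    return [p for p in JAVA_PROTOCOLS if p in enabled and p not in disabled]


def ldap_allowed_protocols(env_value):
    """Versions permitted by LDAPTLS_PROTOCOL_MIN: the variable is a floor, so
    '3.3' allows TLS 1.2 and anything newer the library supports."""
    major, minor = (int(x) for x in env_value.strip().split("."))
    return [name for ver, name in sorted(LDAP_VERSIONS.items()) if ver >= (major, minor)]


def audit(sm_ini_text, java_security_text, ldap_min):
    """Return {role: (negotiable versions, problems)} for both client/server roles."""
    report = {}
    java = effective_java_protocols(sm_ini_text, java_security_text)
    problems = []
    if not java:
        problems.append("no version is both enabled in sm.ini and allowed by Java; "
                        "every TLS handshake will fail")
    java_legacy = [p for p in java if p in LEGACY]
    if java_legacy:
        problems.append("legacy versions still negotiable: " + ", ".join(java_legacy))
    report["SM server / outbound HTTPS and SMTP (Java)"] = (java, problems)

    ldap = ldap_allowed_protocols(ldap_min)
    ldap_legacy = [p for p in ldap if p in LEGACY]
    ldap_problems = ["legacy versions permitted: " + ", ".join(ldap_legacy)] if ldap_legacy else []
    report["LDAPS client (OpenLDAP via OpenSSL)"] = (ldap, ldap_problems)
    return report


# Constructed samples, not copied from a real installation.
HARDENED_SM_INI = "sslEnabledProtocols:TLSv1.2\n"
MISMATCHED_SM_INI = "sslEnabledProtocols:TLSv1.1\n"   # a version Java has disabled
SAMPLE_JAVA_SECURITY = """\
# excerpt in java.security syntax (constructed)
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

if __name__ == "__main__":
    for label, ini in (("hardened", HARDENED_SM_INI), ("mismatched", MISMATCHED_SM_INI)):
        print(f"== {label} sm.ini ==")
        for role, (versions, problems) in audit(ini, SAMPLE_JAVA_SECURITY, "3.3").items():
            print(f"{role}: {versions or 'none'}")
            for p in problems:
                print("  PROBLEM:", p)
```

To audit a real installation, read sm.ini, the extra.java.security file under the RUN directory and the value of LDAPTLS_PROTOCOL_MIN from the server's environment and pass them to audit(). The "mismatched" sample shows the failure mode worth catching before a restart: sm.ini enables only TLSv1.1 while Java still disables it, so no version survives and every handshake fails. After restricting the server, confirm from a client host with openssl s_client -connect <sm-host>:<tls-port> -tls1_1, which should fail the handshake, while the same command with -tls1_2 succeeds.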