webMethods TLS support from 9.7

On the IS, do the following:

  1. Extended Settings

watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.cipherSuiteList=default
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=tls
watt.net.ssl.client.strongcipheronly=false
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=tls
watt.net.ssl.server.strongcipheronly=false

  2. HTTPS inbound:
    Create an HTTPS port and set the “useJSSE” parameter to ‘Yes’ to support TLSv1.2.

  3. HTTPS outbound:
    Set the “useJSSE” parameter to ‘Yes’ for the “pub.client:http” service to support TLSv1.2.

This should also work for most 9.x versions when the appropriate Fixes are applied.

Refer to PIE-34321 for further information.
There is also a KB article in Empower related to this.

For wM 9.5 it is IS_9.5_SP1_Core_Fix6 together with SCG_9.5_SP1_Entrust_Fix1.

For TLSv1.2-Support Java 7 or newer is required.

Regards,
Holger

These are my current WM 9.7 IS extended settings:

watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.cipherSuiteList=default
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=sslv2
watt.net.ssl.client.strongcipheronly=false
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=tls
watt.net.ssl.server.strongcipheronly=false

When I tested my IS, it still shows RC4 as weak. What change do I need to perform so that RC4 gets disabled?

watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.cipherSuiteList=default
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=tls
watt.net.ssl.client.strongcipheronly=true
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=tls
watt.net.ssl.server.strongcipheronly=true

If this doesn't help after a restart, check the cipherSuiteLists.

Regards,
Holger
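
A quick offline check of exported extended settings against the values suggested in the reply above, as an added example that is not part of the original thread and not Software AG tooling. The expected values are taken from that reply; the case-insensitive comparison and the sample text are assumptions of this example.

```python
# Added example: lint IS extended settings against the values suggested in this thread.
# EXPECTED mirrors the reply above; it is an assumption of this example,
# not an official vendor baseline.
EXPECTED = {
    "watt.net.ssl.client.handshake.minVersion": "tls",
    "watt.net.ssl.client.handshake.maxVersion": "tls",
    "watt.net.ssl.server.handshake.minVersion": "tls",
    "watt.net.ssl.server.handshake.maxVersion": "tls",
    "watt.net.ssl.client.strongcipheronly": "true",
    "watt.net.ssl.server.strongcipheronly": "true",
}
BOOLEAN_KEYS = {k for k in EXPECTED if k.endswith("strongcipheronly")}

def parse_settings(text):
    """Parse key=value lines; skip blanks, '#' comments and lines without '='."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def lint(text):
    """Return (key, problem) findings; values compared case-insensitively (assumption)."""
    settings = parse_settings(text)
    findings = []
    for key, want in EXPECTED.items():
        have = settings.get(key)
        if have is None:
            findings.append((key, "missing"))
        elif key in BOOLEAN_KEYS and have.lower() not in ("true", "false"):
            findings.append((key, f"not a boolean: {have!r}"))  # catches typos
        elif have.lower() != want:
            findings.append((key, f"is {have!r}, thread suggests {want!r}"))
    return findings

# Constructed sample: the settings from the question, plus a mistyped boolean.
SAMPLE = """\
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=sslv2
watt.net.ssl.client.strongcipheronly=false
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=tls
watt.net.ssl.server.strongcipheronly=ture
"""

if __name__ == "__main__":
    for key, problem in lint(SAMPLE):
        print(f"{key}: {problem}")
```

A clean result only says the file matches the thread's values; confirm the effect with a scan of the HTTPS port after the restart.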

What is needed to enable TLS 1.2 on a webMethods 9.6 installation?

My server version is 9.6.0.0, with no updates applied. The license is provided by a third party, so I do not have direct access to Empower. I’ve opened a support case with the third party as well, but figured this thread was a good starting point for context on what I’m trying to achieve.

Thanks!

Hi Trevor,

You will have to ask your provider to apply at least IS_9.6_Core_Fix3 together with SCG_9.6_Entrust_Fix1.

Additionally the IS needs to run in Java 1.7 (see About-Page of IS) otherwise only TLS 1 will be available, but not TLS 1.1 and TLS 1.2.

The necessary configuration changes to the IS are documented in this thread already.

Regards,
Holger

Addendum:

Java 1.8 should work too, but this is a different Fix-Package which needs to be applied.

TLS 1.1 and TLS 1.2 definitely require Java 1.7 or newer.

Regards,
Holger

Also, here is the setting for the enablement, as long as the HTTPS port was created with JSSE=true (by default):

watt.net.jsse.server.enabledProtocols=TLSv1.1,TLSv1.2
watt.net.jsse.client.enabledProtocols=TLSv1.1,TLSv1.2

HTH,
RMG

Thank you both!

You're welcome :smiley: