IBM Integration Bus v9 enable TLS protocol
Information on enabling the TLS protocol in IBM Integration Bus v9, provided for reference.
As part of recent security testing performed for one of our customers, I have seen several sets of links provided for the IBM Integration Bus v9 product, where different technotes mention disabling the SSLv3 protocol, as it is vulnerable to the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack.
I mentioned the links and references for SSLv3 vulnerability information in a previous blog entry. Below are the commands that need to be run on IBM Integration Bus v9 in order to enable the TLS protocol.
The SSLv3 protocol is now disabled by default. If you are still using SSLv3, it needs to be disabled. Apply the latest IIB v9 fix packs to stay protected against such attacks.
Please check IBM Technote link here.
1. Inbound Connections commands
At broker level
mqsichangeproperties mwpbroker -b httplistener -o HTTPSConnector -n sslProtocol -v TLS
At Execution group level
mqsichangeproperties mwpbroker -e mwpeg -o HTTPSConnector -n sslProtocol -v TLS
For TCPIPServer
mqsichangeproperties mwpbroker -c TCPIPServer -o myTCPIPServerService -n SSLProtocol -v TLS
For webadmin
mqsichangeproperties mwpbroker -b webadmin -o HTTPSConnector -n sslProtocol -v TLS
Report the properties after making the changes:
At broker level for httplistener
mqsireportproperties mwpbroker -b httplistener -o HTTPSConnector -a
mqsireportproperties mwpbroker -b httplistener -o AllReportableEntityNames -a
mqsireportproperties mwpbroker -b httplistener -o HTTPListener -a
At EG level
mqsireportproperties mwpbroker -e mwpeg -o HTTPSConnector -r
The screenshots below, for reference, show this performed at the broker and EG level:


2. If you want to enable the TLSv1.2 version of the TLS protocol, use the command below (the same applies to the other sets of commands)
mqsichangeproperties mwpbroker -b httplistener -o HTTPSConnector -n sslProtocol -v TLSv1.2

3. To re-enable the SSLv3 protocol, use the commands below.
mqsichangeproperties mwpbroker -o BrokerRegistry -n allowSSLv3 -v true
mqsichangeproperties mwpbroker -e mwpeg -o ComIbmJVMManager -n allowSSLv3 -v true
mqsichangeproperties mwpbroker -b httplistener -o HTTPListener -n allowSSLv3 -v true
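
An added example (not from the original post or from IBM): a shell filter that checks `mqsireportproperties` output for the `sslProtocol` and `allowSSLv3` settings changed above. It assumes the report prints one property per line as name='value'; the two sample reports and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the report prints one property per line as
# name='value'. Example policy: sslProtocol must be set to a TLS value and
# allowSSLv3 must not be true.

# Reads report text on stdin, prints one line per finding, then PASS or FAIL.
classify_report() {
    awk -F"'" '
        /=/ {
            name = $1                      # text before the first quote
            gsub(/[ \t=]/, "", name)       # strip indentation and "="
            value = $2
            lname = tolower(name)          # TCPIPServer uses "SSLProtocol"
            if (lname == "sslprotocol") {
                seen = 1
                if (value ~ /^TLS/) print "OK   " name "=" value
                else { print "WEAK " name "=" value; bad = 1 }
            } else if (lname == "allowsslv3" && tolower(value) == "true") {
                print "WEAK " name "=" value; bad = 1
            }
        }
        END {
            if (!seen) { print "WEAK sslProtocol not reported"; bad = 1 }
            print (bad ? "FAIL" : "PASS")
        }'
}

# Constructed sample: connector after "-n sslProtocol -v TLSv1.2".
sample_hardened() {
    cat <<'EOF'
HTTPSConnector
  uuid='HTTPSConnector'
  sslProtocol='TLSv1.2'
EOF
}

# Constructed sample: SSLv3 selected and allowSSLv3 switched back on.
sample_weak() {
    cat <<'EOF'
HTTPSConnector
  uuid='HTTPSConnector'
  sslProtocol='SSLv3'
HTTPListener
  allowSSLv3='true'
EOF
}

sample_hardened | classify_report
sample_weak | classify_report
```

On a broker host, pipe the real command into the function, for example `mqsireportproperties mwpbroker -e mwpeg -o HTTPSConnector -r | classify_report`.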
