Changing the cryptographic protocol for Teracloud® Streams services

Many domain and instance services support connections that use Transport Layer Security (TLS) cryptographic protocols. You can specify which cryptographic protocols the services use for secure communication by setting domain and instance properties. Starting with Teracloud® Streams Version 7.2.0, the default protocol setting is TLSv1.3, which indicates that TLS 1.3 or later protocols are used.

About this task

You can specify the cryptographic protocol for the following domain and instance services.

Notes:
  • The domain.sslOption domain property is used as the default value for the sslOption properties that are listed.

  • If you set the sws.sslProtocol property to TLSv1.2, you must also specify one of the following settings:
    • Set the domain.sslOption property to TLSv1.2.
    • Set both the aas.sslOption and jmx.sslOption properties to TLSv1.2.
  • If the domain.sslOption property is set to TLSv1.2, the WebSphere® Application Server com.ibm.jsse2.sp800-131 system property is set to strict. For more information about SP800-131 standard strict mode, see Configuring WebSphere Application Server for SP800-131 standard strict mode.

Table 1. Domain services

Service name                               Domain property name
-----------------------------------------  --------------------
authentication and authorization service   aas.sslOption
domain controller service                  controller.sslOption
Java Management Extension (JMX) service    jmx.sslOption
REST API service                           domain.sslOption
web management service                     sws.sslProtocol

Table 2. Instance services

Service name                               Instance property name
-----------------------------------------  ----------------------
application deployment service             app.sslOption
application manager service                sam.sslOption
application metrics service                srm.sslOption
data service                               domain.sslOption
view service                               view.sslOption

The domain and instance properties can have the following values:
  • TLSv1.3 indicates that the service uses only TLS 1.3 or later protocols. If a TLS 1.3 connection cannot be established, the service does not fall back to an earlier TLS version.
  • TLSv1.2 indicates that the service uses only TLS 1.2 or later protocols. If a TLS 1.2 connection cannot be established, the service does not fall back to an earlier TLS version.
  • none indicates that the service does not use TLS or SSL. You cannot specify this value for the sws.sslProtocol domain property.

The sws.sslProtocol domain property has an extra value: useJavaSetting. This value indicates that the web management service supports the cryptographic protocols that are specified by the Java configuration of processes that connect to the service. It is the default value for sws.sslProtocol.

For more information about these properties, run streamtool man domainproperties and streamtool man properties.

Tip: Before you change the cryptographic protocol, consider which Teracloud® Streams interfaces you use and how they are affected. For example, you must open the Streams Console in a web browser that supports the same cryptographic protocols that you specify for the web management service.

Procedure

You can specify the cryptographic protocol when you create or update a domain or instance.
  • Specify the cryptographic protocol when you create the domain or instance.
    • Use the streamtool mkdomain command to create a domain and specify the appropriate domain property.
    • Use the Streams Console or the streamtool mkinstance command to create an instance and specify the appropriate instance property.
  • Specify the cryptographic protocol after you create the domain or instance.
    • To update a domain property, use the streamtool setdomainproperty command, then restart the domain.
    • To update an instance property, use the Streams Console or the streamtool setproperty command, then restart the instance.
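
Before you apply a change, you can check a planned set of values against the rules in the notes and value list above. The following Python script is an added example, not part of the product or its documentation: it resolves the domain.sslOption default, flags services with TLS disabled, and enforces the sws.sslProtocol requirements. The name=value input format and the function names are assumptions made for the example.

```python
# Added example: audits Streams TLS property settings against the rules above.
# Assumption: "name=value" input; domain and instance properties share one map.
SSL_OPTION_PROPS = ["aas.sslOption", "controller.sslOption", "jmx.sslOption",
                    "app.sslOption", "sam.sslOption", "srm.sslOption",
                    "view.sslOption"]  # these default to domain.sslOption

def parse(text):
    """Parse name=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition("=")
            props[name.strip()] = value.strip()
    return props

def effective(props):
    """Resolve every property to the value its service would use."""
    base = props.get("domain.sslOption", "TLSv1.3")  # default per this page
    eff = {name: props.get(name, base) for name in SSL_OPTION_PROPS}
    eff["domain.sslOption"] = base
    eff["sws.sslProtocol"] = props.get("sws.sslProtocol", "useJavaSetting")
    return eff

def audit(props):
    """Return a list of findings; an empty list means the settings are consistent."""
    eff, findings = effective(props), []
    for name, value in sorted(eff.items()):
        extra = "useJavaSetting" if name == "sws.sslProtocol" else "none"
        if value not in {"TLSv1.3", "TLSv1.2", extra}:
            findings.append(f"{name}: value {value!r} is not allowed")
        elif value == "none":
            findings.append(f"{name}: TLS is disabled for this service")
    if eff["sws.sslProtocol"] == "TLSv1.2":
        domain_ok = eff["domain.sslOption"] == "TLSv1.2"
        pair_ok = eff["aas.sslOption"] == eff["jmx.sslOption"] == "TLSv1.2"
        if not (domain_ok or pair_ok):
            findings.append("sws.sslProtocol=TLSv1.2 needs domain.sslOption=TLSv1.2 "
                            "or both aas.sslOption and jmx.sslOption at TLSv1.2")
    return findings

# Constructed sample, not output captured from a real domain.
SAMPLE = """
sws.sslProtocol=TLSv1.2
jmx.sslOption=TLSv1.2
srm.sslOption=none
"""

if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE))))
```

For the constructed sample, the script reports that srm.sslOption disables TLS and that sws.sslProtocol=TLSv1.2 is set without the required domain.sslOption or aas.sslOption and jmx.sslOption values.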