Integration


This is an IBM Automation portal for Integration products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.


Add a new idea Subscribe
Status Future consideration
Workspace App Connect
Created by Guest
Created on Jan 28, 2016

RELATED IDEAS

Restrict both incoming and outgoing to only accept allowed protocols

Objective: Disable restricted protocols for incoming and outgoing calls to IIB

Problem: We need to disable TLSv1.0 (or for future cases, adminstratively disable lower/restricted protocols) for both incoming and outgoing IIB traffic.

We changed jave.security to: jdk.tls.disabledAlgorithms=TLSv1, SSLv3, RC4
This change disabled incoming calls with TLSv1.0 however, TLSv1.0 is accepted on the outgoing calls.

The application area changed and deployed their flows using TLSv1.1 then TLSv1.2.

The outcome:
TLSv1.1 only accepts 1.1 (rejects 1.0 and 1.2)
TLSv1.2 only accepts 1.2 (rejects 1.0 and 1.1)


We expected the outcome to be:
TLSv1.1 to accept 1.1 and higher
TLSv1.2 to accept 1.2 and higher

Idea priority High
RFE ID 83174
RFE URL
RFE Product IBM App Connect Enterprise (formerly IBM Integration Bus)
  • Guest
    Reply
    |     Aug 17, 2020

    As part of our regular commitment to reviewing RFEs, we have re-reviewed this RFE and its status is maintained as Uncommitted Candidate. However, we would like to note some clarifications with regard to how the desired inbound behaviour can already be achieved:

    In IIBv10:
    If you don't set up any restricitons then TLSv1, TLSv1.1 or TLS1.2 will be accepted.
    If you specifically disable the TLSv1 algorithm in java.security.file, then TLSv1 will fail, but TLSv1.1 and TLSv1.2 will succeed. The error you will receive for TLSv1 is "javax.net.ssl.SSLHandshakeException: No appropriate protocol, may be no appropriate cipher suite specified or protocols are deactivated"
    If you set specifically then set the protocol on the request node to use the disabled version (TLSv1), then this will also fail.
    If you change the protocol on the request node to be one that accepts a range of possibilities such as "SSL_TLSv2", then this will work again because TLSv1.1 or TLSv1.2 are options, but SSLv3 and TLSv1 will still be disabled as requested.
    The default protocol is "TLS", which means TLSv1.0. However, this can be changed to be any TLS version by setting "com.ibm.jsse2.overrideDefaultTLS=true". So combining this with the above options gives the desired outcome expressed in the RFE.

    We will continue to monitor this RFE for further comments and in particular we note that for outbound bevahiour and ease of administering the current settings there is more we could do in this area.

  • Guest
    Reply
    |     Jul 6, 2016

    Thanks for raising this RFE. We agree this would make a great enhancement for IIB. Status is updated to Uncommitted Candidate.

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.