Software AG Products 10.7 | Administering Integration Server | Configuring Integration Server for Secure Communications | Supported SSL/TLS Protocols | TLSv1.3 Support
 
TLSv1.3 Support
When allowed by the JVM, Integration Server 10.7 supports TLSv1.3 for secure inbound and outbound connections that use JSSE. TLSv1.3 support is provided via OpenJSSE from Azul and is available in the Zulu 8 JDK.
Adding TLSv1.3 as a supported protocol is possible by using the Java system property -XX:+UseOpenJSSE. Integration Server adds this system property to the profiles/IS_<instanceName>/configuration/custom_wrapper.conf when creating an Integration Server instance. Microservices Runtime startup scripts server.bat|sh have been modified to include this parameter as well. This is the default configuration for Integration Server and Microservices Runtime.
If you decide to use a JDK that is not Zulu or are using AIX, the OpenJSSE functionality, and therefore TLSv1.3, may not be available. A JVM from another provider might ignore the -XX:+UseOpenJSSE option that signals use of OpenJSSE. However, you may need to either remove or comment out the -XX:+UseOpenJSSE option from the custom_wrapper.conf file in Integration Server and/or from the server.bat/sh file for Microservices Runtime.
Note:
Integration Server automatically enables all protocols supported by the JVM except the ones explicitly disabled using the watt.net.jsse.*.disabledProtocols parameters. For information about the SSL/TLS protocols supported by the JVM, refer to the vendor documentation.
Note:
When creating a keystore alias for a PKCS12 type keystore in version 10.7, Integration Server lists BC (Bouncy Castle), OpenJSSE (when the Zulu JDK is used) and/or, IBMJCE (when the IBM JDK is used) as possible providers for the keystore. In versions of Integration Server prior to 10.7, Integration Server listed SunJSSE as a possible provider for a PKCS12 type keystore. However, when using OpenJSSE, the SSL provider named SunJSSE is not available. During migration to Integration Server 10.7 that uses OpenJSSE, the migration utility changes existing keystores that used SunJSSE as the provider to use BC (Bouncy Castle).