Disabling TLSv1 and TLSv1.1 and enabling TLSv1.2 for DevTest
Article ID: 10938

Products

CA Application Test, CA Continuous Application Insight (PathFinder), Service Virtualization

Issue/Introduction

Disable TLSv1 and TLSv1.1 on all DevTest Servers and your Workstation.


Environment

All supported DevTest releases.

Cause

Vulnerability finding against TLSv1 and TLSv1.1.

Resolution

To disable TLSv1 and TLSv1.1 on IAM and set it to TLSv1.2:

This only applies to the IAM servers of DevTest 10.7.0, 10.7.2 GA and 10.7.2 with hotfixes.

If you have DevTest 10.7.2 with SP2, SP3 or SP4 applied, TLSv1 and TLSv1.1 are already disabled and TLSv1.2 is enabled.

Edit the standalone.xml file located in the IAM_HOME/standalone/configuration folder.

There are two places to make this change in the file:

1)

<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="${iam.keystore}" keystore-password="${iam.keystore.password}"/>
        </ssl>
    </server-identities>

2)

<security-realm name="iamRealm">
    <server-identities>
        <ssl>
            <keystore path="${iam.keystore}" keystore-password="${iam.keystore.password}"/>
        </ssl>
    </server-identities>

Change both to:

    <server-identities>
        <ssl>
            <engine enabled-protocols="TLSv1.2" />
            <keystore path="${iam.keystore}" keystore-password="${iam.keystore.password}"/>
        </ssl>
    </server-identities>

Save the file and restart IAM.


To disable TLSv1 and TLSv1.1 on all servers, do the following on each DevTest server and each Workstation:

1. Edit the java.security file located under DevTest Home/jre/lib/security.

2. Find the line similar to the following (around line 625):

Change from: 

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL

Change to: 

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL

https.protocols=TLSv1.2

On DevTest 10.7.0 and later, the https.protocols property above is set by default in the lisa.properties file.

Restart all the DevTest components afterwards.
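As an added check (not part of this article or of DevTest), the following script validates both settings described above against constructed excerpts of standalone.xml and java.security: it reports every security-realm whose <ssl> block lacks engine enabled-protocols="TLSv1.2", and confirms that TLSv1 and TLSv1.1 appear in jdk.tls.disabledAlgorithms, honouring the backslash line continuation. The file contents, the function names and the deliberately incomplete iamRealm are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
# Constructed excerpt of IAM standalone.xml after editing only ApplicationRealm
# (not a real DevTest file); iamRealm still lacks the <engine> element.
STANDALONE_XML = """<server><management><security-realms>
  <security-realm name="ApplicationRealm"><server-identities><ssl>
    <engine enabled-protocols="TLSv1.2"/>
    <keystore path="${iam.keystore}" keystore-password="${iam.keystore.password}"/>
  </ssl></server-identities></security-realm>
  <security-realm name="iamRealm"><server-identities><ssl>
    <keystore path="${iam.keystore}" keystore-password="${iam.keystore.password}"/>
  </ssl></server-identities></security-realm>
</security-realms></management></server>"""

# Constructed java.security excerpt; the backslash continues the value on the next line.
JAVA_SECURITY = """# ... other properties ...
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def realm_protocols(xml_text):
    """Map each security-realm name to its <engine enabled-protocols> value (None if absent)."""
    result = {}
    for realm in ET.fromstring(xml_text).iter():
        if _local(realm.tag) == "security-realm":
            engines = [e for e in realm.iter() if _local(e.tag) == "engine"]
            result[realm.get("name")] = engines[0].get("enabled-protocols") if engines else None
    return result

def disabled_algorithms(text):
    """Return the jdk.tls.disabledAlgorithms entries, folding backslash-continued lines."""
    folded = re.sub(r"\\\n\s*", "", text)
    for line in folded.splitlines():
        if line.startswith("jdk.tls.disabledAlgorithms="):
            return [item.strip() for item in line.split("=", 1)[1].split(",")]
    return []

def find_gaps(xml_text, java_security_text):
    """List every realm or protocol that still deviates from the settings in this article."""
    gaps = [f"{name}: enabled-protocols is {proto!r}, expected 'TLSv1.2'"
            for name, proto in realm_protocols(xml_text).items() if proto != "TLSv1.2"]
    disabled = disabled_algorithms(java_security_text)
    gaps += [f"java.security: {p} missing from jdk.tls.disabledAlgorithms"
             for p in ("TLSv1", "TLSv1.1") if p not in disabled]
    return gaps

print("\n".join(find_gaps(STANDALONE_XML, JAVA_SECURITY)) or "both files match")
```

Against the constructed input the script reports only iamRealm, since its <ssl> block has no engine element; point the two constants at the real files to check a server.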

Additional Information

If the scan also reports the vulnerability "Weak key size for TLSv1.2":

“The increase in vulnerability is due to the weak key size for TLS1.2, and the minimum size needs to be 112 keys.”

Refer to this KB: https://knowledge.broadcom.com/external/article?articleNumber=251607