Disable TLSv1 and TLSv1.1 on all DevTest Servers and your Workstation.
All supported DevTest releases.
Vulnerability.
To disable TLSv1 and TLSv1.1 on IAM and set it to TLSv1.2:
This applies only to IAM servers on DevTest 10.7.0, 10.7.2 GA and 10.7.2 with hotfixes.
If you have DevTest 10.7.2 with SP2, SP3 or SP4 applied, TLSv1 and TLSv1.1 are already disabled and TLSv1.2 is enabled.
Edit the standalone.xml file located in the IAM_HOME/standalone/configuration folder:
There are two places to make this change in the file:
1)
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="${iam.keystore}" keystore-password="${iam.keystore.password}"/>
</ssl>
</server-identities>
2)
<security-realm name="iamRealm">
<server-identities>
<ssl>
<keystore path="${iam.keystore}" keystore-password="${iam.keystore.password}"/>
</ssl>
</server-identities>
Change both to
Save the file and restart IAM.
To disable TLSv1 and TLSv1.1 on all servers, do the following on each DevTest server and each Workstation:
1. Edit the DevTest Home/jre/lib/security/java.security file
2. In that file, find the line similar to the following (at about line 625).
Change from:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL
Change to:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL
https.protocols=TLSv1.2
On DevTest 10.7.0 and later, the above property is already set by default in the lisa.properties file.
Restart all DevTest components afterwards.
If you are also seeing this vulnerability: Weak key size for TLSv1.2
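The java.security change in step 2 has to be repeated on every DevTest server and Workstation, so it is worth scripting. The following is an added example written for this article, not a DevTest or Broadcom utility; JAVA_SECURITY_PATH is a placeholder and SAMPLE is a constructed copy of the stock property. It joins the backslash-continued line, inserts TLSv1 and TLSv1.1 after SSLv3 and is safe to re-run.

```python
"""Add TLSv1 and TLSv1.1 to jdk.tls.disabledAlgorithms in java.security (added example)."""
import re

# Placeholder: point at <DevTest Home>/jre/lib/security/java.security on each host.
JAVA_SECURITY_PATH = "/path/to/DevTest/jre/lib/security/java.security"
LEGACY_PROTOCOLS = ("TLSv1", "TLSv1.1")
# The property at column 0 plus any '\'-continued lines that follow it.
_PROP_RE = re.compile(r"^jdk\.tls\.disabledAlgorithms=((?:[^\n]*\\\n)*[^\n]*)$", re.M)

# Constructed sample mirroring the KB's "Change from" text, for stand-alone runs.
SAMPLE = (
    "# other settings above\n"
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\\n"
    "    EC keySize < 224, 3DES_EDE_CBC, anon, NULL\n"
    "jdk.certpath.disabledAlgorithms=MD2, MD5\n"
)

def parse_disabled_algorithms(text):
    """Return the jdk.tls.disabledAlgorithms entries as a list, or None if absent."""
    m = _PROP_RE.search(text)
    if not m:
        return None
    value = re.sub(r"\\\n\s*", "", m.group(1))  # join continued lines
    return [e.strip() for e in value.split(",") if e.strip()]

def harden_disabled_algorithms(text):
    """Return text with TLSv1 and TLSv1.1 disabled; unchanged if they already are."""
    m = _PROP_RE.search(text)
    if not m:
        raise ValueError("jdk.tls.disabledAlgorithms not found; nothing to patch")
    entries = parse_disabled_algorithms(text)
    missing = [p for p in LEGACY_PROTOCOLS if p not in entries]
    if not missing:
        return text
    # Insert right after SSLv3, matching the order the KB's "Change to" line shows.
    at = entries.index("SSLv3") + 1 if "SSLv3" in entries else 0
    new_value = ", ".join(entries[:at] + missing + entries[at:])
    # Continued lines collapse into one logical line, which Java reads identically.
    return text[:m.start(1)] + new_value + text[m.end(1):]

def harden_file(path=JAVA_SECURITY_PATH):
    """Patch the file in place and return True if it was changed."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    hardened = harden_disabled_algorithms(original)
    if hardened != original:
        with open(path, "w", encoding="utf-8") as f:
            f.write(hardened)
    return hardened != original
```

Run harden_file() on each host after stopping the DevTest components, then restart them; a second run returns False, which makes it safe in configuration management.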
“The increase in vulnerability is due to the weak key size for TLS1.2, and the minimum size needs to be 112 keys.”
Refer to this KB: https://knowledge.broadcom.com/external/article?articleNumber=251607