Unable to use Tomcat with TLS security protocol and SHA256 and SHA384 ciphers


Article ID: 129475


Updated On:

Products

• SUPPORT AUTOMATION - SERVER
• CA Service Desk Manager - Unified Self Service
• KNOWLEDGE TOOLS
• CA Service Management - Asset Portfolio Management
• CA Service Management - Service Desk Manager

Issue/Introduction

How can I get the following cipher suites to work with Tomcat?
 
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_128_GCM_SHA256 

The NX.env file shows the following Tomcat and JRE versions are being used by CA Service Desk Manager 14.1:

@NX_TOMCAT_INSTALL_DIR=C:/Program Files (x86)/CA/SC/tomcat/7.0.23
@NX_JRE_INSTALL_DIR=C:/Program Files (x86)/CA/SC/JRE/1.7.0_10

Cause

The JRE bundled with CA SDM 14.1 is 1.7.0_10, which ships with the limited JCE jurisdiction policy files, so AES keys are capped at 128 bits and the AES_256 cipher suites cannot be enabled. The other suites in the list are TLS 1.2 suites; Java 7 does support TLS 1.2, but the AES_GCM suites are not implemented in Java 7 at all and only became available in Java 8. Tomcat only enables the suites in its ciphers attribute that the underlying JRE actually supports, so the missing suites are simply never offered.
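The following program is an added example (not CA code or part of the product) that reports, for whichever JRE runs it, whether each of the nine suites from the question can be offered: it checks the JCE key-length limit that governs the AES_256 suites and asks a TLS 1.2 SSLContext which suites it supports and which it enables by default. The class name and output layout are the example's own.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

/**
 * Added example (not CA code): reports whether the running JRE can offer the
 * cipher suites asked about above. Run it with the java.exe from
 * NX_JRE_INSTALL_DIR to see what SDM's Tomcat actually gets.
 */
public class CipherCheck {

    /** The nine suites from the question, verbatim. */
    private static final String[] WANTED = {
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_GCM_SHA256"
    };

    public static void main(String[] args) throws Exception {
        System.out.println("java.version       = " + System.getProperty("java.version"));
        System.out.println("java.home          = " + System.getProperty("java.home"));

        // The limited JCE policy caps AES at 128 bits; the AES_256 suites need 256.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key length = " + maxAes
                + (maxAes >= 256 ? " (unlimited policy)"
                                 : " (limited policy: AES_256 suites unavailable)"));

        // The SHA256/SHA384 suites are TLS 1.2 suites, so ask for a TLS 1.2 context.
        // A NoSuchAlgorithmException here means the JRE has no TLS 1.2 at all.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key/trust managers suffice for a capability check

        Set<String> supported = new HashSet<String>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<String>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        for (String suite : WANTED) {
            String state;
            if (!supported.contains(suite)) {
                state = "NOT SUPPORTED by this JRE";
            } else if (enabled.contains(suite)) {
                state = "supported, enabled by default";
            } else {
                state = "supported, but must be listed in the connector's ciphers attribute";
            }
            System.out.printf("%-42s %s%n", suite, state);
        }
    }
}
```

The bundled JRE has no compiler, so compile once with any JDK 8 (`javac -source 1.7 -target 1.7 CipherCheck.java`) and then run the class twice, once with `"C:\Program Files (x86)\CA\SC\JRE\1.7.0_10\bin\java.exe" CipherCheck` and once with the java.exe of the 1.8 JRE you intend to install; the difference in the two reports is the cause described above.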

Environment

CA Service Desk Manager 14.1 

Resolution

Install and configure CA SDM 14.1 to use the latest 1.8 JRE. 
 
The Supportability Matrix for CA Service Desk Manager 14.1 lists 1.8.0_45 as the supported JRE, but a later 1.8.0_x release can also be used. Note that 1.8.0_45 still ships with the limited policy; the unlimited policy became the default in 8u161 (see item 4 below). The minimum version CA requires to resolve this issue is JRE 1.8.0_181.
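Once the 1.8 JRE is in place, the suites still have to be enabled on the Tomcat connector. The connector below is an added example for Tomcat 7, not CA's shipped server.xml: the port, keystore path and password are placeholders, and the existing connector in the server.xml under NX_TOMCAT_INSTALL_DIR may carry SDM-specific attributes that must be kept when you merge these settings in. It pins the listener to TLS 1.2 and lists exactly the nine suites from the question.

```xml
<!-- Added example, not CA's shipped configuration. Port, keystore path and
     password are placeholders. With the bundled 1.7.0_10 JRE the AES_256
     suites are rejected by the limited JCE policy and the GCM suites do not
     exist, so Tomcat drops them from this list; with JRE 1.8.0_181 or later
     all nine are offered. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256"
           keystoreFile="${catalina.base}/conf/sdm.jks"
           keystorePass="changeit" />
```

After restarting Tomcat, confirm the negotiated suite from outside with a TLS 1.2 client (for example `openssl s_client -connect host:8443 -tls1_2 -cipher ECDHE-RSA-AES256-SHA384`); if the handshake still fails for a suite that the JRE reports as supported, the connector's ciphers attribute is what to check.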

Additional Information

1. Supportability Matrix for CA Service Desk Manager 14.1:

URL: https://docops.ca.com/ca-service-management/14-1/en/release-information/supportability-matrix#SupportabilityMatrix-Third-PartyCommonComponents

Under "Third-Party Common Components Support", the table shows that for the row named "Java Runtime Environment (JRE) and the column named "CA Service Desk Manager 14.1", the JRE version is 1.8.0_45 (32-bit).

On this page is the following note:
"Note: CA Service Management supports service packs and point releases not necessarily noted on this matrix as long as the problem reported is reproducible with versions that are listed on the support matrix. CA Technologies reserves the right to refuse support of new point releases should the reported problem require a major redesign to function properly. CA Support and Sustaining Engineering resolve any issue that occurs in a timely manner. If the resolution to a problem is determined to be outside the realm of their support responsibilities, they may ask that you escalate your request for certification to your local account team."

2. To upgrade the JRE, follow the same steps as documented for installing and configuring JRE 1.8.0_45, substituting the newer 1.8.0_x release. The URL in the documentation is:
https://docops.ca.com/ca-service-management/14-1/en/implementing/implementing-ca-service-management-14-1/step-4-install-or-upgrade/implementing-ca-service-desk-manager/how-to-install-ca-sdm/step-3-install-other-components#Step3-InstallOtherComponents-InstallandConfigureJRE1.8.0_45

3. To obtain the latest JRE, check this web page:
https://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

4. Here is the URL of the release notes for JRE 1.8.0_161, together with the entry describing the change that makes unlimited cryptography the default starting with this version (on 8u151 through 8u160 the same behaviour can be selected by setting crypto.policy=unlimited in java.security):
https://www.oracle.com/technetwork/java/javase/8u161-relnotes-4021379.html#JDK-8170157

The relevant entry states: 
"security-libs/javax.crypto
Unlimited cryptography enabled by default
The JDK uses the Java Cryptography Extension (JCE) Jurisdiction Policy files to configure cryptographic algorithm restrictions. Previously, the Policy files in the JDK placed limits on various algorithms. This release ships with both the limited and unlimited jurisdiction policy files, with unlimited being the default. The behavior can be controlled via the new 'crypto.policy' Security property found in the /lib/java.security file. Please refer to that file for more information on this property."