JMX console disable TLS1

Article ID: 141991

Products

CA Release Automation - Release Operations Center (Nolio)
CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

We are able to successfully connect to JMX on Management Servers (NAC) and Execution Servers (NES) using TLS1 and TLS1.1. How can these protocols be disabled? 

Cause

The NAC and NES are Tomcat web applications, and Tomcat can restrict the protocols and ciphers accepted on its own connectors. The JMX listener, however, is not a web application and does not honour those Tomcat settings. Its configuration comes from the distributed.properties file; on the NAC and NES the JMX-related settings cover enabling/disabling JMX, the port, and enabling/disabling SSL.

Note: The agent has no configuration setting for enabling/disabling SSL on JMX; it only has settings for enabling/disabling JMX itself.

None of the JMX settings on the NAC and NES let you choose which protocols or ciphers are allowed. The product does not enforce anything here, although the restriction can still be configured, just not through the product: the JMX listener is provided by the MX4J library, which relies on the security policy of the JVM it runs in. The protocol restriction is therefore made at the JVM level, in the java.security file of the bundled JRE.

Environment

Release : 6.6

Component : CA RELEASE AUTOMATION CORE

Resolution

Create a backup copy of the <RA_HOME>/jre/lib/security/java.security file before editing it. Edit the bundled JRE under <RA_HOME>, not a system-wide JDK, because that is the JVM the NAC/NES services run in.

The setting that controls this is jdk.tls.disabledAlgorithms.

Its default value (on Nolio RA 6.6.0.b9640 installs) is:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, DES40_CBC, RC4_40


To disable TLS1 and TLS1.1, add them to this comma-separated list as follows (the protocol names must be spelled exactly TLSv1 and TLSv1.1, which is how the JVM identifies them):

jdk.tls.disabledAlgorithms=TLSv1, TLSv1.1, SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, DES40_CBC, RC4_40

Check the existing value first: newer Java 8 builds (8u291 and later) already list TLSv1 and TLSv1.1 here by default, in which case nothing needs to be added.


After this change has been made, stop and start the service (NAC and/or NES) on the host where the change was made; the JVM reads java.security only at startup.

Two caveats: the setting is JVM-wide, so it also governs TLS connections the NAC/NES open as a client, and any endpoint they call out to must then accept TLS 1.2. The file also belongs to the bundled JRE and may be replaced when the product or its JRE is upgraded, so re-check it after an upgrade.

Additional Information

After the change above has been made and the NAC|NES service has been restarted, confirm that TLS1 and TLS1.1 are rejected with the following commands (the </dev/null stops s_client from waiting on standard input if a handshake does succeed):

openssl s_client -connect <nac|nes servername>:20203 -tls1 </dev/null

openssl s_client -connect <nac|nes servername>:20203 -tls1_1 </dev/null

For a disabled protocol the handshake fails: s_client prints an alert such as "protocol version" or "handshake failure", shows no server certificate, and exits with a non-zero status.

To confirm that TLSv1.2 is still enabled, use this command:

openssl s_client -connect <nac|nes servername>:20203 -tls1_2 </dev/null

This one should print the server certificate chain and a session block containing "Protocol : TLSv1.2". A certificate verification error in that output is unrelated to the protocol check (the JMX certificate is typically self-signed).

Caveat: if the OpenSSL on the test host itself refuses to offer TLS 1.0 and 1.1 (recent Debian and Ubuntu releases set MinProtocol = TLSv1.2 in openssl.cnf), the -tls1 and -tls1_1 runs fail with "no protocols available" regardless of what the server accepts, which proves nothing. Run the check from a host whose OpenSSL still offers those protocols.
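The following script is an added example and is not part of the CA Release Automation product or of this article; it automates the procedure above (backup, edit of jdk.tls.disabledAlgorithms, verification with openssl). It assumes the bundled JRE lives under RA_HOME, that the JMX port is 20203, and that the sample java.security written by make_sample (a constructed file mirroring the 6.6.0 default shown above) stands in for the live file during a dry run. The function and script names are the author's own choices.

```shell
#!/bin/sh
# Added example (not the product's own tooling). Applies the java.security
# change described in this article and probes the JMX port afterwards.
# Assumptions: JRE under RA_HOME, JMX on port 20203, sample file constructed
# by make_sample() mirrors the 6.6.0 default.
set -u

# Print the full jdk.tls.disabledAlgorithms value from a java.security file,
# joining backslash-continued lines into one logical value.
disabled_algorithms() {
    awk '
        /^jdk\.tls\.disabledAlgorithms=/ { inval = 1; sub(/^[^=]*=/, "") }
        inval {
            line = $0
            sub(/^[ \t]+/, "", line)            # drop indentation of continuation lines
            more = sub(/\\[ \t]*$/, "", line)   # strip trailing backslash, note it
            val = val line
            if (!more) { print val; exit }
        }' "$1"
}

# True if the comma-separated list $1 contains the exact token $2 (trimmed).
has_token() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF -- "$2"
}

# True if the file already disables both TLSv1 and TLSv1.1.
legacy_tls_disabled() {
    v=$(disabled_algorithms "$1")
    has_token "$v" TLSv1 && has_token "$v" TLSv1.1
}

# Back up the file and prepend "TLSv1, TLSv1.1, " to the key's value, keeping
# everything already listed (including the continued second line).
# Returns 0 when changed, 2 when nothing needed doing, 1 on error.
disable_legacy_tls() {
    f="$1"
    grep -q '^jdk\.tls\.disabledAlgorithms=' "$f" 2>/dev/null || {
        echo "jdk.tls.disabledAlgorithms not found in $f" >&2; return 1; }
    legacy_tls_disabled "$f" && return 2
    cp -p "$f" "$f.bak" || return 1
    # Write through the backup so the live file keeps its inode and permissions.
    sed 's/^jdk\.tls\.disabledAlgorithms=/&TLSv1, TLSv1.1, /' "$f.bak" > "$f"
}

# Probe the JMX port once per protocol. openssl s_client exits non-zero when the
# handshake fails, so a rejected protocol shows up as "rejected". </dev/null
# stops s_client from waiting on stdin after a successful handshake.
probe_tls() {
    host="$1"; port="${2:-20203}"
    for flag in -tls1 -tls1_1 -tls1_2; do
        if openssl s_client -connect "$host:$port" "$flag" </dev/null >/dev/null 2>&1; then
            echo "$flag accepted"
        else
            echo "$flag rejected"
        fi
    done
}

# Constructed sample mirroring the 6.6.0.b9640 default, for a dry run on a
# scratch file instead of the live JRE.
make_sample() {
    cat > "$1" <<'EOF'
# (other java.security settings omitted from this sample)
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, DES40_CBC, RC4_40
ssl.KeyManagerFactory.algorithm=SunX509
EOF
}

# Command-line use:  sh tls_jmx.sh apply <RA_HOME>
# then, after restarting the NAC/NES service:  sh tls_jmx.sh probe <host> [port]
case "${1:-}" in
    apply) disable_legacy_tls "$2/jre/lib/security/java.security" ;;
    probe) probe_tls "$2" "${3:-20203}" ;;
esac
```

Run it with apply before the service restart and probe after it; a correct result is "-tls1 rejected", "-tls1_1 rejected", "-tls1_2 accepted". Remember the openssl.cnf caveat above: on a client that no longer offers TLS 1.0/1.1, the first two lines read "rejected" whatever the server does.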