Configure the Java UI for SPE 7.5 and higher to only allow connections secured by TLS 1.2


Article ID: 178893

Products

Protection Engine for Cloud Services, Protection Engine for NAS

Issue/Introduction

Resolution

Symantec Protection Engine (SPE) uses a user interface built on top of Oracle Java. TLS negotiation is implemented by the Java TLS libraries within the JRE, so Java handles cipher suite negotiation entirely outside of Protection Engine itself. The following instructions provide a method to configure the Java security settings to disallow all secure connections that do not use TLS 1.2.

(Note:  Some of the supported JRE versions may not have the same features or process.)

  1. Locate the Java installation path.
  2. Within the Java installation path, navigate to /lib/security (Linux) or \lib\security (Windows).
  3. Edit the following line within "java.security":

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

  4. Change to:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768

  5. Save the changes to the file.
  6. Restart the server.
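
The edit can be checked on disk before the restart. The following is an added example, not Symantec's or Oracle's code: it parses the text of `java.security` using Java properties syntax (backslash line continuation, last definition wins) and reports which of SSLv3, TLSv1 and TLSv1.1 are still missing from `jdk.tls.disabledAlgorithms`. The function names `disabled_algorithms` and `missing_protocols` are hypothetical.

```python
import re

# Protocol names that must be listed so that only TLS 1.2 can be negotiated.
REQUIRED = ("SSLv3", "TLSv1", "TLSv1.1")

# The two property lines shown in the steps above.
BEFORE = "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768"
AFTER = ("jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, "
         "MD5withRSA, DH keySize < 768")


def disabled_algorithms(text):
    """Return the entries of jdk.tls.disabledAlgorithms, or None if unset."""
    logical, buf, cont = [], "", False
    for raw in text.splitlines():
        line = raw.strip()
        # Comments are only recognised at the start of a logical line.
        if not cont and line.startswith(("#", "!")):
            continue
        # Properties syntax: a trailing backslash continues the line.
        if line.endswith("\\"):
            buf, cont = buf + line[:-1], True
            continue
        logical.append(buf + line)
        buf, cont = "", False
    if cont:
        logical.append(buf)
    value = None
    for line in logical:
        m = re.match(r"jdk\.tls\.disabledAlgorithms\s*[=:]\s*(.*)$", line)
        if m:
            value = m.group(1)  # a later definition replaces an earlier one
    if value is None:
        return None
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def missing_protocols(text):
    """Return the REQUIRED protocol names absent from the property."""
    entries = disabled_algorithms(text) or []
    # Whole-entry comparison: "TLSv1.1" must not be taken to cover "TLSv1".
    return [name for name in REQUIRED if name not in entries]


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "missing:", missing_protocols(text))
```

To audit a real installation, pass the contents of the `java.security` file from step 2 to `missing_protocols`; an empty list means all three older protocols are disabled.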

To determine if the changes have taken effect:

  1. Open your preferred web browser.
  2. Configure the web browser to explicitly use TLS 1.2 only, then close and reopen the browser.
  3. Test the connection to the Symantec Protection Engine User Interface.
  4. Repeat the test with the browser explicitly set to TLS 1.0 only or TLS 1.1 only.

The expected result is that the TLS 1.2 connection succeeds while the TLS 1.0 and TLS 1.1 connections fail.