ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Nolio/RA - Changing protocols for endpoints
Article ID: 186568
CA Release Automation - Release Operations Center (Nolio)CA Release Automation - DataManagement Server (Nolio)
How can we disable some protocol used by Release Automation components.
Release : 6.6 or higher
Component : CA RELEASE AUTOMATION CORE
We at Release Automation, don't force using TLS1 for any endpoints. As for JMX we leave it to MX4J library to decide which protocols to allow and it in turn relies on current JVM's security policy. MXJ4 simply calls SSLContext.getInstance(m_sslProtocol), where m_sslProtocol has default value "TLS", and neither our code nor MX4J's code exposes this m_sslProtocol property to allow setting different value there via configs.
So given there is currently no way to restrict TLS version via our application's config, there is still Tomcat and JVM configs on top of it to look at.
As for the JVM config, there is a chapter called "Disable TLS 1.0 and TLS 1.1". It describes the way to restrict the protocols for the whole JVM by modifying "java.security" file at /jre/lib/security/. The properties from this file cannot be changed via JVM options. There are two ways to modify values for the properties in this file:
1. Just edit the file directly, change the default value for "jdk.tls.disabledAlgorithms" property into something like "SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768", save it, restart JVM. 2. Create a separate file, only with the properties that we want to override. For example, in our case it can only contain "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768". Make sure that the original "java.security" file have property "security.overridePropertiesFile" set to "true". Restart the application specifying "-Djava.security.properties=<URL>" option, where URL is the path to file with overridden properties.
As per observation the option 1 is easy to implement.