JCP log file indicates the use of weak ciphers.


Article ID: 271104


Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

Once a JCP is started the log file contains the following messages:

20230804/072701.776 - 32     U00045428 The TLS certificate will expire on: '2024-05-07 16:08:32 UTC'
20230804/072701.776 - 32               Jetty: Logging initialized @35493ms to com.automic.agents.impl.AgentLogBridge
20230804/072701.910 - 32               Jetty: jetty-9.4.51.v20230217; built: 2023-02-17T08:19:37.309Z; git: b45c405e4544384de066f814ed42ae3dceacdd49; jvm 1.8.0_352-b08
20230804/072701.937 - 32               Jetty: DefaultSessionIdManager workerName=node0
20230804/072701.938 - 32               Jetty: No SessionScavenger set, using defaults
20230804/072701.940 - 32               Jetty: node0 Scavenging every 600000ms
20230804/072702.016 - 32               Jetty: Started o.e.j.s.ServletContextHandler@5167d2ad{/,null,AVAILABLE}
20230804/072702.089 - 32               Jetty: x509=X509@587f5e6a(jetty,h=[server.com],a=[/IP_address],w=[]) for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.125 - 32               Jetty: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.127 - 32               Jetty: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.128 - 32               Jetty: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.130 - 32               Jetty: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.132 - 32               Jetty: Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.134 - 32               Jetty: Weak cipher suite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.136 - 32               Jetty: Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.137 - 32               Jetty: Weak cipher suite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.139 - 32               Jetty: Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.141 - 32               Jetty: Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.142 - 32               Jetty: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.144 - 32               Jetty: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.145 - 32               Jetty: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.147 - 32               Jetty: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.148 - 32               Jetty: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.149 - 32               Jetty: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for Server@2ca62250[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/072702.162 - 32               Jetty: Started ServerConnector@48441b37{SSL, (ssl, http/1.1)}{0.0.0.0:8444}
20230804/072702.163 - 32               Jetty: Started @35867ms
20230804/072711.189 - 34     U00003406 Client connection '6'  from 'IP_address:56581' has logged on to the Server.

Environment

Release: 21.0.X

Component: Automation Engine

Cause

Configuration: the cipher suites that Jetty reports as weak are enabled by the default JDK TLS configuration, because the jdk.tls.disabledAlgorithms property in java.security does not list them.

Resolution

The weak cipher suites can be disabled by adding them to the jdk.tls.disabledAlgorithms property in the JDK's java.security file (keep the entries already present in the property and append the suites reported in the log), for example:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, \
    TLS_RSA_WITH_AES_256_GCM_SHA384, \
    TLS_RSA_WITH_AES_128_GCM_SHA256, \
    TLS_RSA_WITH_AES_256_CBC_SHA256, \
    TLS_RSA_WITH_AES_128_CBC_SHA256, \
    TLS_RSA_WITH_AES_256_CBC_SHA, \
    TLS_RSA_WITH_AES_128_CBC_SHA, \
    include jdk.disabled.namedCurves

After this change is made and the JCP is restarted, the "Weak cipher suite" messages no longer appear in the log:

20230804/074736.367 - 32     U00045428 The TLS certificate will expire on: '2024-05-07 16:08:32 UTC'
20230804/074736.378 - 32               Jetty: Logging initialized @42508ms to com.automic.agents.impl.AgentLogBridge
20230804/074736.485 - 32               Jetty: jetty-9.4.51.v20230217; built: 2023-02-17T08:19:37.309Z; git: b45c405e4544384de066f814ed42ae3dceacdd49; jvm 1.8.0_352-b08
20230804/074736.509 - 32               Jetty: DefaultSessionIdManager workerName=node0
20230804/074736.510 - 32               Jetty: No SessionScavenger set, using defaults
20230804/074736.512 - 32               Jetty: node0 Scavenging every 600000ms
20230804/074736.581 - 32               Jetty: Started o.e.j.s.ServletContextHandler@71dbf387{/,null,AVAILABLE}
20230804/074736.651 - 32               Jetty: x509=X509@1023fce1(jetty,h=[server.com],a=[/IP_address],w=[]) for Server@78ea218f[provider=null,keyStore=file:///C:/Automic/Automation.Platform/AutomationEngine/bin/multinode.p12,trustStore=null]
20230804/074736.692 - 32               Jetty: Started ServerConnector@1bdf916{SSL, (ssl, http/1.1)}{0.0.0.0:8444}
20230804/074736.693 - 32               Jetty: Started @42824ms
20230804/074933.992 - 49     U00003406 Client connection 'CP002#00000001'  from 'IP_address' has logged on to the Server.
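As an added example (not part of the article or of the Automic product), the following Python checker ties the log in the Issue section to the java.security change in the Resolution: it extracts the cipher suites Jetty flagged as weak, parses the jdk.tls.disabledAlgorithms property the way the JDK reads it (backslash-continued lines joined, comma-separated entries trimmed), and reports any flagged suite the property does not yet disable. The log and properties excerpts are constructed, abbreviated versions of the listings above.

```python
import re

# Constructed, abbreviated JCP log excerpt in the article's format ("[...]" shortens the Server details).
JCP_LOG = """\
20230804/072702.125 - 32               Jetty: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA enabled for Server@2ca62250[...]
20230804/072702.139 - 32               Jetty: Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for Server@2ca62250[...]
20230804/072702.145 - 32               Jetty: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for Server@2ca62250[...]
20230804/072702.147 - 32               Jetty: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for Server@2ca62250[...]
"""

# Constructed java.security fragment: backslash-continued value, one entry with a stray space before its comma.
JAVA_SECURITY = """\
security.overridePropertiesFile=true
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, \\
    TLS_RSA_WITH_AES_256_GCM_SHA384 , \\
    include jdk.disabled.namedCurves
"""

WEAK_SUITE_RE = re.compile(r"Jetty: Weak cipher suite (TLS_\w+) enabled")

def weak_suites_from_log(log_text):
    """Distinct suites Jetty flagged as weak, first-seen order (the JCP log repeats some)."""
    seen = []
    for match in WEAK_SUITE_RE.finditer(log_text):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen

def disabled_algorithms(java_security_text):
    """Entries of jdk.tls.disabledAlgorithms: join backslash-continued lines, then
    split on commas and trim each entry, as the JDK does when reading the property."""
    logical = []
    for raw in java_security_text.splitlines():
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + raw.strip()
        else:
            logical.append(raw)
    for line in logical:
        key, sep, value = line.partition("=")
        if sep and key.strip() == "jdk.tls.disabledAlgorithms":
            return {entry.strip() for entry in value.split(",") if entry.strip()}
    return set()

def still_enabled(log_text, java_security_text):
    """Weak suites from the log that the java.security file does not disable."""
    disabled = disabled_algorithms(java_security_text)
    return [s for s in weak_suites_from_log(log_text) if s not in disabled]
```

Run it against the live JCP log and the java.security (or overwrite.security) file before restarting: an empty result from still_enabled means every suite Jetty reported is covered by the property.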


Additional Information

https://docs.oracle.com/en/applications/jd-edwards/administration/9.2.x/eotsc/disabling-weak-cipher-suites-globally-through-java.html#u30144032

If the java.security file cannot be modified (permission denied) but it contains the setting security.overridePropertiesFile=true, the property can instead be placed in a separate properties file that is passed to the JVM with -Djava.security.properties. In this example the file is called overwrite.security and is located in /opt/Automic/Automation.Platform/AutomationEngine/bin, with the following content:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, \
    TLS_RSA_WITH_AES_256_GCM_SHA384, \
    TLS_RSA_WITH_AES_128_GCM_SHA256, \
    TLS_RSA_WITH_AES_256_CBC_SHA256, \
    TLS_RSA_WITH_AES_128_CBC_SHA256, \
    TLS_RSA_WITH_AES_256_CBC_SHA, \
    TLS_RSA_WITH_AES_128_CBC_SHA, \
    include jdk.disabled.namedCurves


The JCP start command, with the override file passed via -Djava.security.properties, then looks like this:

/opt/java/jdk8u352-b08/bin/java -Xmx2G -jar -Djava.security.properties=/opt/Automic/Automation.Platform/AutomationEngine/bin/overwrite.security ucsrvjp.jar -I/opt/Automic/Automation.Platform/ServiceManager/bin/./../../AutomationEngine/bin/ucsrv.ini -svc%port% -cp