Smarts NCM - Can the version of TLS used be configured? Can we configure TLS to harden security against attacks such as BEAST?


Article ID: 331031


Products

VMware Smart Assurance

Issue/Introduction

Symptoms:


Lower TLS protocol versions used in NCM, such as TLSv1, can be susceptible to attacks such as BEAST.



Environment

VMware Smart Assurance - NCM

Resolution

The security settings within the NCM application can be configured to limit the version of TLS that can be used.

The following changes can be made to enable the TLSv1.1, TLSv1.2 and SSLv3 protocols for the handshake.

Browse to the following location: $VOYENCE_HOME/jboss/server/vc-server/deploy/jbossweb.sar

From this location, open the following file to edit: server.xml

Make the following changes:

Standard Configuration:

<!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8880" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/deploy/1vc.sar/voyence-ssl.keystore"
 
Amended Configuration (the change is the added protocols attribute on the Connector line):
 
<!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
<Connector protocol="HTTP/1.1" SSLEnabled="true" protocols="TLSv1.1,TLSv1.2,SSLv3"
port="8880" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/deploy/1vc.sar/voyence-ssl.keystore"
 
Next, restart jboss: service jboss restart
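
To check the edited file, the following script (an added example, not part of the original article or of VMware's tooling) parses server.xml and reports which protocol versions each SSL-enabled Connector allows. The function name, the list of legacy names and the XML wrapper around the sample fragments are assumptions of the example; it also flags SSLv3, which the amended line still enables and which RFC 7568 prohibits.

```python
import xml.etree.ElementTree as ET

# Names this added check treats as legacy (assumption of the example): SSLv2/SSLv3
# and TLSv1, i.e. TLS 1.0, the BEAST-affected version the article is about.
LEGACY = {"sslv2", "sslv2hello", "sslv3", "tlsv1", "tlsv1.0"}

def audit_connectors(server_xml_text):
    """Return [(port, enabled_protocols, findings)] for every SSL-enabled Connector."""
    results = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors are out of scope
        raw = conn.get("protocols")
        if raw is None:
            enabled = []
            findings = ["no protocols attribute: versions not restricted by this connector"]
        else:
            enabled = [p.strip() for p in raw.split(",") if p.strip()]
            findings = ["legacy protocol enabled: " + p
                        for p in enabled if p.lower() in LEGACY]
            if not any(p.lower() in ("tlsv1.1", "tlsv1.2") for p in enabled):
                findings.append("neither TLSv1.1 nor TLSv1.2 is enabled")
        results.append((conn.get("port"), enabled, findings))
    return results

# Constructed sample input: the article's two Connector fragments, wrapped in a
# <Server> root and closed with "/>" so they parse (the article's snippets are cut off).
_TAIL = '''port="8880" address="${jboss.bind.address}"
  scheme="https" secure="true" clientAuth="false"
  keystoreFile="${jboss.server.home.dir}/deploy/1vc.sar/voyence-ssl.keystore" />
</Server>'''
STANDARD = '<Server><Connector protocol="HTTP/1.1" SSLEnabled="true"\n  ' + _TAIL
AMENDED = ('<Server><Connector protocol="HTTP/1.1" SSLEnabled="true" '
           'protocols="TLSv1.1,TLSv1.2,SSLv3"\n  ' + _TAIL)

if __name__ == "__main__":
    for name, xml_text in (("standard", STANDARD), ("amended", AMENDED)):
        for port, enabled, findings in audit_connectors(xml_text):
            print(name, port, enabled or "(unset)", findings or "ok")
```

To audit a real installation, pass the contents of the server.xml file from the location above to audit_connectors() instead of the constructed samples.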

Also, on the client accessing the NCM application, carry out the following steps:

Open Control Panel.

Open the Java Console.

Click on the Advanced tab and expand Security - General.

Disable TLSv1.0 and SSLv2 protocols.



Additional Information

This change can be made in conjunction with the following KB article for further security hardening:

VoyenceControl: How can I change the NULL-MD5 cipher used for the JBoss SSL service running on port 8880?