Smarts NCM: How to Limit the Version of TLS Used in Smarts NCM; How to limit the TLS versions supported to 1.1 and 1.2

Article ID: 331171

Products

VMware Smart Assurance

Issue/Introduction

Symptoms:


Certain versions of TLS pose a security issue.

Older versions of the TLS protocol, such as TLSv1.0, can be susceptible to attacks such as BEAST.

Environment

VMware Smart Assurance - NCM

Resolution

The following changes can be made to enable the TLSv1.1, TLSv1.2 and SSLv3 protocols for the handshake.

Smarts NCM deployment Application Server side:

Browse to the following location: $VOYENCE_HOME/jboss/server/vc-server/deploy/jbossweb.sar

From this location, open the following file to edit: server.xml

Make the following changes:

Standard Configuration:
 <!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
      <Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8880" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/deploy/1vc.sar/voyence-ssl.keystore"
 
Amended Configuration (the change is the added protocols attribute):

 <!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
      <Connector protocol="HTTP/1.1" SSLEnabled="true" protocols="TLSv1.1,TLSv1.2,SSLv3"
           port="8880" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/deploy/1vc.sar/voyence-ssl.keystore"
 
 
Next, restart jboss: service jboss restart
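A check that can be run against server.xml after the edit, to confirm which HTTPS connectors carry a protocols list and whether that list stays within the TLS 1.1/1.2 goal named in the title. This is an added example, not VMware's code; the allowed set, the names audit_connectors and _sample, and the sample documents (including the plain port 8080 connector) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Target set taken from the article title; treating every other protocol as
# unexpected is an assumption of this example.
ALLOWED = {"TLSv1.1", "TLSv1.2"}

def audit_connectors(server_xml_text, allowed=ALLOWED):
    """Return one finding per SSL-enabled <Connector> found in server.xml text."""
    findings = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # non-TLS connectors carry no protocol list to audit
        raw = conn.get("protocols")
        if raw is None:
            # As in the standard configuration: server.xml does not restrict versions.
            status, unexpected = "unrestricted", []
        else:
            listed = [p.strip() for p in raw.split(",") if p.strip()]
            unexpected = sorted(p for p in listed if p not in allowed)
            status = "extra-protocols-listed" if unexpected else "restricted"
        findings.append({"port": conn.get("port"), "status": status,
                         "unexpected": unexpected})
    return findings

# Constructed sample documents: the article's connector excerpt, closed with "/>"
# and wrapped in a minimal <Server>/<Service> so it parses as standalone XML.
def _sample(protocols_attr):
    return f"""<Server><Service name="jboss.web">
      <Connector protocol="HTTP/1.1" port="8080" address="${{jboss.bind.address}}"/>
      <Connector protocol="HTTP/1.1" SSLEnabled="true" {protocols_attr}
           port="8880" address="${{jboss.bind.address}}"
           scheme="https" secure="true" clientAuth="false"/>
    </Service></Server>"""

STANDARD = _sample("")
AMENDED = _sample('protocols="TLSv1.1,TLSv1.2,SSLv3"')
TITLE_ONLY = _sample('protocols="TLSv1.1,TLSv1.2"')

if __name__ == "__main__":
    for name, doc in [("standard", STANDARD), ("amended", AMENDED),
                      ("title-only", TITLE_ONLY)]:
        print(name, audit_connectors(doc))
```

Run against the amended configuration shown above, it reports SSLv3 as outside the TLS 1.1/1.2 set named in the title.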
 

 
Client Side changes to make:
 
On the client accessing the NCM application, carry out the following steps:

Open Control Panel.

Open the Java Console.

Click on the Advanced tab and expand Security - General.

Disable the TLSv1.0 and SSLv2 protocols.

Additional Information

This change can be made in conjunction with the following KB Article (How can I change the NULL-MD5 cipher used for the JBoss SSL service running on port 8880?) for further security hardening:

VoyenceControl: How can I change the NULL-MD5 cipher used for the JBoss SSL service running on port 8880?