Limiting SSL ciphers/algorithms used with the AWI
Article ID: 380308

Products

CA Automic Workload Automation - Automation Engine
CA Automic One Automation

Issue/Introduction

Is there a way to limit ciphers for the AWI Jetty launcher with something like:

jdk.tls.client.cipherSuites=

or disable some with

jdk.tls.disabledAlgorithms=

in the start command? Is there a config file that can do this?

Resolution

The weak protocols and ciphers can be disabled by adding them to the jdk.tls.disabledAlgorithms property in the JRE's java.security file, for example:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, \
    TLS_RSA_WITH_AES_256_GCM_SHA384, \
    TLS_RSA_WITH_AES_128_GCM_SHA256, \
    TLS_RSA_WITH_AES_256_CBC_SHA256, \
    TLS_RSA_WITH_AES_128_CBC_SHA256, \
    TLS_RSA_WITH_AES_256_CBC_SHA, \
    TLS_RSA_WITH_AES_128_CBC_SHA, \
    include jdk.disabled.namedCurves

Once this change is done and the AWI is restarted, the advanced debug output (as described in the Additional Information section) will show the limited set of algorithms/ciphers in use:

javax.net.ssl|DEBUG|28|Thread-2|2024-10-22 13:15:34.630 CDT|SSLCipher.java:464|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|28|Thread-2|2024-10-22 13:15:34.630 CDT|SSLCipher.java:464|jdk.tls.keyLimits:  entry =  ChaCha20-Poly1305 KeyUpdate 2^37. CHACHA20-POLY1305:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|30|qtp1668784787-48|2024-10-22 13:15:34.771 CDT|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384 for TLSv1.2
javax.net.ssl|DEBUG|30|qtp1668784787-48|2024-10-22 13:15:34.771 CDT|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256 for TLSv1.2
javax.net.ssl|DEBUG|30|qtp1668784787-48|2024-10-22 13:15:34.771 CDT|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256 for TLSv1.2

If the java.security file cannot be modified (permission denied) and the option security.overridePropertiesFile=true is set within that file, the same property can instead be placed in a separate properties file. In this example the file is called overwrite.security, located in the folder C:\Automic\WebInterface, with the following content:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, \
    TLS_RSA_WITH_AES_256_GCM_SHA384, \
    TLS_RSA_WITH_AES_128_GCM_SHA256, \
    TLS_RSA_WITH_AES_256_CBC_SHA256, \
    TLS_RSA_WITH_AES_128_CBC_SHA256, \
    TLS_RSA_WITH_AES_256_CBC_SHA, \
    TLS_RSA_WITH_AES_128_CBC_SHA, \
    include jdk.disabled.namedCurves


The AWI start command then looks like this:

java -Xmx2G -jar -Djava.security.properties=C:\automic\WebInterface\overwrite.security aa-webui-launcher.jar

Additional Information

You can view which ciphers are being used for SSL handshakes from the Windows command line by using a start command from the Jetty AWI /bin directory like:

java -Djavax.net.debug=ssl:handshake:verbose -jar aa-webui-launcher.jar

The output will show the ciphers that are used.
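The same verification can be done without reading handshake logs. The following Java check is an added example, not part of this article or of the AWI itself: it loads the override file given as its argument, builds the default SSLEngine under the JRE's effective security properties, and reports any protocol or cipher suite named in the file that is still enabled. It assumes Java 11 or later (single-file source launch) and uses the overwrite.security path from this article.

```java
import java.io.FileInputStream;
import java.security.Security;
import java.util.HashSet;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class TlsPolicyCheck {
    public static void main(String[] args) throws Exception {
        // args[0]: the override file, e.g. C:\Automic\WebInterface\overwrite.security
        Properties policy = new Properties();
        try (FileInputStream in = new FileInputStream(args[0])) {
            policy.load(in); // Properties handles the trailing-backslash continuation lines
        }
        String expected = policy.getProperty("jdk.tls.disabledAlgorithms", "");
        String effective = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("effective jdk.tls.disabledAlgorithms = " + effective);
        // Single-word entries only: suite names, protocol names and keywords such as RC4,
        // NULL or anon. Constraints ("DH keySize < 1024") and "include ..." are left to JSSE.
        Set<String> banned = new HashSet<>();
        for (String entry : expected.split(",")) {
            String name = entry.trim();
            if (!name.isEmpty() && !name.contains(" ")) banned.add(name.toLowerCase(Locale.ROOT));
        }
        // The default SSLContext is built from the same properties the Jetty launcher sees
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        int violations = 0;
        for (String proto : engine.getEnabledProtocols()) {
            boolean hit = banned.contains(proto.toLowerCase(Locale.ROOT));
            System.out.println((hit ? "STILL ENABLED protocol: " : "protocol: ") + proto);
            if (hit) violations++;
        }
        for (String suite : engine.getEnabledCipherSuites()) {
            // Flag a suite listed by full name, or whose components (split on '_')
            // contain a banned keyword, e.g. RC4 in TLS_RSA_WITH_RC4_128_SHA
            boolean hit = banned.contains(suite.toLowerCase(Locale.ROOT));
            for (String part : suite.split("_")) {
                if (banned.contains(part.toLowerCase(Locale.ROOT))) hit = true;
            }
            System.out.println((hit ? "STILL ENABLED suite: " : "suite: ") + suite);
            if (hit) violations++;
        }
        System.out.println(violations == 0 ? "Policy applied." : violations + " violation(s)");
        System.exit(violations == 0 ? 0 : 1);
    }
}
```

Run it with the same JRE the AWI launcher uses, passing the override both ways, e.g. java -Djava.security.properties=C:\Automic\WebInterface\overwrite.security TlsPolicyCheck.java C:\Automic\WebInterface\overwrite.security; a non-zero exit code means the JRE did not apply the file (typically security.overridePropertiesFile is false in its java.security).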

The ciphers used by the JCP can be limited using a similar method, outlined in the article JCP log file indicates the use of weak ciphers.