How to verify TDM Portal is using the appropriate TCPS port, protocol, and approved ciphers when making a secure connection to Oracle
Article ID: 415903

Products

CA Test Data Manager (Data Finder / Grid Tools)

Issue/Introduction

We are using TDM Portal version 4.11.2028.0. What are the configuration and log files needed to verify that TDM Portal is making the proper TCPS connectivity/connection profiles to the Oracle server, and using the correct port, a TLS 1.2 or above protocol, and approved cipher suites?

Environment

TDM Portal 4.11.x

Resolution

For more information on configuring your Oracle connection profiles to use TCPS in TDM, please refer to the following documentation: Oracle TCPS Authentication. You need to work with your DBA, and possibly your security team, to first have the Oracle server configured for TCPS, and then import the certificates used by the Oracle server into the truststore or keystore file used by the TDM Portal/FDM server.

If you know this was already done, check the connection profiles used by the TDM applications to verify that they are configured to communicate over the correct listener port for your Oracle data sources.

By default, the JVMs (Java Virtual Machines) used by both TDM Portal and FDM have the older protocols disabled. You can verify this by looking inside the following files:

  • C:\Program Files\CA\CA Test Data Manager\jre\conf\security\java.security
  • C:\Program Files\Grid-Tools\FastDataMasker\jre\conf\security\java.security

Starting at line 729, the jdk.tls.disabledAlgorithms property lists the lower-level protocols and algorithms that Java has disabled:

  • TDM Portal:
    • jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, TLSv1.0, RC4, DES, \
          MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
          ECDH

  • FDM:
    • jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
          DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL

  • Note: these are the disabled algorithms, so TLSv1.3 and TLSv1.2 are not listed here.

Starting in TDM 4.11, TDM Portal attempts to establish a secure connection using TLSv1.3 first and falls back to TLSv1.2 if required. This can be confirmed in the TDM Portal's Tomcat web service configuration, found in the C:\Program Files\CA\CA Test Data Manager Portal\tomcat\conf\server.xml file (starting at line 40):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" certificateVerification="none" SSLEnabled="true" scheme="https" secure="true" continueResponseTiming="onRead" compression="on" compressionMinSize="1024" noCompressionUserAgents="gozilla, traviata" compressableMimeType="application/json,application/xml,text/html,text/xml,text/plain,application/javascript,text/css,image/jpeg" connectionTimeout="60000" maxHttpHeaderSize="3000000">
    <SSLHostConfig disableSessionTickets="true" protocols="TLSv1.3, TLSv1.2" honorCipherOrder="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256">
        <Certificate certificateKeystoreFile="${tdmweb.keystorePath}" certificateKeystorePassword="${tdmweb.keystorePassword}" certificateKeyAlias="${tdmweb.keyAlias}" type="RSA"/>
    </SSLHostConfig>
</Connector>
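As an added example (not from this article or the TDM product), the following Python checker applies the two verification points above to a java.security excerpt and a server.xml Connector; both inputs are constructed samples, the server.xml one deliberately weakened so that a finding is reported, and on a real host you would read the two files named above instead.

```python
"""Added check: flag legacy TLS protocols and unapproved ciphers in TDM Portal's
java.security and Tomcat server.xml. Inputs below are constructed samples."""
import re
import xml.etree.ElementTree as ET

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}   # must be in jdk.tls.disabledAlgorithms
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}         # only these may appear in SSLHostConfig
APPROVED_CIPHERS = {                                # the suites in the shipped TDM server.xml
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Constructed java.security excerpt; continuation lines end in a backslash as in the real file.
JAVA_SECURITY = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

# Constructed server.xml Connector, deliberately weakened so the checker reports findings.
SERVER_XML = """\
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig protocols="TLSv1.3, TLSv1.2, TLSv1.1" honorCipherOrder="true"
      ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA"/>
</Connector>
"""

def split_list(value):
    """Split a comma-separated property or attribute value into a set of entries."""
    return {item.strip() for item in value.split(",") if item.strip()}

def disabled_algorithms(java_security_text):
    """Entries of jdk.tls.disabledAlgorithms, with backslash-continued lines joined."""
    joined = re.sub(r"\\\n\s*", "", java_security_text)
    match = re.search(r"^jdk\.tls\.disabledAlgorithms=(.*)$", joined, re.M)
    return split_list(match.group(1)) if match else set()

def jvm_legacy_still_enabled(java_security_text):
    """Legacy protocols the JVM has NOT disabled (an empty set means compliant)."""
    return LEGACY_PROTOCOLS - disabled_algorithms(java_security_text)

def tomcat_findings(server_xml_text, approved=APPROVED_CIPHERS):
    """Protocols and ciphers in each SSLHostConfig that fall outside the allowed sets."""
    findings = []
    for host in ET.fromstring(server_xml_text).iter("SSLHostConfig"):
        for proto in sorted(split_list(host.get("protocols", "all")) - ALLOWED_PROTOCOLS):  # absent => "all"
            findings.append(f"protocol not allowed: {proto}")
        for suite in sorted(split_list(host.get("ciphers", "")) - approved):
            findings.append(f"cipher not approved: {suite}")
    return findings
```

Note that the SSLHostConfig shown configures Tomcat's inbound HTTPS listener on port 8443; the outbound JDBC connection to Oracle is constrained by the JVM-level jdk.tls.disabledAlgorithms setting (and the JDBC driver's own TLS properties).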

As for logs, it depends on what you are using TDM to do.

If you are using TDM Portal/FDM for masking:

  • For FDM, check the FDM job log. This will provide the Oracle connection URL used to establish the connection to the Oracle tables.
  • For TDM Portal, check the %ProgramData%\CA\CA Test Data Manager Portal\logs\TDMMaskingService.<hostname>.log file. This will also show the URL used to establish the connection to the Oracle data source.
  • Note: you may need to run TDM Portal or the FDM job in debug mode if more information is needed.

If you are using TDM Portal to publish generated data to an Oracle table, check the %ProgramData%\CA\CA Test Data Manager Portal\logs\TDMPublish.log file. This should also show the URL used to establish the connection to the Oracle database.

NOTE: if you modify the protocols or ciphers used by the Apache Tomcat web service in the server.xml file, the CA Test Data Manager Portal service will need to be restarted. Also, future upgrades and patches will overwrite the server.xml file, so it is highly recommended that you keep regular backups of the modified file, in case you need to compare the previously backed-up file with the new server.xml after upgrading.