We are able to successfully connect to JMX on Management Servers (NAC) and Execution Servers (NES) using TLS1 and TLS1.1. How can these protocols be disabled?
Release : 6.6
Component : CA RELEASE AUTOMATION CORE
The NAC and NES are Tomcat webapps, and Tomcat can be configured to restrict the protocols and ciphers its connectors accept. The JMX listener, however, is not a webapp and does not pick up those Tomcat settings. JMX is configured through the distributed.properties file; on the NAC and NES the available settings cover enabling/disabling JMX, the port, and enabling/disabling SSL.
Note: The agent has no configuration setting for enabling/disabling SSL on JMX. It only has a setting for enabling/disabling JMX.
These JMX settings on the NAC and NES do not include any option for choosing which protocols and ciphers are allowed. The product does not force anything here: the MX4J library that provides the JMX listener decides which protocols to offer, and it in turn follows the security properties of the JVM it runs in (the java.security file of the bundled JRE). So the protocols can be restricted, just not through the product's own configuration; the change is made at the JVM level as described below.
Create a backup copy of the <RA_HOME>/jre/lib/security/java.security file.
The property that controls this is jdk.tls.disabledAlgorithms.
Its default value (on Nolio RA 6.6.0.b9640 installs) is:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC, RC4_40
To disable TLSv1 and TLSv1.1, add them to this list as follows (the trailing backslash continues the value on the next line, exactly as in the default):
jdk.tls.disabledAlgorithms=TLSv1, TLSv1.1, SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC, RC4_40
After this change has been made, stop and start the service (NAC and/or NES) on each server where the change was made; the JVM reads java.security only at startup. Keep a record of the edit: if a later upgrade or patch replaces the bundled <RA_HOME>/jre, the java.security file is replaced with it and the change has to be reapplied.
After the change above has been made and the NAC|NES service has been restarted, confirm that TLSv1 and TLSv1.1 are no longer accepted on the JMX port with these commands:
openssl s_client -connect <nac|nes servername>:20203 -tls1
openssl s_client -connect <nac|nes servername>:20203 -tls1_1
Both should now fail during the handshake (openssl reports a handshake error and prints no server certificate). To confirm that TLSv1.2 is still enabled, use this command:
openssl s_client -connect <nac|nes servername>:20203 -tls1_2
This one should complete, printing the server certificate chain and "Protocol  : TLSv1.2" in the session summary. Note that recent OpenSSL builds may refuse TLSv1 and TLSv1.1 on the client side regardless of what the server offers; run the first two checks from a host whose openssl still supports those versions (or try them against an unmodified server first) so that a failure is actually attributable to the server.