The Security Team has determined that the RA Management Server is using old versions of SSH and TLS protocols through Tomcat. How can we disable the TLS v1.x protocols?
Release: 6.x
Component: RAROC
Version 6.7.6 and later:
The information for versions earlier than 6.7.6 still applies. However, the structure of the Connector XML (inside server.xml) has changed slightly. In 6.7.6, the protocols used are specified in the protocols attribute of the SSLHostConfig element.
Versions earlier than 6.7.6:
By default we run Tomcat with "TLSv1.2,TLSv1.1,TLSv1".
You can disable the protocols you do not need in the server.xml file located in the RA_HOME\conf directory.
Search for the following connector on port 8443:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
compression="on"
compressionMinSize="102400"
compressableMimeType="application/x-java-serialized-object"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="false"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
keyAlias="nolioserver"
keystoreFile="conf/nolio.jks"
keystorePass="n0L10~28307"
maxSwallowSize="-1">
</Connector>
If you want to force Tomcat to use only TLSv1.2, change the enabled protocols to:
sslEnabledProtocols="TLSv1.2"
Then restart the RA service.
You have to do this on both the NAC and the NES.