Shravani.G N
AppDynamics Team

Configuring the on-premises Controller to use stronger Key Exchanges

You may want to change the SSL/TLS configuration of the on-premises Controller to allow only strong key exchanges. This can be done by defining a minimum key size for Diffie-Hellman key exchanges.

Here is the procedure: 

If Controller Version < 23.11:

  1. Take a backup of the file <controller_home>/appserver/glassfish/domains/domain1/config/domain.xml and make the following change:

    FROM -
      <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>

    CHANGE TO -
      <jvm-options>-Djdk.tls.ephemeralDHKeySize=preferred_key_size</jvm-options>
      <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>

    EXAMPLE -
      <jvm-options>-Djdk.tls.ephemeralDHKeySize=2048</jvm-options>
      <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>

  2. Take a backup of <jre_used_by_the_controller>/lib/security/java.security and make the following change:

    FROM -
      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
      DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
      include jdk.disabled.namedCurves

    CHANGE TO -
      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
      DH keySize < preferred_key_size, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
      include jdk.disabled.namedCurves

    EXAMPLE -
      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
      DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
      include jdk.disabled.namedCurves

  3. Restart the Controller Appserver for the change to take effect.

    NOTE | This step involves Controller downtime.

  4. Rediscover the Controller back to EC.


If Controller Version >= 23.11:

  1. Take a backup of <jre_used_by_the_controller>/lib/security/java.security and make the following change:

    FROM -
      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
      DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
      include jdk.disabled.namedCurves

    CHANGE TO -
      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
      DH keySize < preferred_key_size, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
      include jdk.disabled.namedCurves

    EXAMPLE -
      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
      DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
      include jdk.disabled.namedCurves

  2. Access the Enterprise Console GUI and log in.
  3. Select the Platform.
  4. Go to the Configurations Tab.
  5. Click on Controller Settings > Appserver Configurations > JVM Options.
  6. Go to the section JVM Config, and add the following JVM Argument:
    • -Djdk.tls.ephemeralDHKeySize=preferred_key_size
    • EXAMPLE:
      • -Djdk.tls.ephemeralDHKeySize=2048
  7. Click on Save at the bottom of the screen.

    NOTE | This step involves Controller downtime.
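
A check for the two settings that both procedures above change, added here as an example and not code from AppDynamics: it reads the java.security text and the JVM options text and lists any setting below the wanted DH size. The sample inputs are constructed, the function names are hypothetical, and only the `<` form of the DH constraint is handled.

```python
import re

# Constructed samples mirroring the EXAMPLE values in the procedure above.
SAMPLE_JAVA_SECURITY = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    include jdk.disabled.namedCurves
"""
SAMPLE_JVM_OPTIONS = """\
<jvm-options>-Djdk.tls.ephemeralDHKeySize=2048</jvm-options>
<jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>
"""

def read_property(text, key):
    """Value of a properties key; a line continues only if it ends in an odd number of backslashes."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and line.startswith(("#", "!")):
            continue  # comment line
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            buf += line[:-1]  # drop the backslash and join with the next line
            continue
        entries.append(buf + line)
        buf = ""
    value = None
    for entry in entries:
        name, sep, rest = entry.partition("=")
        if sep and name.strip() == key:
            value = rest.strip()  # a later definition overrides an earlier one
    return value

def dh_floor(disabled_algorithms):
    """N from a 'DH keySize < N' constraint, or None when there is none."""
    m = re.search(r"(?:^|,)\s*DH\s+keySize\s*<\s*(\d+)", disabled_algorithms or "")
    return int(m.group(1)) if m else None

def check(java_security_text, jvm_options_text, wanted=2048):
    """Return a list of findings; an empty list means both settings meet `wanted`."""
    findings = []
    floor = dh_floor(read_property(java_security_text, "jdk.tls.disabledAlgorithms"))
    if floor is None or floor < wanted:
        findings.append(f"java.security: DH keySize floor is {floor}, want {wanted}")
    found = re.findall(r"-Djdk\.tls\.ephemeralDHKeySize=(\w+)", jvm_options_text)
    size = found[-1] if found else None
    if size is None or not size.isdigit() or int(size) < wanted:
        findings.append(f"JVM options: ephemeralDHKeySize is {size}, want {wanted}")
    return findings
```

Pass the contents of the real java.security file and of domain.xml (or the JVM arguments saved in the Enterprise Console) to `check()`. A space left after a continuation backslash ends the property at that line, so the `DH keySize` entry on the next line is not read and the check reports the floor as missing.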

Last update: 06-11-2024 01:41 AM