Help
Not a customer? Start a free trial

Not a customer? Click the 'Start a free trial' link to begin a 30-day SaaS trial of our product and to join our community.

Existing Cisco AppDynamics customers should click the 'Sign In' button to authenticate to access the community

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How do I mitigate weak SSL/TLS key exchanges for the on-prem Controller? 

Shravani.G N
AppDynamics Team

‎06-30-2023 06:27 PM - edited ‎06-11-2024 01:41 AM

Configuring the on-premises Controller to use stronger Key Exchanges

You may want to change the SSL/TLS configuration of the on-premises Controller to allow only strong key exchanges. This can be done by defining a minimum key size for Diffie Hellman Key Exchanges. 

Here is the procedure: 

If Controller Version < 23.11:

  1. Take a backup of the file, <controller_home>/appserver/glassfish/domains/domain1/config/domain.xml and make the following change: 
    FROM -
    § <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>

    CHANGE TO -

    § <jvm-options>-Djdk.tls.ephemeralDHKeySize=prefered_key_size</jvm-options> 
§ <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>

    EXAMPLE - 

    § <jvm-options>-Djdk.tls.ephemeralDHKeySize=2048</jvm-options> 
§ <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>

  2. Take a backup of <jre_used_by_the_controller>/lib/security/java.security and make the following change: 
    FROM -
    § jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ 
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ 
include jdk.disabled.namedCurves
    CHANGE TO -
    § jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ 
DH keySize < prefered_key_size, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ 
include jdk.disabled.namedCurves
    EXAMPLE -
    § jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ 
DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ 
include jdk.disabled.namedCurves

  3. Restart the Controller Appserver for the change to take effect.

NOTE | This step involves Controller downtime. 

  1. Rediscover the Controller back to EC. 


If Controller Version >= 23.11

  1. Take a backup of <jre_used_by_the_controller>/lib/security/java.security and make the following change: 
    FROM -
    § jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ 
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ 
include jdk.disabled.namedCurves

    CHANGE TO -
    § jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ 
DH keySize < prefered_key_size, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ 
include jdk.disabled.namedCurves

    EXAMPLE -
    § jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ 
DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ 
include jdk.disabled.namedCurves
  2. Access the Enterprise Console GUI. Login.
  3. Select the Platform.
  4. Go to the Configurations Tab.
  5. Click on Controller Settings > Appserver Configurations > JVM Options.
  6. Go to the section JVM Config, and add the following JVM Argument: 
    • -Djdk.tls.ephemeralDHKeySize=prefered_key_size
    • EXAMPLE:  
      • -Djdk.tls.ephemeralDHKeySize=2048
  7. Click on Save at the bottom of the screen.
               NOTE | This step involves Controller downtime. 
Version history
Last update:
‎06-11-2024 01:41 AM
Updated by:
On-Demand Webinar
Discover new Splunk integrations and AI innovations for Cisco AppDynamics.

Register Now!
Observe and Explore
Dive into our Community Blog for the Latest Insights and Updates!

Read the blog here

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form

By clicking subscribe, I have read and understood the Privacy Policy and Terms of Use.
Platform
Solutions
Learn

Company
Support