Shravani.G N
AppDynamics Team

Configuring the on-premises Controller to use stronger Key Exchanges

You may want to change the SSL/TLS configuration of the on-premises Controller so that it allows only strong key exchanges. You do this by defining a minimum key size for Diffie-Hellman key exchanges.

Here is the procedure: 

  1. Take a backup of the file <controller_home>/appserver/glassfish/domains/domain1/config/domain.xml and make the following change:

    FROM -

    <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>

    CHANGE TO -

    <jvm-options>-Djdk.tls.ephemeralDHKeySize=preferred_key_size</jvm-options>
    <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>

    EXAMPLE -

    <jvm-options>-Djdk.tls.ephemeralDHKeySize=2048</jvm-options>
    <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>

  2. Take a backup of <jre_used_by_the_controller>/lib/security/java.security and make the following change:

    FROM -

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
        include jdk.disabled.namedCurves

    CHANGE TO -

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        DH keySize < preferred_key_size, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
        include jdk.disabled.namedCurves

    EXAMPLE -

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
        include jdk.disabled.namedCurves

  3. Restart the Controller Appserver for the change to take effect.

NOTE: This step involves Controller downtime.

  4. Rediscover the Controller in the Enterprise Console (EC).
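
An added check, not part of the original article or of AppDynamics tooling: a Python script that audits the two edited files for the 2048-bit floor used in the examples above. The function names are illustrative and the sample file contents are constructed. It follows java.util.Properties in treating a backslash as a line continuation only when it is the last character on the line, so a stray trailing space after the backslash in java.security shows up as a missing DH constraint.

```python
import re
import xml.etree.ElementTree as ET

def load_property(text, key):
    """Value of `key`; a line continues only if '\\' is its very last character."""
    value, buf, cont = None, "", False
    for raw in text.splitlines():
        line = raw.lstrip() if cont else raw   # continuation lines lose their indent
        cont = line.endswith("\\")
        buf += line[:-1] if cont else line
        if cont:
            continue
        k, sep, v = buf.strip().partition("=")
        if sep and not k.startswith("#") and k.strip() == key:
            value = v.strip()                  # last definition wins
        buf = ""
    return value

def dh_floor(disabled):
    """N from a 'DH keySize < N' constraint (the form the article uses), else None."""
    m = re.search(r"\bDH\s+keySize\s*<\s*(\d+)", disabled or "")
    return int(m.group(1)) if m else None

def ephemeral_dh_size(domain_xml):
    for opt in ET.fromstring(domain_xml).iter("jvm-options"):
        m = re.fullmatch(r"-Djdk\.tls\.ephemeralDHKeySize=(\d+)", (opt.text or "").strip())
        if m:
            return int(m.group(1))
    return None

def audit(domain_xml, java_security, minimum=2048):
    findings = []
    size = ephemeral_dh_size(domain_xml)
    if size is None or size < minimum:
        findings.append(f"domain.xml: ephemeralDHKeySize is {size}, want >= {minimum}")
    floor = dh_floor(load_property(java_security, "jdk.tls.disabledAlgorithms"))
    if floor is None or floor < minimum:
        findings.append(f"java.security: DH keySize floor is {floor}, want >= {minimum}")
    return findings

# Constructed samples modelled on the article's EXAMPLE snippets.
DOMAIN_XML = """<java-config>
  <jvm-options>-Djdk.tls.ephemeralDHKeySize=2048</jvm-options>
  <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>
</java-config>"""
GOOD = ("jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\\n"
        "    DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\\n"
        "    include jdk.disabled.namedCurves\n")
BAD = GOOD.replace("MD5withRSA, \\\n", "MD5withRSA, \\ \n")  # space after the backslash
```

To audit a real installation, read domain.xml and java.security from the paths in steps 1 and 2 and pass their contents to `audit()`; an empty list means both settings meet the minimum.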

Last update: 07-03-2023 10:23 AM