Not a customer? Click the 'Start a free trial' link to begin a 30-day SaaS trial of our product and to join our community.
Existing Cisco AppDynamics customers should click the 'Sign In' button to authenticate to access the community
06-30-2023 06:27 PM - edited 06-11-2024 01:41 AM
You may want to change the SSL/TLS configuration of the on-premises Controller to allow only strong key exchanges. This can be done by defining a minimum key size for Diffie Hellman Key Exchanges.
Here is the procedure:
If Controller Version < 23.11:
<controller_home>/appserver/glassfish/domains/domain1/config/domain.xml
and make the following change: § <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>
CHANGE TO -
§ <jvm-options>-Djdk.tls.ephemeralDHKeySize=prefered_key_size</jvm-options>
§ <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>
EXAMPLE -
§ <jvm-options>-Djdk.tls.ephemeralDHKeySize=2048</jvm-options>
§ <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>
<jre_used_by_the_controller>/lib/security/java.security
and make the following change: § jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
CHANGE TO -§ jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < prefered_key_size, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
EXAMPLE -§ jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
Restart the Controller Appserver for the change to take effect.
NOTE | This step involves Controller downtime.
Rediscover the Controller back to EC.
If Controller Version >= 23.11
<jre_used_by_the_controller>/lib/security/java.security
and make the following change: § jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
§ jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < prefered_key_size, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
§ jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
-Djdk.tls.ephemeralDHKeySize=prefered_key_size
-Djdk.tls.ephemeralDHKeySize=2048
Thank you! Your submission has been received!
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form