Saradhi.Potharaju
AppDynamics Team (Retired)

What are the steps for disabling TLS versions 1.0 and 1.1 on the on-premises Controller?

In this article...
Disable TLS 1.0 and 1.1  |  Test the Controller after disabling TLS 1.0 and 1.1

Disable TLS 1.0 and 1.1 

  1. Stop the appserver
    <controller_home>/bin/controller.sh stop-appserver
  2. Take a backup of <controller_home>/appserver/glassfish/domains/domain1/config/domain.xml

  3. Locate the "ssl" element in domain.xml
    <ssl ssl3-tls-ciphers="...." ssl3-enabled="false" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as" tls-enabled="false"></ssl>

    To disable TLS 1.0

    Set the attribute tls-enabled="false"

    NOTE | This attribute may already exist and be set to "false" by default. If it is set to "true", change it to "false" to disable TLS 1.0.

    To disable TLS 1.1

    Add the attribute tls11-enabled="false" after the tls-enabled="false" attribute, separating the two attributes with a space.

    To enable TLS 1.2 explicitly

    TLS 1.2 stays enabled by default after the two changes above. If you want domain.xml to state it anyway, add the attribute tls12-enabled="true", again separated from the previous attribute by a space.

  4. After making the above changes, the ssl element looks like:
    <ssl ssl3-tls-ciphers="...." ssl3-enabled="false" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as" tls-enabled="false" tls11-enabled="false" tls12-enabled="true"></ssl>

STEP 4 NOTES 

  • Do not change any attributes other than tls-enabled, tls11-enabled and tls12-enabled.
  • The cipher list attribute (ssl3-tls-ciphers="....") is shown with ellipses (....) because the list is long and it is not to be changed. The actual domain.xml contains the full list of ciphers; leave it exactly as it is.

  5. Start the appserver
    <controller_home>/bin/controller.sh start-appserver

STEP 5 NOTE | Allow a few minutes for the appserver to start.
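The edit in steps 2 to 4, scripted as an added example (this is not AppDynamics' own tooling and not code from the article). It takes the step 2 backup, changes only the three TLS flags on the ssl element, and then checks that the element ended up in the step 4 state. It assumes the <ssl ...> element sits on a single line, as it does in a stock domain.xml, and already carries a tls-enabled attribute; the path to domain.xml is yours to supply, and the --demo mode works on a constructed fragment rather than a real file.

```sh
#!/bin/sh
# Added example, not AppDynamics' tooling: script steps 2 to 4 against domain.xml
# with a backup and a post-edit check. Assumptions: the <ssl ...> element sits on
# one line (as in a stock domain.xml) and already has a tls-enabled attribute.
set -eu

backup_domain_xml() {
  # Step 2: keep a timestamped copy next to the file before touching it.
  cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

disable_old_tls() {
  # Steps 3 and 4: edit only the line holding the <ssl> element.
  #   - force tls-enabled="false"             (TLS 1.0 off)
  #   - drop any stale tls11/tls12 flags       (keeps the edit idempotent)
  #   - add tls11-enabled="false" tls12-enabled="true" right after tls-enabled
  # Every pattern starts with a space so it matches whole attribute names only;
  # ssl3-tls-ciphers and the other attributes are not touched.
  f="$1"
  sed '/<ssl /{
s/ tls-enabled="true"/ tls-enabled="false"/
s/ tls11-enabled="[^"]*"//
s/ tls12-enabled="[^"]*"//
s/ tls-enabled="false"/ tls-enabled="false" tls11-enabled="false" tls12-enabled="true"/
}' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

verify_ssl_element() {
  # Exit 0 only if the <ssl> element carries all three flags in the wanted state.
  grep -q '<ssl .*tls-enabled="false" tls11-enabled="false" tls12-enabled="true"' "$1"
}

ssl_line() {
  # Print the <ssl ...> line so the result can be eyeballed.
  grep '<ssl ' "$1"
}

case "${1:-}" in
  --demo)
    # Runs on a constructed fragment in the shape of domain.xml, not a real file.
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
<protocol security-enabled="true" name="http-listener-2">
  <http default-virtual-server="server"></http>
  <ssl ssl3-tls-ciphers="+TLS_RSA_WITH_AES_128_CBC_SHA" ssl3-enabled="false" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as" tls-enabled="true"></ssl>
</protocol>
EOF
    echo "before: $(ssl_line "$demo")"
    backup_domain_xml "$demo"
    disable_old_tls "$demo"
    echo "after:  $(ssl_line "$demo")"
    verify_ssl_element "$demo" && echo "OK: TLS 1.0 and 1.1 off, TLS 1.2 on"
    rm -f "$demo" "$demo".bak.*
    ;;
  "")
    : ;;   # run or sourced without arguments: only define the functions
  *)
    # Real use: point it at the Controller's domain.xml with the appserver stopped.
    backup_domain_xml "$1"
    disable_old_tls "$1"
    if verify_ssl_element "$1"; then
      ssl_line "$1"
    else
      echo "ssl element is not in the expected state; restore the backup" >&2
      exit 1
    fi
    ;;
esac
```

Run it as `sh harden-tls.sh --demo` to see the before/after lines, or `sh harden-tls.sh <controller_home>/appserver/glassfish/domains/domain1/config/domain.xml` for the real file. The verify step is the point: if the element never had a tls-enabled attribute, nothing is added and the script says so instead of leaving you with a silently unchanged listener.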

Test the Controller after disabling TLS 1.0 and 1.1

  6. To check which protocol versions the Controller now accepts, use OpenSSL to connect with each version forced. With TLS 1.0 and 1.1 disabled, the first two commands (-tls1 is TLS 1.0, -tls1_1 is TLS 1.1) fail with a "handshake failure" alert, and only the -tls1_2 connection completes.
    openssl s_client -connect <controller_host>:<controller_ssl_port> -tls1
    openssl s_client -connect <controller_host>:<controller_ssl_port> -tls1_1
    openssl s_client -connect <controller_host>:<controller_ssl_port> -tls1_2

STEP 6 NOTES 

  • <controller_ssl_port> is the port bound to "http-listener-2" in <controller_home>/appserver/glassfish/domains/domain1/config/domain.xml:
    <network-listener port="<PORT>" protocol="http-listener-2" transport="tcp" name="http-listener-2" thread-pool="http-thread-pool"></network-listener>

  • <controller_host> is the hostname of the server on which the Controller is installed.

  • If your local OpenSSL build refuses to offer TLS 1.0 or 1.1 on the client side (the error mentions "no protocols available" instead of a handshake alert from the server), the failure says nothing about the Controller; run the check from a host whose OpenSSL still supports those versions.
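The step 6 check wrapped into a small script, as an added example that is not part of the article: it runs openssl s_client once per version and classifies each outcome, so a rejection by the Controller is not confused with an OpenSSL client that cannot speak the version at all, or with a port that is not listening. The host and port are placeholders you pass on the command line; the message patterns matched are OpenSSL's own error strings.

```sh
#!/bin/sh
# Added example, not part of the original article: run the step 6 checks for all
# three versions and classify each result, separating "the Controller rejected it"
# from "my OpenSSL cannot even offer it" and "nothing answered on that port".
# The host and port are placeholders you pass on the command line.
set -u

classify_tls_result() {
  # $1: exit status of openssl s_client, $2: its combined stdout and stderr.
  # Prints one of: accepted | rejected | client-unsupported | unreachable
  status="$1"; out="$2"
  if [ "$status" -eq 0 ]; then
    # s_client completed the handshake and returned once stdin closed.
    echo accepted; return 0
  fi
  case "$out" in
    *"no protocols available"*|*"unknown option"*|*"Unrecognized flag"*)
      # The local OpenSSL refused to offer the version; says nothing about the server.
      echo client-unsupported ;;
    *"Connection refused"*|*"connect:errno"*|*"getaddrinfo"*)
      echo unreachable ;;
    *)
      # Typically "alert handshake failure", "alert protocol version" or
      # "unsupported protocol": the listener answered and declined the version.
      echo rejected ;;
  esac
}

probe_tls_version() {
  # $1 host, $2 port, $3 s_client version flag without the dash (tls1, tls1_1, tls1_2)
  out=$(openssl s_client -connect "$1:$2" -"$3" </dev/null 2>&1)
  status=$?
  classify_tls_result "$status" "$out"
}

probe_controller() {
  # Expected after the change: tls1 rejected, tls1_1 rejected, tls1_2 accepted.
  for v in tls1 tls1_1 tls1_2; do
    printf '%-7s %s\n' "$v" "$(probe_tls_version "$1" "$2" "$v")"
  done
}

if [ $# -eq 2 ]; then
  probe_controller "$1" "$2"   # e.g. sh probe-tls.sh controller.example.com 8181 (placeholders)
fi
```

Any line other than "rejected" for tls1 and tls1_1 needs attention: "accepted" means the domain.xml change did not take (or the appserver was not restarted), "client-unsupported" means you must rerun from a machine with an older OpenSSL, and "unreachable" means you have the wrong host or port. For tls1_2, "accepted" only confirms the version negotiated; the full s_client output still shows the cipher and certificate chain, which are worth reading while you are there.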
Comments
Claudia.Landivar
Community Manager

Hello, Everyone

The content change above is under step 3, "To disable TLS 1.1".
Other than that, I just reformatted the article, to make it (hopefully!) more scannable for you.

Claudia Landivar
Community Manager & Editor

Version history
Last update:
‎03-08-2023 09:24 PM