How to disable TLS 1.0 and TLS 1.1 on the AppDynamics Controller?

1) Stop appserver
<controller_home>/bin/controller.sh stop-appserver

2) Take a backup of <controller_home>/appserver/glassfish/domains/domain1/config/domain.xml

3) Locate the "ssl" element in domain.xml

<ssl ssl3-tls-ciphers="...." ssl3-enabled="false" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as" tls-enabled="false"></ssl>

* To disable TLS 1.0 - set the attribute tls-enabled="false" (this attribute may already be present and defaults to "false"; if it is set to "true", change it to "false" to disable TLS 1.0)

* To disable TLS 1.1 - add the attribute tls11-enabled="false" after the tls-enabled="false" attribute, with the two attributes separated by a space

* TLS 1.2 - remains enabled by default after the two settings above. If you want to state it explicitly in domain.xml, add the attribute tls12-enabled="true", separated by a space from the previous attribute

4) After making the above changes, the ssl element looks like:

 <ssl ssl3-tls-ciphers="...." ssl3-enabled="false" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as" tls-enabled="false" tls11-enabled="false" tls12-enabled="true"></ssl>

Note:

4.1) Do not change any attributes other than tls-enabled, tls11-enabled and tls12-enabled.

4.2) The ciphers="...." attribute is shown with an ellipsis (....) because the cipher list is long and must not be changed, so it is not reproduced above. The actual domain.xml contains the full list of ciphers; leave it as it is.

5) Start the appserver
<controller_home>/bin/controller.sh start-appserver

Note: Allow a few minutes for the appserver to start.

6) To verify which of TLS 1.0, TLS 1.1 and TLS 1.2 the controller now accepts, use openssl to test connectivity with each protocol pinned. For -tls1 (TLS 1.0) and -tls1_1 (TLS 1.1) the connection should fail with "handshake failure"; only -tls1_2 (TLS 1.2) should complete the handshake.

openssl s_client -connect <controller_host>:<controller_ssl_port> -tls1
openssl s_client -connect <controller_host>:<controller_ssl_port> -tls1_1
openssl s_client -connect <controller_host>:<controller_ssl_port> -tls1_2

Note:

6.1) The <controller_ssl_port> is the port tied to "http-listener-2" in <controller_home>/appserver/glassfish/domains/domain1/config/domain.xml
<network-listener port="<PORT>" protocol="http-listener-2" transport="tcp" name="http-listener-2" thread-pool="http-thread-pool"></network-listener>

6.2) <controller_host> is the hostname of the server on which controller is installed
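As an added example (not part of the original article or the AppDynamics product), the script below does two things a practitioner would want after steps 3 to 6: it parses the <ssl> element under "http-listener-2" in domain.xml and reports which protocol flags are explicitly set, so you can audit the file before and after the edit, and it includes a probe that pins a handshake to one TLS version against a running controller, the same check the openssl commands above perform. The domain.xml snippet and port 8181 are constructed sample data; the "http-listener-2" protocol name and the attribute names come from the article, while the XPath lookups, the defaults handling and the function names are this example's own assumptions.

```python
"""Audit the GlassFish <ssl> flags in domain.xml and probe a Controller per TLS version.

Added example; not AppDynamics code. Requires only the Python standard library.
"""
import socket
import ssl
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed domain.xml with the <ssl> element as it looks
# AFTER the article's edit. Port 8181 and the cipher value are made up.
SAMPLE_DOMAIN_XML = """<domain>
  <configs><config name="server-config">
    <network-config>
      <protocols>
        <protocol security-enabled="true" name="http-listener-2">
          <http default-virtual-server="server"/>
          <ssl ssl3-tls-ciphers="+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
               ssl3-enabled="false"
               classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl"
               cert-nickname="s1as"
               tls-enabled="false" tls11-enabled="false" tls12-enabled="true"/>
        </protocol>
      </protocols>
      <network-listeners>
        <network-listener port="8181" protocol="http-listener-2" transport="tcp"
                          name="http-listener-2" thread-pool="http-thread-pool"/>
      </network-listeners>
    </network-config>
  </config></configs>
</domain>"""

# The same file BEFORE the edit: tls11-enabled / tls12-enabled not yet added.
SAMPLE_BEFORE = SAMPLE_DOMAIN_XML.replace(' tls11-enabled="false" tls12-enabled="true"', "")

# domain.xml attribute -> human-readable protocol label.
FLAGS = {
    "ssl3-enabled": "SSLv3",
    "tls-enabled": "TLSv1.0",
    "tls11-enabled": "TLSv1.1",
    "tls12-enabled": "TLSv1.2",
}


def protocol_state(xml_text, protocol_name="http-listener-2"):
    """Return {label: True|False|None} for the <ssl> element under the named protocol.

    None means the attribute is absent, i.e. the server's own default applies;
    this checker deliberately does not guess that default.
    """
    root = ET.fromstring(xml_text)
    el = root.find(f".//protocol[@name='{protocol_name}']/ssl")
    if el is None:
        raise ValueError(f"no <ssl> element found for protocol {protocol_name!r}")
    state = {}
    for attr, label in FLAGS.items():
        raw = el.get(attr)
        state[label] = None if raw is None else raw.strip().lower() == "true"
    return state


def audit(xml_text, protocol_name="http-listener-2"):
    """List findings: legacy protocols not explicitly disabled, TLS 1.2 not explicitly on."""
    state = protocol_state(xml_text, protocol_name)
    findings = []
    for label in ("SSLv3", "TLSv1.0", "TLSv1.1"):
        if state[label] is not False:
            why = "attribute absent" if state[label] is None else "set to true"
            findings.append(f"{label} is not explicitly disabled ({why})")
    if state["TLSv1.2"] is not True:
        findings.append("TLSv1.2 is not explicitly enabled")
    return findings


def listener_port(xml_text, listener_name="http-listener-2"):
    """Port of the <network-listener> with the given name (the controller SSL port)."""
    nl = ET.fromstring(xml_text).find(f".//network-listener[@name='{listener_name}']")
    return None if nl is None else int(nl.get("port"))


def probe(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to exactly one TLS version; True if accepted.

    Needs a live controller. Certificate validation is switched off because the
    goal is only to learn which protocol versions the listener negotiates.
    Note: a local OpenSSL built with a high security level may itself refuse
    TLS 1.0/1.1, which also surfaces as an SSLError (False).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    print("before edit:", audit(SAMPLE_BEFORE) or "no findings")
    print("after edit: ", audit(SAMPLE_DOMAIN_XML) or "no findings")
    print("SSL port:   ", listener_port(SAMPLE_DOMAIN_XML))
    # Against a real controller (hypothetical host), expect False, False, True:
    # for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
    #     print(v, probe("controller.example", listener_port(SAMPLE_DOMAIN_XML), v))
```

To run against the real file, read <controller_home>/appserver/glassfish/domains/domain1/config/domain.xml into a string and pass it to audit() and listener_port(); an empty findings list matches the element shown in step 4.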

Version history: Revision 2 of 2. Last update: 09-14-2018 09:52 AM.