Configuring Software AG Runtime to Use SSL

I am trying to configure CTP to use SSL certificates.
I’ve modified the profiles/CTP/configuration/com.softwareag.platform.config.propsloader/com.softwareag.catalina.connector.https.pid-defaultHttps-8084.properties file as follows:

clientAuth=true
sslProtocol=TLS
sslEnabledProtocols=+TLSv1,+TLSv1.1,+TLSv1.2
SSLEnabled=true
keystoreFile=/opt/softwareag/SBG_certs/SBG_keystore
enabled=true
port=8084
scheme=https
enableLookups=false
@secure.keystorePass=Somepassphrase
secure=true
alias=defaultHttps
maxThreads=150
keystoreType=PKCS12
server=SoftwareAG-Runtime
disableUploadTimeout=true
algorithm=SHA256
ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSVF
minSpareThreads=25
acceptCount=100
maxHttpHeaderSize=8192

When restarting CTP, the HTTPS port 8084 does not start up.

Error message from the platform.log file is:

!ENTRY org.eclipse.equinox.cm 4 0 2024-08-20 15:00:57.985
!MESSAGE file:/opt/softwareag/sag107/profiles/CTP/configuration/com.softwareag.platform.config.propsloader/com.softwareag.catalina.connector.https.pid-defaultHttps-8084.properties : Connector added to server, but did not become available
!STACK 0
org.osgi.service.cm.ConfigurationException: file:/opt/softwareag/sag107/profiles/CTP/configuration/com.softwareag.platform.config.propsloader/com.softwareag.catalina.connector.https.pid-defaultHttps-8084.properties : Connector added to server, but did not become available

Any suggestions?

Hi Hendrik,

First of all, you should disable TLSv1 and TLSv1.1, as they are now considered insecure.
If possible, enable TLSv1.3 instead.

Regarding the error message, you will have to investigate more deeply why the connector port is not activated.

Regards,
Holger
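
An added example, not part of the thread and not Software AG code: a Python check that reads connector properties like the ones in the question and flags the protocol versions Holger recommends disabling, plus 3DES suites, suites without forward secrecy and suite names that do not look like valid names. The function names are hypothetical, the sample is a constructed, shortened copy of the posted file, and stripping the leading `+` from protocol names is an assumption based on the value shown in the question.

```python
import re

# Constructed sample: a shortened copy of the properties posted in the question.
SAMPLE = """\
sslProtocol=TLS
sslEnabledProtocols=+TLSv1,+TLSv1.1,+TLSv1.2
keystoreType=PKCS12
ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSVF
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
# TLS <= 1.2 names contain _WITH_; TLS 1.3 names start TLS_AES_ or TLS_CHACHA20_.
SUITE_NAME = re.compile(r"^TLS_([A-Z0-9_]+_WITH|AES|CHACHA20)_[A-Z0-9_]+$")
SCSV = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"  # signalling value, not a cipher


def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit_connector(props):
    """Return (severity, message) findings for protocol and cipher settings."""
    findings = []
    raw = props.get("sslEnabledProtocols", "")
    protocols = [p.strip().lstrip("+") for p in raw.split(",") if p.strip()]
    for proto in protocols:
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(("high", f"deprecated protocol enabled: {proto}"))
    if protocols and "TLSv1.3" not in protocols:
        findings.append(("info", "TLSv1.3 is not enabled"))
    for suite in (s.strip() for s in props.get("ciphers", "").split(",")):
        if not suite or suite == SCSV:
            continue
        if not SUITE_NAME.match(suite):
            findings.append(("warn", f"unrecognised suite name: {suite}"))
        elif "3DES" in suite:
            findings.append(("high", f"3DES suite: {suite}"))
        elif "_WITH_" in suite and "_ECDHE_" not in suite and "_DHE_" not in suite:
            findings.append(("warn", f"no forward secrecy: {suite}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_connector(parse_properties(SAMPLE)):
        print(f"[{severity}] {message}")
```

The check only reads the properties text; it does not explain why the connector failed to become available, which still has to be traced in the logs as Holger says.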