How to update the TLS in SSL configuration in webMethods 8.0

With the latest update of Google Chrome and Mozilla Firefox, our application is not being opened due to the following SSL exception.

ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY.

This exception requires a change in the server-side configuration of TLS/SSL. But we are unable to find the SSL configuration or the server config file for webMethods 8.0.

Can you please help with this problem and also help us find the server configuration file.

Thanks,


Hi Sreejith,

The server config file is located under IntegrationServer/config/server.cnf.
For MWS it is in the database and needs to be extracted to the file system first.

mws.sh -s default getconfig jetty.xml

Location of the file will then be MWS/server/default/config/jetty.xml.

See the MWS Administrator's Guide for further information about this.

Can you check if there is a possibility to configure your browsers to allow the SSLv3 protocol (at least temporarily, until you are able to configure the servers accordingly)?

Please check the following pages in Empower KB:

Security Advisory:
https://empower.softwareag.com/Products/Security/poodle.asp

Summary of available Fixes for IntegrationServer (KB# 1760886):
https://empower.softwareag.com/sl24sec/SecuredServices/KCFullTextASP/viewing/view.asp?prdfamily=Integration&KEY=113725-9174169&DSN=PIVOTAL&DST=TCD

Unfortunately wM 8.0 is not listed there, as it is no longer supported unless you have an Extended Maintenance Agreement in place.

Please consider upgrading to wM 9.5 or newer.

Regards,
Holger

Hi Holger,

Thanks for your reply. I generated the jetty.xml.
I have another query now: after making the necessary changes, should I import the file to the database? If so, could you please let me know how to do it?

Thanks,

Hi Sreejith,

As long as the XML is present in the file system, MWS will use this one.

You can update the config in the database if you wish, but you will have to delete the file in the file system to make MWS use the one stored in the database.


mws.sh -s default putconfig jetty.xml

Regards,
Holger

Hi Holger,

Thanks for the reply.

We updated the jetty.xml with

SSLv3

after going through the link:
https://empower.softwareag.com/Products/Security/poodle.asp

But we got the exception:
2015-09-14 15:30:59 IST (Framework:FATAL) - [POP.001.0002] A “java.lang.NoSuchMethodException” occurred with the Message “class com.webMethods.portal.webapp.jetty6.MwsServer.setExcludeProtocols(class [Ljava.lang.String;)”
java.lang.NoSuchMethodException: class com.webMethods.portal.webapp.jetty6.MwsServer.setExcludeProtocols(class [Ljava.lang.String;)
at org.mortbay.xml.XmlConfiguration.set(XmlConfiguration.java:424)
at org.mortbay.xml.XmlConfiguration.configure(XmlConfiguration.java:248) .

Could you please suggest the appropriate changes to be made in the jetty.xml to make it support TLS 1.0,
in order to overcome the SSL exception in the latest version of Chrome?

Thanks,

Hi Sreejith,

You will have to make sure that the MWS is running in an appropriate JVM (1.6 for wM 8.x) and is using the right Jetty version, which supports this feature.

For the latest TLS 1.2 you will need to switch to JVM 1.7, but I am not sure if this can be applied to MWS 8.0.

As you are running an unsupported version you should consider an upgrade to 8.2.x for which there are such Fixes available.

At least check for the latest Fixes for MWS 8.0 and apply these.
It should be stated in the readme whether these contain an updated Jetty.

Regards,
Holger

Hi Holger,

Thanks for the reply. But we cannot update the server as of now, as it is the live server. Is there any workaround to be done in the XML file to fix the LogJam issue?

Thanks,

Hi …

Could you please suggest how to do any of these steps in webMethods 8.0:

  1. Enable ECDHE and disable DHE (preferable)
  2. Use a 1024-bit (or larger) Diffie-Hellman group for the DHE_RSA SSL cipher suites
  3. Disable all DHE SSL cipher suites

Thanks,

Hi,

Then this comes to a thing called “Bad Luck”.

If you have an Extended Maintenance Agreement you can open a ticket to SAG Support for this.

If not, bad luck.

Regards,
Holger