PIE-34054 (IS_9.5_SP1_Core_Fix5)
Remove use of SSLv3 from any HTTPS or FTPS Integration Server
ports.
In order to protect against the POODLE vulnerability
(CVE-2014-3566), this fix exposes server configuration parameters
that allow you to disable the use of SSLv3.0 on Integration Server
HTTPS and FTPS ports.
Depending on whether connections use the Entrust library
(entoolkit.jar) or JSSE (where useJSSE=true), you use a
different procedure to disable SSLv3.0. Follow the appropriate
procedure as follows:
For connections that use Entrust (entoolkit.jar) library:
---------------------------------------------------------
When Integration Server uses the Entrust library to handle inbound
and outbound requests, you disable SSLv3.0 by setting the
following server configuration parameters:
- watt.net.ssl.server.handshake.minVersion
- watt.net.ssl.server.handshake.maxVersion
Possible values for these server configuration parameters are
“sslv3” and “tls” (the default). With this fix, these two
parameters take the default value “tls”, which indicates that
all server side SSL listeners will support only TLSv1 and no
longer accept SSLv3 connections.
When Integration Server acts as a client and makes an outbound
request, it configures the allowed protocols using the
following server configuration parameters:
- watt.net.ssl.client.handshake.minVersion
- watt.net.ssl.client.handshake.maxVersion
Possible values for these server configuration parameters are
“sslv2”, “sslv3”, and “tls”. If you want to disable the use of
“sslv3”, set watt.net.ssl.client.handshake.minVersion as
follows:
watt.net.ssl.client.handshake.minVersion=tls
To change the values of the server configuration parameters,
from Integration Server Administrator, navigate to Settings >
Extended and add the parameters as follows:
- watt.net.ssl.server.handshake.minVersion=tls
- watt.net.ssl.server.handshake.maxVersion=tls
- watt.net.ssl.client.handshake.minVersion=tls
- watt.net.ssl.client.handshake.maxVersion=tls
If any of your clients require SSLv3 to connect (the previous
default), set watt.net.ssl.server.handshake.minVersion as
follows:
watt.net.ssl.server.handshake.minVersion=sslv3
For outbound connections, you can configure Integration Server
to first try to connect using sslv3 and, if that fails, to use
tlsv1. To do so, set watt.net.ssl.client.handshake.minVersion as
follows:
watt.net.ssl.client.handshake.minVersion=sslv3
This allows Integration Server to use sslv3 with endpoints that
do not support tlsv1.
For connections that use JSSE (where useJSSE=true):
---------------------------------------------------
When Integration Server uses JSSE to handle inbound and
outbound requests, you disable SSLv3.0 by setting the following
server configuration parameters:
- watt.net.jsse.server.enabledProtocols
- watt.net.jsse.client.enabledProtocols
Possible values for these server configuration parameters are a
comma-separated list consisting of one or more of the
following:
- SSLv2Hello
- SSLv3
- TLSv1
- TLSv1.1
- TLSv1.2
With this fix, watt.net.jsse.server.enabledProtocols and
watt.net.jsse.client.enabledProtocols are set to the default
value of “TLSv1,TLSv1.1,TLSv1.2”, which indicates that all
server side SSL listeners and client side outbound connections
that use JSSE will not accept any SSLv3 or SSLv2 connections.
To change the values of the parameters, from Integration Server
Administrator, navigate to Settings > Extended and add the
parameters as follows:
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
Note: These values are case-sensitive. Specify the values
exactly as shown.
If any of your clients need to connect using SSLv3, add SSLv3
to watt.net.jsse.server.enabledProtocols, for example:
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2,SSLv3
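The following script is an added example and is not part of this fix or of Integration Server. It audits the six parameters described above (both the Entrust watt.net.ssl.* handshake min/maxVersion pairs and the JSSE watt.net.jsse.*.enabledProtocols lists) as they would be exported from Settings > Extended, applying the defaults this fix establishes for any parameter that is absent, and reports every setting that still admits SSLv3 or SSLv2 or that uses an unrecognised (for JSSE, wrongly cased) protocol name. The parameter names, values and defaults come from this readme; the key=value line format and the two sample configurations are constructed for the example.

```python
"""Audit Integration Server Extended settings for SSLv3/SSLv2 exposure.

Added example, not part of the PIE-34054 fix or of Integration Server.
Reads "key=value" lines (the form shown in the fix readme) and reports
settings that still allow SSLv3/SSLv2 on the Entrust (watt.net.ssl.*)
or JSSE (watt.net.jsse.*) code paths. Parameter names and defaults are
taken from the readme; the line format and samples are assumptions.
"""

# Defaults the fix establishes when a parameter is absent (per the readme).
DEFAULTS = {
    "watt.net.ssl.server.handshake.minVersion": "tls",
    "watt.net.ssl.server.handshake.maxVersion": "tls",
    "watt.net.ssl.client.handshake.minVersion": "tls",
    "watt.net.ssl.client.handshake.maxVersion": "tls",
    "watt.net.jsse.server.enabledProtocols": "TLSv1,TLSv1.1,TLSv1.2",
    "watt.net.jsse.client.enabledProtocols": "TLSv1,TLSv1.1,TLSv1.2",
}

# Entrust values in ascending protocol order; anything below "tls" is weak.
ENTRUST_ORDER = ["sslv2", "sslv3", "tls"]
# JSSE names are case-sensitive; only these spellings are recognised.
JSSE_VALID = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
JSSE_WEAK = {"SSLv2Hello", "SSLv3"}


def parse_settings(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return a list of findings; an empty list means no SSLv3/SSLv2 exposure."""
    merged = {**DEFAULTS, **settings}  # absent keys fall back to fix defaults
    findings = []
    tls_rank = ENTRUST_ORDER.index("tls")

    # Entrust path: minVersion is the weakest protocol the handshake accepts.
    for side in ("server", "client"):
        min_key = f"watt.net.ssl.{side}.handshake.minVersion"
        max_key = f"watt.net.ssl.{side}.handshake.maxVersion"
        min_val, max_val = merged[min_key], merged[max_key]
        if min_val not in ENTRUST_ORDER or max_val not in ENTRUST_ORDER:
            findings.append(f"{min_key}/{max_key}: unrecognised value "
                            f"'{min_val}'/'{max_val}' (expected sslv2, sslv3 or tls)")
            continue
        lo, hi = ENTRUST_ORDER.index(min_val), ENTRUST_ORDER.index(max_val)
        if lo < tls_rank:
            findings.append(f"{min_key}={min_val} allows {min_val} on Entrust {side} connections")
        if hi < tls_rank:
            findings.append(f"{max_key}={max_val} caps Entrust {side} connections below TLS")
        if lo > hi:
            findings.append(f"{min_key}={min_val} exceeds {max_key}={max_val}; "
                            f"no protocol can be negotiated")

    # JSSE path: the enabled list is explicit, so SSLv3 is on only if listed.
    for side in ("server", "client"):
        key = f"watt.net.jsse.{side}.enabledProtocols"
        protocols = [p.strip() for p in merged[key].split(",") if p.strip()]
        for proto in protocols:
            if proto not in JSSE_VALID:
                findings.append(f"{key}: '{proto}' is not a recognised protocol name "
                                f"(values are case-sensitive)")
            elif proto in JSSE_WEAK:
                findings.append(f"{key} enables {proto} on JSSE {side} connections")
        if not any(p.startswith("TLS") for p in protocols):
            findings.append(f"{key}: no TLS version enabled")
    return findings


def audit_text(text):
    """Convenience wrapper: parse then audit."""
    return audit(parse_settings(text))


# Constructed sample: exactly the values this fix sets by default.
HARDENED_SAMPLE = """
# constructed sample, hardened
watt.net.ssl.server.handshake.minVersion=tls
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=tls
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
"""

# Constructed sample: SSLv3 re-enabled for legacy clients, plus a casing slip.
LEGACY_SAMPLE = """
# constructed sample, legacy
watt.net.ssl.server.handshake.minVersion=sslv3
watt.net.ssl.client.handshake.minVersion=sslv3
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2,SSLv3
watt.net.jsse.client.enabledProtocols=tlsv1,TLSv1.1,TLSv1.2
"""

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED_SAMPLE), ("legacy", LEGACY_SAMPLE)):
        found = audit_text(sample)
        print(f"{name}: {'OK' if not found else f'{len(found)} finding(s)'}")
        for item in found:
            print("  -", item)
```

Running it prints no findings for the hardened sample and four for the legacy one: both Entrust minVersion settings at sslv3, SSLv3 listed for the JSSE server side, and the lowercase "tlsv1" on the JSSE client side, which the note above explains would not be recognised. An empty settings dictionary also audits clean, reflecting that the fix's defaults alone close SSLv3.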
When starting JSSE ports, at DEBUG level of logging
facility 6 (Server SSL Interface), Integration Server
logs a message to indicate what protocols are enabled
for each JSSE port.