Problem: Designer cannot connect to WM9.9 via TLS1.2

Hi folks,

I configured our WM9.9 so that only TLS1.2 connections are allowed. That works fine, except for the Designer (Eclipse).

The Designer tries to connect to the WM via TLS1.0 and comes back with an iaik handshake error.

Need help.

Kind regards
Nils

Hi,

I also tried to allow TLS1.1, but with the same result.

[… Extended settings …]
watt.net.jsse.client.enabledProtocols=TLSv1.1,TLSv1.2
watt.net.jsse.server.enabledProtocols=TLSv1.1,TLSv1.2
[…]

Following another article, I set the following parameters in eclipse.ini:
[…]
C:/SoftwareAG/jvm/jvm/jre/bin/javaw.exe
-vmargs
-Xms128m
-Xmx1024m
-Dwatt.net.jsse.client.enabledProtocols=TLSv1.1,TLSv1.2
-Dwatt.net.ssl.client.handshake.minVersion=tls
-Dwatt.net.ssl.client.handshake.maxVersion=tls
-Djavax.net.ssl.trustStore=C:\SoftwareAG\common\conf\platform_truststore.jks
-Djavax.net.ssl.trustStoreType=JKS
-Djavax.net.debug=all
-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2
-Declipse.log.level=INFO
[…]

Cheers,
N

Hi Nils,

What is the JVM used for running the Designer?

TLSv1.1 and TLSv1.2 require Java 7 and above.

Another option might be to allow TLSv1 for the client protocols:

[… Extended settings …]
watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
[…]

Is there a real requirement why TLSv1 should not be allowed?

Regards,
Holger

Hi Holger,

I use the WM9.9 JVM, which is based on Java 8. So TLS1.2 should be the default.

Allowing TLS1.0 is not an option. We have to disable TLS1.0 and TLS1.1 for security reasons.

Cheers,
N

Hi Nils,

What is the setting on the IS side for the following parameters:

-Dwatt.net.ssl.client.handshake.minVersion=tls
-Dwatt.net.ssl.client.handshake.maxVersion=tls
-Dwatt.net.ssl.server.handshake.minVersion=tls
-Dwatt.net.ssl.server.handshake.maxVersion=tls

Please open a Support Incident and a Feature Request/Idea on Empower and Brainstorm, to see how this can be improved for more flexible configuration.

I did some research meanwhile and found out that TLSv1.1 is still considered secure in most cases.
If there are concerns about that, check with your security team why they think so.

Regards,
Holger
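
A check for the TLS1.2-only policy discussed in this thread, as an added example that is not part of any post and not Software AG code: it scans eclipse.ini `-D` lines or extended-settings `key=value` lines and reports every protocol list that enables more than TLSv1.2. The function names are hypothetical, and the `handshake.*Version` values are only reported for manual review because their value format is product-specific.

```python
import re

ALLOWED = {"TLSv1.2"}  # policy stated in the thread: TLS 1.2 only
# Settings from the thread whose value is a comma-separated list of JSSE protocol names.
LIST_KEY = re.compile(r"(watt\.net\.jsse\.(client|server)\.enabledProtocols|jdk\.tls\.client\.protocols)$")
# Settings from the thread whose value format is product-specific: reported, not interpreted.
OPAQUE_KEY = re.compile(r"watt\.net\.ssl\.(client|server)\.handshake\.(min|max)Version$")

def parse_settings(text):
    """Yield (line_no, key, value) for '-Dkey=value' (eclipse.ini) and 'key=value' lines."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("-D"):
            line = line[2:]
        elif line.startswith("-"):
            continue  # other JVM options such as -vmargs or -Xmx1024m
        key, sep, value = line.partition("=")
        if sep:
            yield no, key.strip(), value.strip()

def audit(text):
    """Return (line_no, key, finding) tuples for settings that break or may break the policy."""
    findings = []
    for no, key, value in parse_settings(text):
        if LIST_KEY.match(key):
            protocols = [p.strip() for p in value.split(",") if p.strip()]
            extra = [p for p in protocols if p not in ALLOWED]
            if extra:
                findings.append((no, key, "also enables " + ", ".join(extra)))
            elif not protocols:
                findings.append((no, key, "no protocol listed"))
        elif OPAQUE_KEY.match(key):
            findings.append((no, key, f"value '{value}' needs manual review"))
    return findings

# Sample input: a subset of the eclipse.ini lines quoted in the thread.
ECLIPSE_INI = """\
-vmargs
-Xmx1024m
-Dwatt.net.jsse.client.enabledProtocols=TLSv1.1,TLSv1.2
-Dwatt.net.ssl.client.handshake.minVersion=tls
-Dwatt.net.ssl.client.handshake.maxVersion=tls
-Djavax.net.ssl.trustStoreType=JKS
-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2
"""

if __name__ == "__main__":
    for no, key, finding in audit(ECLIPSE_INI):
        print(f"line {no}: {key}: {finding}")
```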