Purpose:
In our day-to-day work we run into many SSL issues, and they can have countless causes. This document is a quick guide to resolving SSL / TLS connection issues in the products Integration Server (IS) and My webMethods Server (MWS), where the cause is an improper configuration, an outdated Java version, an inappropriate timeout, and so on. It is far from a complete list, but it should help in triaging the most common SSL issues in these products.
Introduction
SSL stands for Secure Sockets Layer; it is the predecessor of Transport Layer Security (TLS). Both provide a secure connection between client and server. SSL/TLS connection issues can arise for innumerable reasons: some are generic (a separate guide covers generic SSL issues and their resolutions) and some are product specific.
In this blog we will discuss the product-specific issues and try to find a resolution for each.
SSL issues in products
Let’s now jump into the product-specific (IS & MWS) issues that can cause SSL failures:
- The product supports old and deprecated versions of the SSL protocol (SSLv2 & SSLv3).
- The product does not support the required / strong ciphers.
- The version of JVM shipped with the product is old.
- The connection timeout value is not set appropriately.
Resolution
Let’s now look at the resolution of SSL / TLS connection issues for the products IS & MWS:
- The product supports old and deprecated versions of the SSL protocol (SSLv2 & SSLv3).
- For Integration Server
Set the following watt properties so that only TLS versions are enabled:
watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
- For My webMethods Server
In jetty.xml, set the following block to exclude the deprecated protocols:
<Set name="ExcludeProtocols">
  <Array type="java.lang.String">
    <Item>SSLv2</Item>
    <Item>SSLv3</Item>
  </Array>
</Set>
- The product does not support the required / strong ciphers.
- For Integration Server
Set the following watt properties:
watt.net.ssl.client.strongcipheronly=true
watt.net.ssl.server.strongcipheronly=true
- For My webMethods Server
This is not as straightforward as in IS: Jetty has no single "strong ciphers only" switch, so you have to explicitly exclude each weak cipher suite (DES, export-grade and RC4/MD5 suites) so that only strong suites remain, as given below:
<Set name="ExcludeCipherSuites">
  <Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
    <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
  </Array>
</Set>
- The version of JVM shipped with the product is old.
Update the JVM to the latest certified version, or update the product suite.
- The connection timeout value is not set appropriately.
Set the connection timeout value appropriately in the products.
- For Integration Server
While creating the HTTPS port you can specify an appropriate connection timeout value.
- For My webMethods Server
Update jetty.xml to set the connection timeout to an appropriate value.
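The following is an added example, not part of this guide or of the products, that audits the IS watt properties and the MWS jetty.xml fragments described above offline and reports what still allows SSLv2/SSLv3 or the weak cipher suites listed in this guide. It assumes the watt properties are given as key=value lines and the jetty.xml content as the <Set> blocks shown above (a full jetty.xml with a single root element also parses); the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

# Protocols the guide says must be disabled.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3"}
# Baseline of weak suites, taken from the ExcludeCipherSuites block in this guide.
BASELINE_WEAK_SUITES = {
    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA", "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
}

def audit_watt_properties(text):
    """Check IS watt properties: deprecated protocols enabled, strongcipheronly not true."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    findings = []
    for key in ("watt.net.jsse.client.enabledProtocols", "watt.net.jsse.server.enabledProtocols"):
        enabled = {p.strip() for p in props.get(key, "").split(",") if p.strip()}
        findings += [f"{key} enables deprecated protocol {p}" for p in sorted(enabled & DEPRECATED_PROTOCOLS)]
    for key in ("watt.net.ssl.client.strongcipheronly", "watt.net.ssl.server.strongcipheronly"):
        if props.get(key, "").lower() != "true":
            findings.append(f"{key} is not set to true")
    return findings

def audit_jetty_xml(xml_text):
    """Check MWS jetty.xml <Set> blocks: SSLv2/SSLv3 and the baseline weak suites must be excluded."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:  # bare <Set> fragments as shown in the guide: wrap them in a root element
        root = ET.fromstring(f"<Configure>{xml_text}</Configure>")
    excluded = {s.get("name"): {i.text.strip() for i in s.iter("Item") if i.text} for s in root.iter("Set")}
    findings = [f"ExcludeProtocols does not exclude {p}"
                for p in sorted(DEPRECATED_PROTOCOLS - excluded.get("ExcludeProtocols", set()))]
    findings += [f"ExcludeCipherSuites does not exclude {s}"
                 for s in sorted(BASELINE_WEAK_SUITES - excluded.get("ExcludeCipherSuites", set()))]
    return findings

# Constructed sample inputs (not from a real installation): server side still allows SSLv3,
# server strongcipheronly is missing, and the MWS fragment excludes only part of the baseline.
IS_PROPS = """watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.server.enabledProtocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.strongcipheronly=true
"""
MWS_JETTY = """<Set name="ExcludeProtocols"><Array type="java.lang.String"><Item>SSLv3</Item></Array></Set>
<Set name="ExcludeCipherSuites"><Array type="String">
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item><Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item></Array></Set>"""

if __name__ == "__main__":
    for finding in audit_watt_properties(IS_PROPS) + audit_jetty_xml(MWS_JETTY):
        print("FINDING:", finding)
```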