TLS1.2

Hi,

Is there a way to set up TLS1.2 (JSSE) for all outbound requests (IS acts as client)? We would like to switch all our SOAP/HTTP calls to using TLS1.2.

Do we have to manually change it on all connectors, or is there a switch (like an Extended property)?

There are extended settings on IS to enable them, but make sure your IS version supports TLS1.2; as per my knowledge it is supported from v9.5 onwards via a core fix.

For extended settings, refer to the admin guide.

Hi M@he$h,

I was following http://techcommunity.softwareag.com/web/guest/pwiki/-/wiki/Main/Debugging+TLS+SSL+connections+in+Integration+Server to turn on logging of TLS connections, so I could confirm that TLSv1.2 is used.

Using the soap connector there were logs in wrapper.log indicating ssl:

INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Starting handshake (iSaSiLk 3.03)...
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Remote client:194.99.117.17:443, Timestamp:Thu Feb 15 17:12:49 CET 2018
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Sending secure renegotiation cipher suite
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Sending v3 client_hello message, requesting version 3.1...
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Received v3 server_hello handshake message.
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Server selected SSL version 3.1.
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Server created new session E1:CD:BB:DE:A5:C0:1E:F3...
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): CipherSuite selected by server: TLS_RSA_WITH_AES_128_CBC_SHA
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): CompressionMethod selected by server: NULL
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Received certificate handshake message with server certificate.
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Server sent a 2048 bit RSA certificate, chain has 3 elements.
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Received server_hello_done handshake message.
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Sending client_key_exchange handshake message (2048 bit)...
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Sending change_cipher_spec message...
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Sending finished message...
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Received change_cipher_spec message.
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Received finished message.
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Session added to session cache.
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Handshake completed, statistics:
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Read 3995 bytes in 5 records, wrote 426 bytes in 4 records.
INFO   | jvm 11   | 2018/02/15 17:13:25 | ssl_debug(1): Exception reading SSL message: java.io.EOFException: Connection closed by remote host.
INFO   | jvm 11   | 2018/02/15 17:13:25 | ssl_debug(1): Shutting down SSL layer...
INFO   | jvm 11   | 2018/02/15 17:13:25 | ssl_debug(1): Read 997 bytes in 1 records, 960 bytes net, 960 average.
INFO   | jvm 11   | 2018/02/15 17:13:25 | ssl_debug(1): Wrote 650 bytes in 2 records, 575 bytes net, 287 average.
INFO   | jvm 11   | 2018/02/15 17:13:25 | ssl_debug(1): Closing transport...

but when I switch “useJSSE”=true on the connector, nothing appears in wrapper.log confirming the use of TLS.

In “9-7_Integration_Server_Administrators_Guide.pdf” we didn’t find any information about global settings (watt.*) for using TLS1.2 whenever possible. Only this:

Extended settings:

Hi,

IntegrationServer has two types of SSL/TLS Handlers: Entrust IAIK and JSSE.
Entrust IAIK version bundled with IntegrationServer only supports TLSv1.0.

For TLSv1.1 and TLSv1.2 JSSE needs to be used.
These are supported when running IntegrationServer in JVM 7 or newer.

See the Empower KnowledgeBase entry referring to POODLE for details on how to configure JSSE, which uses different extended settings in comparison to Entrust. This article also contains a list of fixes which need to be applied to get these properties working.

Regards,
Holger

Hi Robert,

What version of wM are you using?
For SOAP requests, there are two ways in which this can be done.

  1. “useJSSE” Field in the soapClient service can be set as “true”
  2. Set Server level setting “watt.net.ssl.client.useJSSE=true”

Regards,
Syed Faraz Ahmed

Hi Syed Faraz Ahmed,

We set watt.net.ssl.client.useJSSE=true and it turned out to work like a charm!

However, we are still working on turning on SSL logging for JSSE, but it is not a must-have.

Anyway, thx again and thx all.

See if below helps.

The JSSE provider’s tracing is switched on using a different configuration. Therefore, please add “javax.net.debug=all,java.security.debug=certpath” to the end of the “watt.config.systemProperties” property on your Extended Settings within the IS Admin page. You will then need to restart the IS.

Hi M@he$h,

I did what you have suggested, but it didn’t work. Here are my extended settings:
watt.config.systemProperties=mail.debug=true,javax.net.debug=all,java.security.debug=certpath
watt.net.ssl.client.useJSSE=true
watt.server.compile=/opt/webmeth3/97.1/IntegrationServer/instances/…/…/jvm/jvm/bin/javac -classpath {0} -d {1} {2}
watt.server.email.processReplyEmails=true
watt.server.url.alias.partialMatching=true

After restarting IS in /opt/webmeth3/97.1/profiles/IS_default/logs/wrapper.log there was nothing about SSL/TLS connection details.

Hi,

KB#1764440 suggests using

watt.config.systemProperties=javax.net.debug=ssl,handshake

If that property does not work, try adding the following to custom_wrapper.conf:
wrapper.java.additional.=-Djavax.net.debug=ssl

Check the IS administration docs on how to calculate the appropriate value for the java.additional property.

As the output is written to stdout, you should look into the wrapper.log file.

Best regards,
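As an added illustration (not code from this thread or from Software AG), here is a small Python audit that reads wrapper.log lines and reports, per handshake, which handler was used, what protocol the client offered, what the server selected and which cipher suite was chosen, flagging anything below TLS 1.2. It covers the Entrust/iSaSiLk ssl_debug format quoted earlier in the thread (where "version 3.1" is TLS 1.0, which is why that trace can never show TLS 1.2) and the JSSE javax.net.debug=ssl,handshake output discussed in the last replies; the JSSE sample lines are constructed in the JDK 7/8 layout, which is an assumption.

```python
import re

# Wire-format version numbers as printed by the Entrust/iSaSiLk ssl_debug trace.
SSL_VERSIONS = {"3.0": "SSLv3", "3.1": "TLSv1.0", "3.2": "TLSv1.1", "3.3": "TLSv1.2"}
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Entrust/iSaSiLk trace, format as quoted from wrapper.log in this thread.
IAIK_REQ = re.compile(r"ssl_debug\((\d+)\): Sending v3 client_hello message, requesting version (\d\.\d)")
IAIK_SEL = re.compile(r"ssl_debug\((\d+)\): Server selected SSL version (\d\.\d)")
IAIK_SUITE = re.compile(r"ssl_debug\((\d+)\): CipherSuite selected by server: (\S+)")
# JSSE javax.net.debug=ssl,handshake trace; JDK 7/8-style layout, assumed here.
JSSE_HELLO = re.compile(r"\*\*\* (ClientHello|ServerHello), (TLSv1(?:\.\d)?|SSLv3)")
JSSE_SUITE = re.compile(r"^Cipher Suite: (\S+)$")

def _norm(version):  # map iSaSiLk's '3.1' or JSSE's 'TLSv1' to one protocol name
    return "TLSv1.0" if version == "TLSv1" else SSL_VERSIONS.get(version, version)

def audit_handshakes(lines, minimum="TLSv1.2"):
    """One record per handshake (handler, offered, negotiated, suite); ok=False below `minimum`."""
    results, pending = [], {}
    for raw in lines:
        line = raw.strip()
        if m := IAIK_REQ.search(line):
            pending[m.group(1)] = {"handler": "Entrust/iSaSiLk", "offered": _norm(m.group(2))}
        elif (m := IAIK_SEL.search(line)) and m.group(1) in pending:
            pending[m.group(1)]["negotiated"] = _norm(m.group(2))
        elif (m := IAIK_SUITE.search(line)) and m.group(1) in pending:
            results.append(dict(pending.pop(m.group(1)), suite=m.group(2)))
        elif m := JSSE_HELLO.search(line):
            if m.group(1) == "ClientHello":
                pending["jsse"] = {"handler": "JSSE", "offered": _norm(m.group(2))}
            elif "jsse" in pending:
                pending["jsse"]["negotiated"] = _norm(m.group(2))
        elif (m := JSSE_SUITE.match(line)) and "jsse" in pending:
            results.append(dict(pending.pop("jsse"), suite=m.group(1)))
    # Handshakes that never reached cipher-suite selection are reported as incomplete.
    results.extend(dict(rec, suite=None) for rec in pending.values())
    for rec in results:
        neg = rec.get("negotiated")
        rec["ok"] = neg in ORDER and ORDER.index(neg) >= ORDER.index(minimum)
    return results

# Constructed sample: the three decisive iSaSiLk lines from the thread's trace, then a JSSE handshake.
SAMPLE = """\
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Sending v3 client_hello message, requesting version 3.1...
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): Server selected SSL version 3.1.
INFO   | jvm 11   | 2018/02/15 17:12:49 | ssl_debug(1): CipherSuite selected by server: TLS_RSA_WITH_AES_128_CBC_SHA
*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
""".splitlines()
```

Running `audit_handshakes(SAMPLE)` shows the iSaSiLk handshake both offered and negotiated only TLS 1.0 (ok=False) while the JSSE one negotiated TLS 1.2 (ok=True), which is the check to run after switching watt.net.ssl.client.useJSSE.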