TrueSight Middleware Administrator: How to disable and/or alter TLS/SSL options

Version 1

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    TrueSight Middleware Administrator


    COMPONENT:

    BMC Middleware Management - Administration


    APPLIES TO:

    TrueSight Middleware Administrator v8.0, 8.1 BMC Middleware Management - Administration



    QUESTION:

    How to disable and/or alter TLS/SSL options?


    ANSWER:

     

    To exclude cipher suites

      
       
    1. Stop the Middleware Administrator service.
    2. cd to the "<install_dir>/etc" directory.
    3. Edit the jetty.xml file.
    4. Look for '<Set name="ExcludeCipherSuites">'.
    5. Add the cipher suites to disable, using their proper names. For example, to disable a TLS 3DES cipher suite, in this case TLS_RSA_WITH_3DES_EDE_CBC_SHA, add its <Item> line as shown at the end of the list below. After making this change, restart the Middleware Administrator service:

      <Set name="ExcludeCipherSuites">
          <Array type="java.lang.String">
              ...
              <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
              <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
              <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
              <Item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</Item>
          </Array>
      </Set>
      

    NOTE: Rather than adding an entry for every single suite (and risking mistyped names), you can use a name pattern such as '.*DES.*'. For example, add:

    <Item>.*DES.*</Item>
      


    To alter the Diffie-Hellman key size

      
       
    1. Go to "<install_dir>/configuration".
    2. Edit the wrapper.conf file.
    3. Look for the last line starting with 'wrapper.java.additional.' that is not commented out, for example:

      wrapper.java.additional.20=-Dcom.mongodb.updaterConnectTimeoutMS=5000

    4. Add a corresponding line after it, with the number at the end increased by 1. For example, the Diffie-Hellman key size is set with the Java system property 'jdk.tls.ephemeralDHKeySize', so the next entry in the file will be:

      wrapper.java.additional.21=-Djdk.tls.ephemeralDHKeySize=2048

    5. After making these changes and saving the files, you will need to restart the TSMA service for these changes to take effect.
      

    To exclude protocols

      
       
    1. Stop the Middleware Administrator service.
    2. cd to the "<install_dir>/etc" directory.
    3. Edit the jetty.xml file and add a new set, which can be placed before or after the ExcludeCipherSuites set:

      <Set name="ExcludeProtocols">
          <Array type="java.lang.String">
              <Item>SSLv2Hello</Item>
              <Item>SSLv3</Item>
              <Item>TLSv1</Item>
              <Item>TLSv1.1</Item>
          </Array>
      </Set>

    4. Restart Middleware Administrator.
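
The following check is an added example, not part of the BMC article or product: it reads the ExcludeCipherSuites and ExcludeProtocols sets described above from a jetty.xml fragment and reports which suite names the exclusion entries cover, so a mistyped name or an overly narrow pattern is caught before the restart. The XML fragment, the candidate suite list and the function names are constructed for illustration, and it assumes each entry is matched as a regular expression against the whole suite name, as the '.*DES.*' pattern in the note implies.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal stand-in for the two <Set> blocks in jetty.xml.
SAMPLE_JETTY_XML = """
<Configure>
  <Set name="ExcludeCipherSuites">
    <Array type="java.lang.String">
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>.*DES.*</Item>
    </Array>
  </Set>
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>SSLv2Hello</Item>
      <Item>SSLv3</Item>
      <Item>TLSv1</Item>
      <Item>TLSv1.1</Item>
    </Array>
  </Set>
</Configure>
"""

# Constructed list of suite names to test the exclusion entries against.
CANDIDATE_SUITES = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
]

def read_set(xml_text, set_name):
    """Return the <Item> values of the named <Set> block, wherever it is nested."""
    root = ET.fromstring(xml_text)
    for node in root.iter("Set"):
        if node.get("name") == set_name:
            # strip() drops stray whitespace typed around a name or pattern
            return [(item.text or "").strip() for item in node.iter("Item")]
    return []

def split_by_exclusion(names, patterns):
    """Split names into (excluded, still_enabled); assumption: whole-name regex match."""
    excluded = [n for n in names if any(re.fullmatch(p, n) for p in patterns)]
    return excluded, [n for n in names if n not in excluded]

if __name__ == "__main__":
    patterns = read_set(SAMPLE_JETTY_XML, "ExcludeCipherSuites")
    excluded, enabled = split_by_exclusion(CANDIDATE_SUITES, patterns)
    print("excluded suites:", excluded)
    print("still enabled:  ", enabled)
    print("excluded protocols:", read_set(SAMPLE_JETTY_XML, "ExcludeProtocols"))
```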
      
      

     


    Article Number:

    000133886


    Article Type:

    FAQ/Procedural


