How can I disable TLSv1.0 and TLSv1.1 on communication ports in TrueSight Orchestration?

Version 5

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BMC Atrium Orchestrator Platform


    COMPONENT:

    BMC Atrium Orchestrator Platform


    APPLIES TO:

    BMC Atrium Orchestrator Platform 7.x
    BMC Atrium Orchestrator Platform 8.x
    TrueSight Orchestration Platform 8.x



    QUESTION:

    I want to disable TLSv1.0 and TLSv1.1 on the internal communication ports in BMC Atrium Orchestrator / TrueSight Orchestration (TSO). I specifically want to change the protocols used by embedded instances of BMC Remedy Single Sign-On (RSSO) and peers, like ports 28090, 38090 and 61719. How can I do this? 
     


    ANSWER:

    Follow the steps below to disable TLSv1.0 and TLSv1.1 on the RSSO ports and the peer communication ports:

    Repository

       
    1. Stop the Repository Service.
    2. Open the file [REPO_HOME]\repository\server\.jms\broker-config.xml.
    3. Make the following changes (highlighted in red in the original article; the protocol restriction is the transport.enabledProtocols=TLSv1.2 parameter appended to each ssl:// URI, which allows only TLSv1.2 on that connector). Note: This assumes you have "Enterprise Service Bus" syncing enabled.

       <broker-config>
         <external>false</external>
         <cipher-suites>TLS_RSA_WITH_AES_256_CBC_SHA</cipher-suites>
         <enable-jmx>false</enable-jmx>
         <broker-name>ao-grid-framework-embedded-broker-85c109c7-f550-4151-b95f-26b968d1a4fb</broker-name>
         <transportConnectors>
           <transportConnector uri="ssl://XXX.XXX.XXX.XXX:28090?transport.enabledProtocols=TLSv1.2" name="ESB_TRANSPORT" enableStatusMonitor="true" updateClusterClients="true" updateClusterClientsOnRemove="true" networkTTL="3" prefetchSize="1" decreaseNetworkConsumerPriority="true" dynamicOnly="true" duplex="true" />
         </transportConnectors>
         <networkConnectors>
           <networkConnector uri="static:(ssl://XXX.XXX.XXX.XXX:38090)?maxReconnectDelay=60000&amp;useExponentialBackOff=false&amp;transport.enabledProtocols=TLSv1.2" name="ESB_NETWORK_CDP">
             <dynamicallyIncludedDestinations>
               <topic physicalName="&gt;" />
             </dynamicallyIncludedDestinations>
           </networkConnector>
         </networkConnectors>
       </broker-config>

    4. Save your changes.
    5. Open the file [REPO_HOME]/jvm/lib/security/java.security.
    6. Navigate to line 646 (search for jdk.tls.disabledAlgorithms if the line number differs in your JVM build). The entry will look like:

       jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
           EC keySize < 224

    7. Modify it to include the TLS protocols you wish to disable:

       jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
           EC keySize < 224, TLSv1, TLSv1.1

    8. Save your changes.
    9. Start the Repository service.

    Configuration Distribution Peer (CDP)

    1. Stop the CDP Service.
    2. Open the file [CDP_HOME]\server\.jms\broker-config.xml.
    3. Make the following changes (highlighted in red in the original article; the protocol restriction is the transport.enabledProtocols=TLSv1.2 parameter appended to each ssl:// URI, including the broker's own <uri> element, which allows only TLSv1.2 on that connector). Note: This assumes you have "Enterprise Service Bus" syncing enabled.

       <broker-config>
         <external>false</external>
         <cipher-suites>TLS_RSA_WITH_AES_256_CBC_SHA</cipher-suites>
         <enable-jmx>false</enable-jmx>
         <broker-name>ao-grid-framework-embedded-broker-35690a0a-6c8f-4ca6-8072-02e074c0737b</broker-name>
         <uri>ssl://XXX.XXX.XXX.XXX:61719?connectionTimeout=1000&amp;transport.enabledProtocols=TLSv1.2</uri>
         <transportConnectors>
           <transportConnector uri="ssl://XXX.XXX.XXX.XXX:38090?transport.enabledProtocols=TLSv1.2" name="ESB_TRANSPORT" enableStatusMonitor="true" updateClusterClients="true" updateClusterClientsOnRemove="true" networkTTL="3" prefetchSize="1" decreaseNetworkConsumerPriority="true" dynamicOnly="true" duplex="true" />
         </transportConnectors>
         <networkConnectors>
           <networkConnector uri="static:(ssl://XXX.XXX.XXX.XXX:28090)?maxReconnectDelay=60000&amp;useExponentialBackOff=false&amp;transport.enabledProtocols=TLSv1.2" name="ESB_NETWORK_REPO">
             <dynamicallyIncludedDestinations>
               <topic physicalName="&gt;" />
             </dynamicallyIncludedDestinations>
           </networkConnector>
         </networkConnectors>
       </broker-config>

    4. Save your changes.
    5. Open the file [CDP_HOME]/jvm/lib/security/java.security.
    6. Navigate to line 646 (search for jdk.tls.disabledAlgorithms if the line number differs in your JVM build). The entry will look like:

       jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
           EC keySize < 224

    7. Modify it to include the TLS protocols you wish to disable:

       jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
           EC keySize < 224, TLSv1, TLSv1.1

    8. Save your changes.
    9. Start the CDP service.

    Steps to validate the change

    Run the following commands from a Linux server to test whether the protocols are successfully disabled:

    openssl s_client -tls1 -connect <server>:<port>
    openssl s_client -tls1_1 -connect <server>:<port>
    openssl s_client -tls1_2 -connect <server>:<port>

    where <server> is the hostname or IP address of the machine hosting the TSO component and <port> is the port the component listens on (28090, 38090, or 61719). The OpenSSL command returns the server certificate for a successful connection, so once the change is applied only the -tls1_2 command should do so; the -tls1 and -tls1_1 commands should fail during the handshake instead of printing a certificate.
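    The following script is an added example, not part of the BMC article: it automates the validation above by running the same openssl s_client probes against each of the three ports and reports any port that still accepts TLSv1.0/1.1 or that no longer accepts TLSv1.2. It assumes openssl is on PATH and that the host name (tso-host.example.com is a placeholder) is supplied by the caller.

```shell
# Added validation helper, not part of the BMC article: runs the article's
# openssl s_client probes against each TSO port and flags any port that still
# accepts TLSv1.0/1.1 or no longer accepts TLSv1.2. Assumes openssl is on PATH.

# Classify captured `openssl s_client` output: prints "accepted" when a session
# was negotiated, "rejected" otherwise. Pure, so it can be checked on saved output.
classify_s_client_output() {
    # A refused version shows a null cipher, an alert, or a client-side error...
    if printf '%s\n' "$1" | grep -Eq 'Cipher *: 0000|handshake failure|alert protocol version|no protocols available|wrong version number|unsupported protocol'; then
        echo rejected
    # ...while a completed handshake prints the negotiated protocol version.
    elif printf '%s\n' "$1" | grep -Eq '^ *Protocol *: TLSv1'; then
        echo accepted
    else
        echo rejected
    fi
}

# One probe; proto is spelled as the openssl flag (tls1, tls1_1, tls1_2).
probe_tls() {
    out=$(openssl s_client "-$3" -connect "$1:$2" </dev/null 2>&1)
    classify_s_client_output "$out"
}

# Walk the article's ports and versions; return 1 if the policy is not met.
check_tso_ports() {
    host="$1"; rc=0
    for port in 28090 38090 61719; do
        for proto in tls1 tls1_1 tls1_2; do
            result=$(probe_tls "$host" "$port" "$proto")
            printf '%s:%s %-7s %s\n' "$host" "$port" "$proto" "$result"
            case "$proto:$result" in
                tls1:accepted|tls1_1:accepted) rc=1 ;;  # legacy version still on
                tls1_2:rejected) rc=1 ;;                # TLS 1.2 must keep working
            esac
        done
    done
    return $rc
}

# Constructed, abridged s_client outputs for checking the classifier offline.
SAMPLE_ACCEPTED=$(printf 'CONNECTED(00000003)\nSSL-Session:\n    Protocol  : TLSv1.2\n    Cipher    : AES256-SHA\n')
SAMPLE_REJECTED=$(printf 'CONNECTED(00000003)\nSSL-Session:\n    Protocol  : TLSv1.1\n    Cipher    : 0000\n')
# Usage: check_tso_ports tso-host.example.com  (placeholder host name)
```

    The script checks protocol versions only; it does not evaluate the cipher suite, and the single TLS_RSA_WITH_AES_256_CBC_SHA suite in the broker configuration uses static RSA key exchange, so it offers no forward secrecy.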

     


    Article Number:

    000153311


    Article Type:

    FAQ/Procedural


