A Configuring SSL Ciphers

This appendix provides information about configuring SSL Cipher Suites.

Calendar Server does not have any explicit cipher configuration at the product configuration level. You can configure only the protocol version used for the SSL Handshake. For more information, see the discussion about configuration parameters in the Calendar Server System Administrator's Guide.

During the SSL Handshake between the server and any SSL client, the two sides negotiate the strongest common cipher to use. You can control the required ciphers at the container level, which in turn relies on the JDK for cipher support. The following are best practices and documentation references on the ciphers that are negotiated during the SSL Handshake.

Note:

Ensure that you use the latest security patch for JDK_version_Update in a production environment. Refer to the JDK version notified with each release and use that minimum version or a higher one.

The following versions are used during the Calendar Server 8.0.0.4.0 patch release:

  • GlassFish Server 3.1.2.18 with JDK_1.7.0_update241 and WebLogic Server 12.2.1.3 with JDK_1.8.0_update231.

  • Ensure that you use JDK_1.7.0_241 or higher for GlassFish Server deployments and JDK 1.8.0_231 or higher for WebLogic Server deployments.

Configuring SSL Cipher for GlassFish Server

Consider the following when configuring SSL Cipher for GlassFish Server:

  • Ensure that you use GlassFish Server 3.1.2.18 with the latest JDK_1.7.0 version (JDK_1.7.0_241 or higher) in a production environment. Also, ensure that you apply the latest JDK security patches notified for the JDK_1.7.0_update version in production environments.

  • When you use the above-mentioned GlassFish Server and JDK version combinations, many weak ciphers are disabled by default.

  • For more information on the supported cipher list, either use the GlassFish administration CLI command asadmin list-supported-cipher-suites, or log in to the GlassFish Server Administration Console, navigate to the HTTPS secure listener port configuration, and click the SSL tab, where you can find the list of cipher blocks. If you do not configure any cipher suites, all available cipher suites are enabled.

Configuring SSL Cipher Explicitly

You should configure ciphers only if you have a business requirement to whitelist the required ciphers or blacklist the ciphers that are not required in your environment.

To configure SSL Cipher at the GlassFish Server level:

  1. Log in to GlassFish Server Administration Console.

  2. Navigate to the HTTPS listener port configuration where you have deployed Calendar Server.

  3. In the SSL tab, add or remove ciphers from the blocks of ciphers listed according to your requirements.

  4. Restart GlassFish Server.

    The whitelisted ciphers are allowed during SSL Handshake.
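
The following Python script is an added example, not part of the product documentation. It reads the output of asadmin list-supported-cipher-suites and separates out the suites whose names indicate weak algorithms, to help decide what to remove in step 3. The sample output is constructed, and the list of weak markers is an assumption of this example based on common hardening guidance.

```python
import re
# Name fragments treated as weak. The list is an assumption of this example
# (common hardening guidance), not a list taken from the product documentation.
WEAK_MARKERS = [
    (r"_NULL_", "no encryption"),
    (r"_anon_", "unauthenticated key exchange"),
    (r"_EXPORT", "export-grade key length"),
    (r"_RC4_", "RC4 stream cipher"),
    (r"_DES40_|_DES_CBC_", "single DES"),
    (r"_3DES_EDE_", "64-bit block cipher (3DES)"),
    (r"_MD5$", "MD5 MAC"),
]
SUITE_NAME = re.compile(r"^(?:SSL|TLS)_[A-Za-z0-9_]+$")

def parse_suites(asadmin_output):
    """Return unique suite names, skipping status lines and blanks."""
    names = []
    for line in asadmin_output.splitlines():
        line = line.strip()
        if SUITE_NAME.match(line) and line not in names:
            names.append(line)
    return names

def classify(names):
    """Split names into (keep, remove); remove maps name -> list of reasons."""
    keep, remove = [], {}
    for name in names:
        reasons = [why for pat, why in WEAK_MARKERS if re.search(pat, name)]
        if reasons:
            remove[name] = reasons
        else:
            keep.append(name)
    return keep, remove

# Constructed sample output, not captured from a real server.
SAMPLE = """\
TLS_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_NULL_SHA
Command list-supported-cipher-suites executed successfully.
"""

if __name__ == "__main__":
    keep, remove = classify(parse_suites(SAMPLE))
    print("keep:", ", ".join(keep))
    print("remove:", remove)
```

To use it against a real server, pass the captured command output to parse_suites in place of SAMPLE and review the remove list before changing the listener configuration.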

Configuring SSL Cipher for WebLogic Server

Ensure that you use WebLogic Server 12.2.1.3 with the JDK_1.8.0_update version in a production environment. Also, ensure that you use WebLogic Server 12.2.1.3 with JDK_1.8.0_231 or higher for the Calendar Server 8.0.0.4.0 patch.

Refer to the following WebLogic Server documentation for more guidelines:

Configuring SSL Cipher Explicitly

You should configure ciphers only if you have a business requirement to whitelist the required ciphers or blacklist the ciphers that are not required in your environment. For more information on configuring ciphers using WLST, see the documentation: Setting Cipher Suites Using WLST: An Example.

If you want debug logs for verifying or troubleshooting the SSL Handshake, see the documentation: SSL Debugging.