This section describes SSL protocol and signature algorithm changes.
SHA-1 is no longer strong enough for security purposes, so the CA/Browser Forum voted to deprecate SHA-1 certificates entirely for SSL/TLS connections and to stop issuing any new ones. Agile PLM is certified on SHA-2.
Follow these steps to deselect SSL 3.0.
Complete the following procedures, as appropriate, to deselect SSL 3.0 from the server client.
Add the following system property to the setUserOverrides file located in the <Agile_HOME>\agileDomain\bin folder:
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.security.SSL.protocolVersion=TLS1
The property for Unix: export JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.security.SSL.protocolVersion=TLS1"
Oracle WebLogic Server 12c uses JSSE as the default SSL implementation. This setting enables any protocol that starts with "TLS".
Add the sslEnabledProtocols setting and remove the sslProtocol="TLS" setting in the server.xml file:
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="C:\fm-keystore-935\fm-keystore.jsk"
keystorePass="agile123" keyAlias="ssl"
clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"/>
Extract wssconfigurator.zip to a folder named wssconfigurator under <Agile_HOME>\agileDomain\tools\.
Add the following system property to the wssconfigurator.sh file located in <Agile_HOME>\agileDomain\tools\wssconfigurator\:
WLST_PROPERTIES="-Dweblogic.security.SSL.protocolVersion=TLS1"
export WLST_PROPERTIES
Complete the following procedures, as appropriate, to deselect SSL 3.0 from the user client side.
If you have multiple JREs installed, you must identify which JRE is used locally, then navigate to its installation folder and run %JRE_HOME%\bin\javacpl.exe to start the Java Control Panel:
Click the Advanced tab.
Under Advanced Security Settings, deselect Use SSL 3.0.
Click Apply.
Click the Java tab.
Click View... to view the Java Runtime settings.
Add -Dweblogic.security.SSL.protocolVersion=TLS1 to the Runtime Parameters field for the selected JRE.
Click OK.
Note: Changes made to the Control Panel while the browser is open take effect only after the browser is restarted. Java WebStart applications, like the Agile PLM Java Client, must also be restarted for changes to take effect.
Table E-1 System Properties to Disable SSL 3.0
JDK Version | System Property to Disable SSL 3.0 |
---|---|
JDK 5, 6, 7 | java -Dhttps.protocols="TLSv1" -Dweblogic.security.SSL.protocolVersion=TLS1 <MyApp> |
JDK 8 and above | java -Dweblogic.security.SSL.protocolVersion=TLS1 -Dhttps.protocols="TLSv1, TLSv1.1, TLSv1.2" -Djdk.tls.client.protocols="TLSv1, TLSv1.1,TLSv1.2" <MyApp> |
Table E-2 Steps to Disable SSL 3.0 By Browser
Browser | Steps to disable SSL 3.0 |
---|---|
Internet Explorer | |
Mozilla Firefox | Alternatively, you can install the Firefox extension SSL Version Control, which provides a graphical way to specify the minimum SSL version. |
Chrome | Chrome does not have a configurable setting in the user interface to turn off SSL 3.0. Instead, Chrome needs to be told not to use SSL 3.0 at launch. To automatically launch Chrome with SSL 3.0 disabled, run Chrome with the command Chrome.exe -ssl-version-min=tls1 to specify that the minimum version of SSL to be used is TLS 1.0. |
Safari | There is no setting for Safari to disable SSL 3.0. You must upgrade the Safari browser to the latest version. Apple has released Security Update 2014-005, which disables CBC-mode ciphers in coordination with SSL 3.0. |