8 Enabling TLS 1.3 Support in Offline Mediation Controller (Release 15.0.1 or later)

This section provides instructions for enabling TLS 1.3 support in Offline Mediation Controller deployments, enhancing communication security. TLS 1.3 offers improved security features compared to older protocols.

About TLS 1.3 Compatibility

Before enabling TLS 1.3, it is important to understand some potential compatibility considerations. When it comes to backwards compatibility, TLS 1.3 can negotiate with older clients (TLS 1.2 and below) but has some key differences:
  • TLS 1.3 uses a half-close policy, while TLS 1.2 and earlier use a duplex-close policy. Applications that depend on the duplex-close policy may encounter compatibility issues when upgrading to TLS 1.3.
  • The signature_algorithms_cert extension requires the use of pre-defined signature algorithms for certificate authentication.
  • The DSA signature algorithm is not supported in TLS 1.3. A server that is configured to use only DSA certificates cannot negotiate a TLS 1.3 connection.
  • The cipher suites supported by TLS 1.3 are not the same as those for TLS 1.2 and earlier versions. Applications that hardcode cipher suites that are no longer supported may not be able to use TLS 1.3 without modifications to their code.
  • Session resumption and key update behaviours differ between TLS 1.3 and TLS 1.2. Although the compatibility impact should be minimal, there is a potential risk if an application depends on the handshake details of the TLS protocol.

Enabling TLS 1.3 Support Automatically

To enable support for TLS 1.3 automatically for your Offline Mediation Controller cloud native deployment:
  1. Ensure you are using the latest Offline Mediation Controller 15.0.1.0 image.
  2. In your override-values.yaml file, set the ocomcCore.configEnv.forceGenSslcert flag to true.
  3. Run the helm upgrade command for oc-cn-ocomc-15.0.1.0.0.

These steps automatically generate new certificates in the Offline Mediation Controller image using the latest JDK available. If you encounter compatibility issues, enable TLS 1.3 support manually.

Manually Enabling TLS 1.3 Support

To manually enable TLS 1.3 in your Offline Mediation Controller cloud native deployment:
  1. Generate a new KeyStore using the keytool utility. If generating externally, use the latest Java version.
  2. Use a signature algorithm supported by TLS 1.3 during certificate generation.
  3. Load the newly generated KeyStore into the appropriate TrustStore.
  4. Restart all Offline Mediation Controller components after loading the new keystore.
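The following script is an added example of steps 1 to 3 of the manual procedure; it is not Oracle's own tooling and is not part of this document. It generates a PKCS12 KeyStore with keytool, refuses any signature algorithm that TLS 1.3 cannot use (every DSA variant, SHA-1 and MD5 signatures), exports the certificate into a TrustStore, and then reads the signature algorithm back from the KeyStore to confirm the result. The file names, alias, password, subject DN and validity period are assumptions chosen for illustration; step 4 (restarting the components) depends on your deployment and is not scripted here.

```shell
#!/bin/sh
# Added example (not Oracle's own tooling): create a TLS 1.3-compatible
# KeyStore with keytool, export its certificate into a TrustStore, and read
# the signature algorithm back to confirm it is one TLS 1.3 accepts.
# File names, alias, password and DN below are assumptions for illustration.
set -eu

KEYSTORE="${KEYSTORE:-ocomc-keystore.p12}"
TRUSTSTORE="${TRUSTSTORE:-ocomc-truststore.p12}"
ALIAS="${ALIAS:-ocomc}"
STOREPASS="${STOREPASS:-changeit}"                       # placeholder; set a real secret
DNAME="${DNAME:-CN=ocomc.example.internal, O=Example}"  # assumed subject
VALIDITY_DAYS="${VALIDITY_DAYS:-365}"

# Allowlist of keytool -sigalg names usable for TLS 1.3 certificate
# authentication (RSA PKCS#1 v1.5 with SHA-2, ECDSA with SHA-2).
# Anything else, including every DSA variant and SHA-1/MD5 signatures,
# is rejected. Returns 0 when usable, 1 otherwise.
tls13_sigalg_ok() {
  case "$1" in
    SHA256withRSA|SHA384withRSA|SHA512withRSA) return 0 ;;
    SHA256withECDSA|SHA384withECDSA|SHA512withECDSA) return 0 ;;
    *) return 1 ;;
  esac
}

# Map a signature algorithm to the keytool -keyalg that produces a matching key.
keyalg_for() {
  case "$1" in
    *withECDSA) echo EC ;;
    *withRSA)   echo RSA ;;
    *) return 1 ;;
  esac
}

# Key size per key algorithm (2048-bit RSA minimum; P-256 for EC).
keysize_for() {
  case "$1" in
    EC)  echo 256 ;;
    RSA) echo 2048 ;;
    *) return 1 ;;
  esac
}

# Steps 1 and 2: generate the KeyStore, refusing algorithms TLS 1.3 cannot use.
generate_keystore() {
  sigalg="$1"
  if ! tls13_sigalg_ok "$sigalg"; then
    echo "refusing -sigalg $sigalg: not usable for TLS 1.3" >&2
    return 1
  fi
  keyalg="$(keyalg_for "$sigalg")"
  keytool -genkeypair -alias "$ALIAS" -keyalg "$keyalg" \
    -keysize "$(keysize_for "$keyalg")" -sigalg "$sigalg" \
    -dname "$DNAME" -validity "$VALIDITY_DAYS" \
    -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$STOREPASS"
}

# Step 3: export the certificate and import it into the TrustStore.
export_to_truststore() {
  keytool -exportcert -rfc -alias "$ALIAS" -file "$ALIAS.pem" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
  keytool -importcert -noprompt -alias "$ALIAS" -file "$ALIAS.pem" \
    -keystore "$TRUSTSTORE" -storetype PKCS12 -storepass "$STOREPASS"
}

# Read the signature algorithm back from the KeyStore entry.
keystore_sigalg() {
  keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    | sed -n 's/^Signature algorithm name: \([^ ]*\).*$/\1/p' | head -n 1
}

main() {
  sigalg="${1:-SHA256withECDSA}"
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found: install a current JDK first" >&2
    return 1
  fi
  generate_keystore "$sigalg"
  export_to_truststore
  actual="$(keystore_sigalg)"
  if tls13_sigalg_ok "$actual"; then
    echo "KeyStore $KEYSTORE signs with $actual: usable for TLS 1.3"
  else
    echo "KeyStore $KEYSTORE signs with $actual: NOT usable for TLS 1.3" >&2
    return 1
  fi
}

# Runs only when invoked as: sh tls13-keystore.sh run [SIGALG]
case "${1:-}" in
  run) main "${2:-}" ;;
esac
```

Invoke it as `sh tls13-keystore.sh run SHA256withRSA` (or with no algorithm to get SHA256withECDSA). The allowlist is deliberately short: rather than trying to enumerate everything TLS 1.3 rejects, it names the SHA-2 RSA and ECDSA algorithms that keytool accepts and that TLS 1.3 uses for certificate authentication, so a stray `SHA1withDSA` or `SHA256withDSA` is refused before any key material is written.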