AppDynamics Knowledge Base
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
New Article

How do I disable TLS 1.0 and TLS 1.1 on the AppDynamics on-premises Controller?

How do I disable TLS 1.0 and TLS 1.1 on the AppDynamics on-premises Controller?

What are the steps for disabling TLS versions 1.0 and 1.1 on the on-premises Controller?

In this article...
Disable TLS 1.0 and 1.1  |  Test the Controller after disabling TLS 1.0 and 1.1

Disable TLS 1.0 and 1.1 

  1. Stop appserver
    <controller_home>/bin/controller.sh stop-appserver
  2. Take a backup of <controller_home>/appserver/glassfish/domains/domain1/config/domain.xml

  3. Locate the "ssl" element in domain.xml
    <ssl ssl3-tls ciphers="...." ssl3-enabled="false" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as" tls-enabled="false"></ssl>

    To disable TLS 1.0

    Set the attribute tls-enabled="false"

    NOTE | This attribute may already exist and be disabled by default (set to false). If set to "true" change it to "false" to disable TLS 1.0)
    To disable TLS 1.1 Add an attribute tls11-enabled="false" after the tls-enabled="false" attribute, with the two attributes separated by a space
    To enable TLS 1.2 explicitly TLS v1.2 is enabled by default after setting the two properties above. If you want to still indicate it in domain.xml , add the attribute tls12-enabled="true" separated from the previous attribute by a space
  4. After making the above changes, the SSL element looks like:
    <ssl ssl3-tls ciphers="...." ssl3-enabled="false" classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl" cert-nickname="s1as" tls-enabled="false" tls11-enabled="false" tls12-enabled="true"></ssl>
​

STEP 4 NOTES 

  • Do not change any other attributes other than tls-enabled, tls11-enabled and tls12-enabled
  • The ciphers="...." attribute is indicated with ellipses(...) because there are many ciphers and we didn't include them above since they were not to be changed. The actual domain.xml contains the list of ciphers and they are not to be changed.

  1. Start the appserver
    <controller_home>/bin/controller.sh start-appserver

STEP 5 NOTE  Allow a few minutes for the appserver to start.

Test the Controller after disabling TLS 1.0 and 1.1

  1. To test whether the Controller now accepts TLS 1.0, TLS 1.1 and TLS 1.2 protocol you could use OpenSSL to test the connectivity and for TLS 1 (which is TLS 1.0) and TLS 1_1 (which is TLS 1.1) the connectivity fails with "handshake failure"
    openssl s_client -connect <controller_host>:<controller_ssl_port> -tls1
openssl s_client -connect <controller_host>:<controller_ssl_port> -tls1_1
openssl s_client -connect <controller_host>:<controller_ssl_port> -tls1_2​

STEP 6 NOTES 

  • The the <controller_ssl_port> is the port tied to "http-listener-2" in <controller_home>/appserver/glassfish/domains/domain1/config/domain.xml <network-listener port="<PORT>" protocol="http-listener-2" transport="tcp" name="http-listener-2" thread-pool="http-thread-pool"></network-listener>

  • <controller_host> is the hostname of the server on which the controller is installed
0 Karma
Comments
Claudia_Landiva
‎02-01-2023 12:52 PM
‎02-01-2023 12:52 PM

Hello, Everyone

The content change above is under step 3, "To disable TLS 1.1".
Other than that, I just reformated the article, to make it (hopefully!) more scannable for you.

Claudia Landivar
Community Manager & Editor

0 Karma
Version history
Last update:
‎05-30-2017 11:11 AM
Updated by: