AppDynamics Knowledge Base
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Learn Splunk
- :
- Learn Splunk Knowledge Base
- :
- AppDynamics Knowledge Base
- :
- How do I mitigate weak SSL/TLS key exchanges for t...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark Topic
- Subscribe to Topic
- Printer Friendly Page
- Report Inappropriate Content
How do I mitigate weak SSL/TLS key exchanges for the on-prem Controller?
How do I mitigate weak SSL/TLS key exchanges for the on-prem Controller?
Configuring the on-premises Controller to use stronger Key Exchanges
You may want to change the SSL/TLS configuration of the on-premises Controller to allow only strong key exchanges. This can be done by defining a minimum key size for Diffie Hellman Key Exchanges.
Here is the procedure:
If Controller Version < 23.11:
- Take a backup of the file,
<controller_home>/appserver/glassfish/domains/domain1/config/domain.xmland make the following change:
FROM -§ <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>CHANGE TO -
§ <jvm-options>-Djdk.tls.ephemeralDHKeySize=prefered_key_size</jvm-options> § <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>EXAMPLE -
§ <jvm-options>-Djdk.tls.ephemeralDHKeySize=2048</jvm-options> § <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options> - Take a backup of
<jre_used_by_the_controller>/lib/security/java.securityand make the following change:
FROM -
CHANGE TO -§ jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves
EXAMPLE -§ jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ DH keySize < prefered_key_size, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves§ jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves -
Restart the Controller Appserver for the change to take effect.
NOTE | This step involves Controller downtime.
-
Rediscover the Controller back to EC.
If Controller Version >= 23.11
- Take a backup of
<jre_used_by_the_controller>/lib/security/java.securityand make the following change:
FROM -§ jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves
CHANGE TO -§ jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ DH keySize < prefered_key_size, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves
EXAMPLE -§ jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves - Access the Enterprise Console GUI. Login.
- Select the Platform.
- Go to the Configurations Tab.
- Click on Controller Settings > Appserver Configurations > JVM Options.
- Go to the section JVM Config, and add the following JVM Argument:
-
-Djdk.tls.ephemeralDHKeySize=prefered_key_size - EXAMPLE:
-
-Djdk.tls.ephemeralDHKeySize=2048
-
-
- Click on Save at the bottom of the screen.
NOTE | This step involves Controller downtime.
