Configuring the on-premises Controller to use stronger Key Exchanges
You may want to change the SSL/TLS configuration of the on-premises Controller so that it allows only strong key exchanges. This is done by defining a minimum key size for Diffie-Hellman key exchanges, both for the ephemeral DH keys the JVM generates and for the DH key sizes the JVM is willing to accept.
Here is the procedure:
If Controller Version < 23.11:
Take a backup of the file <controller_home>/appserver/glassfish/domains/domain1/config/domain.xml and make the following change:

FROM:
<jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>

CHANGE TO:
<jvm-options>-Djdk.tls.ephemeralDHKeySize=preferred_key_size</jvm-options>
<jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>

EXAMPLE:
<jvm-options>-Djdk.tls.ephemeralDHKeySize=2048</jvm-options>
<jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>
Take a backup of <jre_used_by_the_controller>/lib/security/java.security and make the following change:

FROM:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

CHANGE TO:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < preferred_key_size, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

EXAMPLE:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
Restart the Controller Appserver for the change to take effect.
NOTE | This step involves Controller downtime.
Rediscover the Controller from the Enterprise Console (EC).
If Controller Version >= 23.11:
Take a backup of <jre_used_by_the_controller>/lib/security/java.security and make the following change:

FROM:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

CHANGE TO:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < preferred_key_size, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

EXAMPLE:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
Log in to the Enterprise Console GUI.
Select the Platform.
Go to the Configurations Tab.
Click on Controller Settings > Appserver Configurations > JVM Options.
Go to the section JVM Config, and add the following JVM Argument:
-Djdk.tls.ephemeralDHKeySize=preferred_key_size
EXAMPLE:
-Djdk.tls.ephemeralDHKeySize=2048
Click on Save at the bottom of the screen.
NOTE | This step involves Controller downtime.
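As an added example (not part of the original procedure and not vendor tooling), a small Python check that reads both settings back after the edit and confirms they enforce the intended minimum. It works on constructed sample content standing in for the real java.security and domain.xml; on a live system you would pass in the file contents instead.

```python
import re
from xml.etree import ElementTree

# Constructed sample of the java.security property this procedure edits,
# keeping the backslash line continuations used in the real file.
JAVA_SECURITY_SAMPLE = r"""
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
"""

# Constructed fragment of domain.xml with the JVM options (not the full file).
DOMAIN_XML_SAMPLE = """<java-config>
  <jvm-options>-Djdk.tls.ephemeralDHKeySize=2048</jvm-options>
  <jvm-options>-javaagent:${com.sun.aas.instanceRoot}/appagent/javaagent.jar</jvm-options>
</java-config>"""


def read_security_property(text, key):
    """Return the value of `key`, joining backslash-continued lines."""
    parts, pending = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if pending or line.startswith(key + "="):
            value = line if pending else line[len(key) + 1:]
            parts.append(value.rstrip("\\").strip())
            pending = line.endswith("\\")
    return " ".join(parts) if parts else None


def disabled_dh_key_size(text):
    """Extract N from the 'DH keySize < N' constraint; None if absent."""
    value = read_security_property(text, "jdk.tls.disabledAlgorithms")
    match = re.search(r"DH keySize\s*<\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def ephemeral_dh_key_size(xml_text):
    """Extract the numeric -Djdk.tls.ephemeralDHKeySize value from <jvm-options>."""
    root = ElementTree.fromstring(xml_text)
    for opt in root.iter("jvm-options"):
        match = re.fullmatch(r"-Djdk\.tls\.ephemeralDHKeySize=(\d+)", (opt.text or "").strip())
        if match:
            return int(match.group(1))
    return None  # option missing or set to a non-numeric keyword


def meets_minimum(security_text, xml_text, minimum):
    """True only if both settings enforce at least `minimum` bits of DH."""
    sizes = (disabled_dh_key_size(security_text), ephemeral_dh_key_size(xml_text))
    return all(s is not None and s >= minimum for s in sizes)
```

Both values must agree: the disabledAlgorithms entry rejects weak peers, while ephemeralDHKeySize governs what the Controller itself offers.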