Tech Tip - CA Single Sign-On:Administrative UI: Does the standalone Admin UI installation support TLSv1.2 ?

View Only

Tech Tip - CA Single Sign-On:Administrative UI: Does the standalone Admin UI installation support TLSv1.2 ?

By Ujwol posted Jan 27, 2016 08:26 PM

Recommend

Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Jan 28, 2016

Problem Summary

Customer wants to disable SSL protocol and enable TLSv1.2 for Administrative UI access due to recent Poodle & BEAST (CVE-2011-3389) vulnerability with SSLv3.0/TLSv1.0

What determines the embedded JBOSS supportability to various SSL/TLS protocols?

The version of SSL/TLS protocol supported by JBoss Application server depends on the JDK/JRE that it uses.

Now, here is the supportability chart across different version for JDK.

	JDK 8 (March 2014 to present)	JDK 7 (July 2011 to present)	JDK 6 (2006 to end of public updates 2013)
TLS Protocols	TLSv1.2 (default) TLSv1.1 TLSv1 SSLv3	TLSv1.2 TLSv1.1 TLSv1 (default) SSLv3	TLSv1 (default) SSLv3
JSSE Ciphers:	Ciphers in JDK 8	Ciphers in JDK 7	Ciphers in JDK 6
Reference:	JDK 8 JSSE	JDK 7 JSSE	JDK 6 JSSE
Java Cryptography Extension, Unlimited Strength (explained later)	JCE for JDK 8	JCE for JDK 7	JCE for JDK 6

Reference : https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https

Does Admin UI R12.52SP1 CR7 Supports TLS v1.2 ?

The standalone Admin UI installer for R12.52 SP1 CR7 installs following JBOSS and JRE version :

JBOSS Version : 5.1.0 GA
JRE : 1.6 Update 45 ( JRE is installed under <AdminUI_install_directory>/runtime/)

So, unfortunately, R12.52 SP1 CR7 Admin UI does NOT support TLSv1.2 protocol as the underlying JRE 1.6 does not support it.

Also note the following:

Customer also cannot simply upgrade their JRE to 1.7 as the JBOSS 5 is not certified with JRE 1.7.

What Next ?

For r12.52SP1.CR.XX

We already have couple of ticket opened with our sustaining engineering to enable TLS v1.2 support for Admin UI.

Most likely engineering will fix this issue by upgrading JBoss and JRE in the upcoming CR for r12.52 SP1.

This post will be updated when that happens.

(Update : As of 29/06/2017 or 12.52SP1CR7 doesn't' have support for this yet)

For r12.52SP2

Admin UI for r12.52SP2 now bundles embedded JBoss 8.2 & JDK 1.8 for the standalone installation.

TLS 1.2 is enabled by default in the Jboss configuration as well.

This is done by setting enabled-protocols flag in admin_ui_installation_dir\standalone\configuration\ standalone.xml file.

to enabled-protocols=" TLSv1.1,TLSv1.2" as below :

<https-listener name="https" socket-binding="https" security-realm="SSLRealm" enabled-protocols="TLSv1.1,TLSv1.2"

Reference : https://docops.ca.com/ca-single-sign-on-1252sp2/en/installing/install-the-administrative-ui/install-the-administrative-ui-on-windows-stand-alone

0 comments

4 views

Symantec SiteMinder