Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Jan 28, 2016
Problem Summary
Customer wants to disable SSL protocol and enable TLSv1.2 for Administrative UI access due to recent Poodle & BEAST (CVE-2011-3389) vulnerability with SSLv3.0/TLSv1.0
What determines the embedded JBOSS supportability to various SSL/TLS protocols?
The version of SSL/TLS protocol supported by JBoss Application server depends on the JDK/JRE that it uses.
Now, here is the supportability chart across different version for JDK.
Reference : https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https
Does Admin UI R12.52SP1 CR7 Supports TLS v1.2 ?
The standalone Admin UI installer for R12.52 SP1 CR7 installs following JBOSS and JRE version :
- JBOSS Version : 5.1.0 GA
- JRE : 1.6 Update 45 ( JRE is installed under <AdminUI_install_directory>/runtime/)
So, unfortunately, R12.52 SP1 CR7 Admin UI does NOT support TLSv1.2 protocol as the underlying JRE 1.6 does not support it.
Also note the following:
- Customer also cannot simply upgrade their JRE to 1.7 as the JBOSS 5 is not certified with JRE 1.7.
What Next ?
For r12.52SP1.CR.XX
We already have couple of ticket opened with our sustaining engineering to enable TLS v1.2 support for Admin UI.
Most likely engineering will fix this issue by upgrading JBoss and JRE in the upcoming CR for r12.52 SP1.
This post will be updated when that happens.
(Update : As of 29/06/2017 or 12.52SP1CR7 doesn't' have support for this yet)
For r12.52SP2
Admin UI for r12.52SP2 now bundles embedded JBoss 8.2 & JDK 1.8 for the standalone installation.
TLS 1.2 is enabled by default in the Jboss configuration as well.
This is done by setting enabled-protocols flag in admin_ui_installation_dir\standalone\configuration\ standalone.xml file.
to enabled-protocols=" TLSv1.1,TLSv1.2" as below :
<https-listener name="https" socket-binding="https" security-realm="SSLRealm" enabled-protocols="TLSv1.1,TLSv1.2"
Reference : https://docops.ca.com/ca-single-sign-on-1252sp2/en/installing/install-the-administrative-ui/install-the-administrative-ui-on-windows-stand-alone