Tech Tip - CA Single Sign-On: Administrative UI: Does the standalone Admin UI installation support TLSv1.2?

By Ujwol posted 01-27-2016 08:26 PM

  

Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Jan 28, 2016

 

Problem Summary

 

The customer wants to disable the SSL protocol and enable TLSv1.2 for Administrative UI access because of the recent POODLE and BEAST (CVE-2011-3389) vulnerabilities in SSLv3.0/TLSv1.0.

 

What determines which SSL/TLS protocols the embedded JBoss supports?

 

The SSL/TLS protocol versions supported by the JBoss application server depend on the JDK/JRE that it uses.

The following chart shows what each JDK version supports.

 

| | JDK 8 (March 2014 to present) | JDK 7 (July 2011 to present) | JDK 6 (2006 to end of public updates 2013) |
|---|---|---|---|
| TLS Protocols | TLSv1.2 (default), TLSv1.1, TLSv1, SSLv3 | TLSv1.2, TLSv1.1, TLSv1 (default), SSLv3 | TLSv1 (default), SSLv3 |
| JSSE Ciphers | Ciphers in JDK 8 | Ciphers in JDK 7 | Ciphers in JDK 6 |
| Reference | JDK 8 JSSE | JDK 7 JSSE | JDK 6 JSSE |
| Java Cryptography Extension, Unlimited Strength (explained later) | JCE for JDK 8 | JCE for JDK 7 | JCE for JDK 6 |

 

Reference : https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https

 

Does Admin UI R12.52 SP1 CR7 support TLSv1.2?

 

The standalone Admin UI installer for R12.52 SP1 CR7 installs the following JBoss and JRE versions:

 

  • JBOSS Version : 5.1.0 GA
  • JRE : 1.6 Update 45 ( JRE is installed under <AdminUI_install_directory>/runtime/)

 

So, unfortunately, the R12.52 SP1 CR7 Admin UI does NOT support the TLSv1.2 protocol, because the underlying JRE 1.6 does not support it.

Also note the following:

  • The customer also cannot simply upgrade the JRE to 1.7, as JBoss 5 is not certified with JRE 1.7.

 

What Next?

 

For r12.52SP1.CR.XX

 

We already have a couple of tickets open with our sustaining engineering team to enable TLSv1.2 support for the Admin UI.

Most likely, engineering will fix this issue by upgrading JBoss and the JRE in the upcoming CR for r12.52 SP1.

This post will be updated when that happens.

(Update: As of 29/06/2017 or 12.52SP1CR7, there is no support for this yet.)

 

For r12.52SP2

 

Admin UI for r12.52SP2 now bundles embedded JBoss 8.2 & JDK 1.8 for the standalone installation.

TLS 1.2 is also enabled by default in the JBoss configuration.

 

This is done by setting the enabled-protocols flag in the admin_ui_installation_dir\standalone\configuration\standalone.xml file to enabled-protocols="TLSv1.1,TLSv1.2", as below:

<https-listener name="https" socket-binding="https" security-realm="SSLRealm" enabled-protocols="TLSv1.1,TLSv1.2"/>
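
To verify this setting on an installation, the following Python is an added example (not part of the original post or of CA's tooling) that parses standalone.xml text and reports, for each https-listener, which protocols are enabled and whether SSLv3 or TLSv1 is still listed. The sample XML, its placeholder namespaces and the listeners named `legacy` and `bare` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# JSSE protocol names the post wants off: SSLv3 (POODLE) and TLSv1 (BEAST).
WEAK = {"SSLv3", "TLSv1"}

# Constructed sample: the first listener matches the post, the other two are
# hypothetical. The namespaces are placeholders, not the real schema URNs.
SAMPLE = """<server xmlns="urn:example:server">
  <subsystem xmlns="urn:example:undertow">
    <server name="default-server">
      <https-listener name="https" socket-binding="https"
          security-realm="SSLRealm" enabled-protocols=" TLSv1.1,TLSv1.2"/>
      <https-listener name="legacy" socket-binding="https2"
          security-realm="SSLRealm" enabled-protocols="SSLv3,TLSv1"/>
      <https-listener name="bare" socket-binding="https3"
          security-realm="SSLRealm"/>
    </server>
  </subsystem>
</server>"""


def local(tag):
    """Drop the '{namespace}' prefix so any schema version matches."""
    return tag.rsplit("}", 1)[-1]


def audit_https_listeners(xml_text):
    """Return one finding per <https-listener> found in standalone.xml text."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "https-listener":
            continue
        raw = el.get("enabled-protocols")
        # Tolerate stray spaces such as enabled-protocols=" TLSv1.1,TLSv1.2".
        protocols = [p.strip() for p in (raw or "").split(",") if p.strip()]
        findings.append({
            "name": el.get("name"),
            "protocols": protocols,
            "weak": [p for p in protocols if p in WEAK],
            "tls12": "TLSv1.2" in protocols,
            # Attribute absent: this file does not restrict the protocol set.
            "no_protocol_list": raw is None,
        })
    return findings


if __name__ == "__main__":
    for f in audit_https_listeners(SAMPLE):
        print(f)
```

A listener with a non-empty `weak` list or with `no_protocol_list` set is the one to review against the JDK chart above.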

 

Reference : https://docops.ca.com/ca-single-sign-on-1252sp2/en/installing/install-the-administrative-ui/install-the-administrative-ui-on-windows-stand-alone