Products | Versions
---|---
TIBCO Cloud API Management - Local Edition | 4.4.3 Hotfix 1
Enabling ML 4.4.3 to accept requests using TLS 1.2:
The purpose of this article is to enable Mashery Local (ML) 4.4.3 to accept requests using TLS 1.2. You will first need to update to the latest ML 4.4.3 Hotfix 1 version. The attached procedure, reproduced below, enables Cluster Manager in pre-built ML 4.4.2 or 4.4.3 to accept requests using TLS 1.2.
Here are the steps to accept requests using TLS 1.2:
Running Cluster Manager with TLS v1.2 for Mashery Local 4.4.2 and 4.4.3
The following are the steps to enable Cluster Manager in pre-built ML 4.4.2 or 4.4.3 to accept requests using TLS 1.2 (TLS 1.0 and TLS 1.1 are disabled in the lighttpd configuration in step 7).
1) Update the mirror list for the CentOS yum repo (the CentOS 6.10 packages are served from vault.centos.org)
sed -i -e 's/^mirrorlist/#mirrorlist/g' -e 's/^#baseurl=http:\/\/mirror.centos.org\/centos\/$releasever\//baseurl=http:\/\/vault.centos.org\/6.10\//g' /etc/yum.repos.d/CentOS-Base.repo
2) Upgrade installed components
yum -y upgrade
3) Verify that a TLS 1.2 connection to the Cluster Manager port (5480) succeeds before disabling TLS 1.0 and TLS 1.1
openssl s_client -connect 192.168.1.35:5480 -tls1_2
4) Install development tools
yum install -y autoconf automake libtool m4 pcre pcre-devel pkg-config bzip2-devel zlib-devel
5) Download and build OpenSSL 1.0.2d (note that --no-check-certificate skips certificate validation for the download, so verify the tarball against the published checksum before building)
mkdir -p /opt/ein-9309/lighttpd
cd /opt/ein-9309/
wget --no-check-certificate https://openssl.org/source/openssl-1.0.2d.tar.gz
tar -xvf openssl-1.0.2d.tar.gz
cd openssl-1.0.2d
./config shared --openssldir=/opt/ein-9309/openssl
make
make install
6) Update lighttpd to lighttpd-1.4.48, built against the OpenSSL from step 5
mkdir -p /opt/ein-9309/lighttpd
cd /opt/ein-9309/
wget --no-check-certificate https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.48.tar.gz
tar -xvf lighttpd-1.4.48.tar.gz
cd lighttpd-1.4.48
./configure --with-openssl --with-openssl-libs=/opt/ein-9309/openssl/lib --with-openssl-includes=/opt/ein-9309/openssl/include --prefix=/opt/ein-9309/lighttpd
make
make install
7) Update the server modules. Add or replace the following settings in /opt/vmware/etc/lighttpd/lighttpd.conf (the Protocol directive disables SSLv2, SSLv3, TLS 1.0 and TLS 1.1, leaving only TLS 1.2):
server.modules += ("mod_openssl")
ssl.openssl.ssl-conf-cmd = ("Protocol" => "all,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1")
ssl.engine = "enable"
ssl.pemfile = "/opt/vmware/etc/lighttpd/server.pem"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
ssl.disable-client-renegotiation = "enable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.use-compression = "disable"
8) Update the vami-lighttp start-up files so the service uses the new lighttpd and OpenSSL builds
chmod +w /etc/init.d/vami-lighttp
rm -f /etc/init.d/vami-lighttp
cp /opt/vmware/etc/init.d/vami-lighttp /etc/init.d/vami-lighttp
chmod +wx /etc/init.d/vami-lighttp
Edit /etc/init.d/vami-lighttp:
# EIN-9309 - use lighttpd 1.4.48
#prog="vami-lighttpd"
#lighttpd="/opt/vmware/sbin/$prog"
prog="lighttpd"
lighttpd="/opt/ein-9309/lighttpd/sbin/$prog"
export LD_LIBRARY_PATH=/opt/ein-9309/openssl/lib:/usr/lib64
Restart lighttpd:
service vami-lighttp restart
9) Restart the OVA and verify
openssl s_client -connect 192.168.1.36:5480 -tls1_2
Expected result (the verify errors are expected because the Cluster Manager certificate is self-signed; the key lines are "Protocol : TLSv1.2" and the negotiated cipher):
CONNECTED(00000003)
depth=0 CN = www.tibco.com, O = TIBCO Software Inc., OU = Mashery, C = US
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = www.tibco.com, O = TIBCO Software Inc., OU = Mashery, C = US
verify error:num=9:certificate is not yet valid
notBefore=Apr 14 11:43:29 2022 GMT
verify return:1
depth=0 CN = www.tibco.com, O = TIBCO Software Inc., OU = Mashery, C = US
notBefore=Apr 14 11:43:29 2022 GMT
verify return:1
---
Certificate chain
0 s:/CN=www.tibco.com/O=TIBCO Software Inc./OU=Mashery/C=US
i:/CN=www.tibco.com/O=TIBCO Software Inc./OU=Mashery/C=US
---
Server certificate
subject=/CN=www.tibco.com/O=TIBCO Software Inc./OU=Mashery/C=US
issuer=/CN=www.tibco.com/O=TIBCO Software Inc./OU=Mashery/C=US
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1469 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 1D39D91DE9CD0F764DFB3B160B94741D30274CB0073C1B3B29AB6AC18B0CD5A6
Session-ID-ctx:
Master-Key: EA78D5F21B08589AE9836298855809B91C4830DA6ECA8989A7359C03291995B967ECCF9B6130C9B48D9417C19380FC68
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1649922476
Timeout : 7200 (sec)
Verify return code: 9 (certificate is not yet valid)
---
HTTP/1.0 400 Bad Request
Content-Type: text/html
Content-Length: 349
Connection: close
Date: Thu, 14 Apr 2022 13:17:57 GMT
Server: lighty
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>400 - Bad Request</title>
</head>
<body>
<h1>400 - Bad Request</h1>
</body>
</html>
closed
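Step 9 only shows that TLS 1.2 is accepted; the change in step 7 is only complete if TLS 1.0 and TLS 1.1 are now refused as well. The following helper, an added example that is not part of the TIBCO article, probes the Cluster Manager port once per protocol version with openssl s_client and classifies each attempt from the SSL-Session summary; the host:port argument and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the TIBCO article): probe a Cluster Manager port with
# openssl s_client once per protocol version and classify each attempt from the
# SSL-Session summary that s_client prints. Host/port are caller-supplied.

# Classify s_client output read from stdin. Prints the negotiated protocol
# (e.g. "TLSv1.2") when a cipher was agreed, or "rejected" when the handshake
# failed (s_client then reports "Cipher : 0000") or produced no session at all.
handshake_result() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    if [ -n "$proto" ] && [ -n "$cipher" ] && [ "$cipher" != "0000" ]; then
        printf '%s\n' "$proto"
    else
        printf 'rejected\n'
    fi
}

# One probe: host:port plus an s_client version flag (-tls1, -tls1_1, -tls1_2).
# Empty stdin makes s_client exit right after the handshake; its exit status is
# ignored on purpose because the classification comes from the summary text.
probe() {
    printf '' | openssl s_client -connect "$1" "$2" 2>/dev/null | handshake_result
}

# Policy after step 7: TLS 1.0 and 1.1 must be rejected and TLS 1.2 must
# negotiate. Returns 0 when the policy holds, 1 when any probe disagrees.
check_policy() {
    ok=0
    for flag in -tls1 -tls1_1; do
        r=$(probe "$1" "$flag")
        [ "$r" = "rejected" ] || { echo "FAIL: $flag negotiated $r"; ok=1; }
    done
    r=$(probe "$1" -tls1_2)
    [ "$r" = "TLSv1.2" ] || { echo "FAIL: -tls1_2 gave '$r'"; ok=1; }
    return $ok
}

# Usage: sh tls_policy_check.sh 192.168.1.36:5480
if [ "$#" -eq 1 ]; then
    check_policy "$1" && echo "PASS: $1 accepts TLS 1.2 only"
fi
```

Run it against the Cluster Manager address from step 9 after the restart; a PASS line confirms the server negotiates TLS 1.2 and refuses the older versions, and any FAIL line names the probe that disagreed.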