Description: To fix the POODLE vulnerability (CVE-2014-3566):
- TIBCO has released TIBCO Runtime Agent (TRA) 5.9.0 hotfix-05 for our security implementation. Please refer to LBN:43232 for TIBCO Runtime Agent 5.9.0 Hotfix-05.
- TIBCO has also released TIBCO Runtime Agent (TRA) 5.8.0 hotfix-08 for our security implementation. Please refer to LBN:43917 for TIBCO Runtime Agent 5.8.0 Hotfix-08.
- TIBCO has also released TIBCO Runtime Agent (TRA) 5.7.4 hotfix-03 for our security implementation. Please refer to LBN:43289 for TIBCO Runtime Agent 5.7.4 Hotfix-03.
Customers using TIBCO Runtime Agent 5.7.3 and below can use the manual steps given below to secure the Tomcat 5.x bundled with TIBCO Runtime Agent 5.7.3 and below.
Please NOTE: these steps are needed only if you have configured your TIBCO Administrator to use HTTPS.
Manual steps:
Edit the server.xml file present within <TIBCO_HOME>/administrator/domain/<domain name>/tomcat/conf
a) Remove the SslImplementationName and ciphersClass attributes from the server.xml file.
b) Remove the obfuscated values (the ones starting with #!) of the aliasPass and keystorePass attributes in the HTTPS connector and put the passwords in clear text.
c) Add the attributes sslProtocol="TLS" and sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" in the HTTPS connector.
Example:
<!-- Original Entry in server.xml when we Enable HTTPS for Domain-->
<Connector port="28443" protocol="HTTP/1.1" SSLEnabled="true" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="10" scheme="https" secure="true"
keystoreFile="C:/tibco/administrator/domain/590FileSSLDomain/SSL/keystore" keystorePass="#!0VQznQdEeuNLcSdR9Y+JZdr8T/cagVlTIl50KNJdWyQ="
SslImplementationName="com.tibco.security.tomcat.TibcoJSSEImplementation" ciphersClass="AtLeast128Bit" sslProtocol="TLS"
keyAlias="tomcat_590filessldomain" aliasPass="#!0VQznQdEeuNLcSdR9Y+JZdr8T/cagVlTIl50KNJdWyQ="/>
<!-- CHANGES FOR POODLE -->
<Connector port="28443" protocol="HTTP/1.1" SSLEnabled="true" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="10" scheme="https" secure="true"
keystoreFile="C:/tibco/administrator/domain/590FileSSLDomain/SSL/keystore" keystorePass="password" sslProtocol="TLS"
sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
keyAlias="tomcat_590filessldomain" aliasPass="password"/>
If you are using Tomcat 5.x bundled with TRA 5.6.x or 5.7.3 and below, please NOTE that Tomcat 5.x is already in End Of Life status. TIBCO Support recommends upgrading to TIBCO Runtime Agent 5.9.0. However, if you want to manually disable SSLv3 in Tomcat 5.x, add the attribute sslProtocols instead of sslEnabledProtocols in server.xml; the rest of the steps are the same as listed for Tomcat 7.x.
sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
NOTE: "sslEnabledProtocols" is set to prevent SSLv3 vulnerabilities by forcing only TLS protocols ("Poodle" CVE-2014-3566) - this applies to Tomcat 7.X.
See: https://wiki.apache.org/tomcat/Security/POODLE.
If the sslEnabledProtocols or sslProtocols (for Tomcat 5.x) attribute is specified, only protocols that are listed and supported by the SSL implementation will be enabled.
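To confirm that every HTTPS connector in a server.xml reflects the manual steps above (for both the Tomcat 7.x sslEnabledProtocols and the Tomcat 5.x sslProtocols variant), the following audit script is added here as an example; it is not TIBCO's or Tomcat's own tooling, and the embedded server.xml sample with its port numbers is constructed for illustration.

```python
"""Audit a Tomcat server.xml for the POODLE hardening steps described above.

Added example, not TIBCO tooling. For each SSLEnabled connector it checks that
the protocol whitelist attribute is present and excludes SSLv3, that the
SslImplementationName / ciphersClass attributes were removed, and that the
"#!" obfuscated keystorePass / aliasPass values were replaced.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one un-hardened and one hardened HTTPS connector, plus a plain HTTP one.
SAMPLE_SERVER_XML = """<Server>
 <Service name="Catalina">
  <Connector port="28443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
   keystorePass="#!0VQznQdEeuNLcSdR9Y+JZdr8T/cagVlTIl50KNJdWyQ="
   SslImplementationName="com.tibco.security.tomcat.TibcoJSSEImplementation"
   ciphersClass="AtLeast128Bit" sslProtocol="TLS"
   keyAlias="tomcat_590filessldomain" aliasPass="#!0VQznQdEeuNLcSdR9Y+JZdr8T/cagVlTIl50KNJdWyQ="/>
  <Connector port="28444" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
   keystorePass="password" sslProtocol="TLS" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
   keyAlias="tomcat_590filessldomain" aliasPass="password"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
 </Service>
</Server>"""

# Tomcat 7.x uses sslEnabledProtocols; Tomcat 5.x uses sslProtocols (see the note above).
PROTOCOL_ATTR = {5: "sslProtocols", 7: "sslEnabledProtocols"}


def audit_connectors(xml_text, tomcat_major=7):
    """Return {port: [findings]} for every SSLEnabled connector.
    An empty findings list means the connector matches the manual steps."""
    attr_name = PROTOCOL_ATTR[tomcat_major]
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connectors do not negotiate SSL/TLS at all
        findings = []
        protocols = conn.get(attr_name)
        if protocols is None:
            findings.append("missing %s (SSLv3 still negotiable)" % attr_name)
        elif "SSLV3" in {p.strip().upper() for p in protocols.split(",")}:
            findings.append("%s still lists SSLv3" % attr_name)
        for attr in ("SslImplementationName", "ciphersClass"):
            if attr in conn.attrib:
                findings.append("remove attribute %s" % attr)
        for attr in ("keystorePass", "aliasPass"):
            if conn.get(attr, "").startswith("#!"):
                findings.append("%s is still an obfuscated #! value" % attr)
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or ["OK"])
```

Run it against the real `<TIBCO_HOME>/administrator/domain/<domain name>/tomcat/conf/server.xml` by reading that file into `audit_connectors` in place of the sample.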