How to allow TLSv1 and TLSv1.1 algorithms for TIBCO Streaming 10.6.2 and later

Article ID: KB0072895

Products Versions
TIBCO Streaming 10.6 and later

Description

The JDK that ships with TIBCO Streaming 10.6.2 (Java version 11.0.11) disables the older TLSv1 and TLSv1.1 algorithms by default. This change was made in April 2021, as noted in the Oracle JRE and JDK Cryptographic Roadmap (see the roadmap table row with date '2021-04-20' for details).

This change was made to discourage the use of older TLS protocol versions, which are less secure than TLSv1.2 and later.

However, in some cases you may have legacy code (i.e. operators/adapters/functions) in your application that cannot support TLSv1.2. In this case, you may configure the TIBCO Streaming JDK to allow TLSv1 and TLSv1.1 if needed.

Resolution

Like all Java installations, the Streaming JDK uses a java.security file (under $STREAMBASE_HOME/jdk/conf/security/) to configure Java security settings. In the java.security file, you will find the option 'jdk.tls.disabledAlgorithms'. Starting in TIBCO Streaming 10.6.2, this is set as follows:
 
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

Hence, TLSv1 and TLSv1.1 are not allowed by default.

To allow TLSv1 and TLSv1.1 algorithms for TIBCO Streaming 10.6.2 and later, you may take advantage of the override setting in the java.security file. This setting is named 'security.overridePropertiesFile'. Be sure this is set to 'true' in your java.security file (it is enabled by default).

Next, create an override security file named (for example) 'allowTLSv1andTLSv1.1.security'. Place this anywhere on your system that will be readable by your Streaming application. This file should contain the following:
 
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

Here, we have removed TLSv1 and TLSv1.1 from the disabledAlgorithms list. To implement this override in your Streaming application, add the 'java.security.properties' argument. This can be set in a StreamBase Engine HOCON configuration file under the project's src/main/configurations/ folder. For example:
 
name = "sample-StreamBaseEngine-document"
type = "com.tibco.ep.streambase.configuration.sbengine"
version = "1.0.0"
configuration = {
  StreamBaseEngine = {
    jvmArgs = [
      "-Djava.security.properties=C:/path/to/allowTLSv1andTLSv1.1.security"
    ]
  }
}

This will leave your existing java.security file unmodified, in case you do not wish to apply this override to all applications that make use of the TIBCO Streaming JDK installation.
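
Before deploying an override file, it is worth confirming that it lifts only the TLSv1 and TLSv1.1 restrictions and leaves every other entry in place. The script below is an added example, not part of the original article or TIBCO's code; the function names are hypothetical and the sample inputs are the two property values shown above.

```python
# Values copied from the article (constructed input); on a real host, read
# java.security and the override file from disk instead.
BASELINE = r"""
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
"""
OVERRIDE = r"""
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
"""
EXPECTED_REENABLED = {"TLSv1", "TLSv1.1"}  # the only entries the article removes


def disabled_entries(text, key="jdk.tls.disabledAlgorithms"):
    """Return the entries of `key` as a set, joining backslash continuations.
    Assumes the 'name=value' form used in java.security."""
    logical, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is None and (not line or line[0] in "#!"):
            continue  # blank or comment line outside a continuation
        joined = (pending or "") + line
        if joined.endswith("\\"):
            pending = joined[:-1]  # value continues on the next line
        else:
            logical.append(joined)
            pending = None
    if pending is not None:
        logical.append(pending)
    value = None
    for entry in logical:
        name, sep, rest = entry.partition("=")
        if sep and name.strip() == key:
            value = rest  # a later definition replaces an earlier one
    if value is None:
        raise KeyError(f"{key} is not set")
    return {" ".join(item.split()) for item in value.split(",") if item.strip()}


def audit_override(baseline_text, override_text):
    """Report which baseline restrictions the override no longer applies."""
    reenabled = disabled_entries(baseline_text) - disabled_entries(override_text)
    unexpected = reenabled - EXPECTED_REENABLED
    return {"reenabled": sorted(reenabled), "unexpected": sorted(unexpected),
            "ok": not unexpected}
```

A changed constraint, such as a smaller 'DH keySize' bound, is reported under "unexpected" because the baseline entry is no longer present in the override. The script compares file contents only; it does not show which properties a running JVM actually loaded.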

Issue/Introduction

Outlines the procedure to allow TLSv1 and TLSv1.1 algorithms for legacy code that cannot support TLSv1.2 and later. TLSv1 and TLSv1.1 are now disabled by default in Streaming 10.6.2 and later.