How to control SSL Security Versions and Ciphers for Inbound SSl connections in Gateway Server?
Article ID: KB0075496
Updated On:
| Products | Versions |
|---|---|
| TIBCO BusinessConnect | 6.4.0, 7.0.0, 7.1.0, 7.2.0 |
Description
Due to security reasons, how to allow or restrict certain SSL Security Versions and Ciphers in Gateway Server?
Issue/Introduction
How to allow or restrict certain SSL security versions and ciphers in Gateway Server
Environment
ALL
Resolution
1. SSL Security Versions:
*********************************
To control SSL Security Versions, please add the below property in Gateway Server tra file (gsengine.tra)
java.property.bc.security.restrictVersion=<value>
If you specify the <value> say TLSv1.1, the Gateway Server would expect and allow all the SSL inbound connections with minimum security version as TLSv1.1 (or Higher). The inbound ssl connections with lower versions such as TLSv1, SSLv3 etc would be rejected.
added into the gsengine.tra file, the SSLv3 is allowed as the lowest security version for all inbound ssl connections.
Note: If you use TLS version 1.1 or 1.2, you have to select SUN or IBM as the security vendor for inbound (and outbound) socket operations in Administrator GUI > BusinessConnect > System Settings > Activated Protocol Plug-ins and Properties > BC > bc.securityVendor.sockets
Please see the section "Activated Protocol Plug-ins and Properties" in the book TIBCO BusinessConnect Trading Partner Administration for more information
2. Cipher Suites to use with SSL:
**************************************
To set a prioritized list of cipher suites to be used with SSL, please add the below property in Gateway Server tra file (gsengine.tra)
java.property.https.cipherSuites=<values>
The values can be a comma-separated list of supported cipher suites. The list depends on the Minimum Encryption Strength selected when you create a Gateway Services that uses HTTP transport.
For example, a value of TLS_RSA_WITH_RC4_128_SHA can be used to prioritize this cipher suite only if you selected "Only 128-Bit and Stronger" for the Gateway Service (Administrator GUI > BusinessConnect > Gateway > Gateway Services > Name of Http Service > Transport > Advanced > Minimum Encryption Strength).
Please see the section "Configuring Gateway Services" in the book TIBCO BusinessConnect Gateway Server Administration for more information about encryption and gateway services.
To troubleshoot this, please enable debug for the ssl connections, and follow the article: 000020228
*********************************
To control SSL Security Versions, please add the below property in Gateway Server tra file (gsengine.tra)
java.property.bc.security.restrictVersion=<value>
If you specify the <value> say TLSv1.1, the Gateway Server would expect and allow all the SSL inbound connections with minimum security version as TLSv1.1 (or Higher). The inbound ssl connections with lower versions such as TLSv1, SSLv3 etc would be rejected.
If the value of this property is not set, or If this property is not
added into the gsengine.tra file, the SSLv3 is allowed as the lowest security version for all inbound ssl connections.
Note: If you use TLS version 1.1 or 1.2, you have to select SUN or IBM as the security vendor for inbound (and outbound) socket operations in Administrator GUI > BusinessConnect > System Settings > Activated Protocol Plug-ins and Properties > BC > bc.securityVendor.sockets
Please see the section "Activated Protocol Plug-ins and Properties" in the book TIBCO BusinessConnect Trading Partner Administration for more information
2. Cipher Suites to use with SSL:
**************************************
To set a prioritized list of cipher suites to be used with SSL, please add the below property in Gateway Server tra file (gsengine.tra)
java.property.https.cipherSuites=<values>
The values can be a comma-separated list of supported cipher suites. The list depends on the Minimum Encryption Strength selected when you create a Gateway Services that uses HTTP transport.
For example, a value of TLS_RSA_WITH_RC4_128_SHA can be used to prioritize this cipher suite only if you selected "Only 128-Bit and Stronger" for the Gateway Service (Administrator GUI > BusinessConnect > Gateway > Gateway Services > Name of Http Service > Transport > Advanced > Minimum Encryption Strength).
Please see the section "Configuring Gateway Services" in the book TIBCO BusinessConnect Gateway Server Administration for more information about encryption and gateway services.
To troubleshoot this, please enable debug for the ssl connections, and follow the article: 000020228
Additional Information
TIBCO BusinessConnect Trading Partner Administration User Guide
TIBCO BusinessConnect Gateway Server Administration User Guide
TIBCO BusinessConnect Gateway Server Administration User Guide
Feedback
Yes
No
Powered by
