How to disable Insecure Renegotiation for hawk webconsole

Article ID: KB0084178

Updated On: 04-24-2017

Products/Versions: TIBCO Hawk 5.x

Description

How to disable Insecure Renegotiation for Hawk Webconsole.

Environment

All

Resolution

1) Make sure SSL is enabled for the Webconsole as described in Article 000030978.
2) Add the following attribute to the SSL Connector in the Hawk Webconsole Tomcat configuration file HAWK_HOME/webconsole/tomcat/conf/server.xml:
   sslEnabledProtocols="TLSv1.2"


Example: entry in my environment
==========
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" acceptCount="10" scheme="https" secure="true"
           keystoreFile="E:/tibco/hawk520/hawk/5.2/webconsole/keystore" keystorePass="password"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
           keyAlias="tomcat" aliasPass="password"/>
==========

To disable insecure renegotiation, restrict the connector from the generic TLS setting (which still accepts TLS 1.0) to TLS 1.2 only.
After sslEnabledProtocols is set, an openssl s_client connection forced to -tls1 no longer completes a handshake and reports "Secure Renegotiation IS NOT supported", while a -tls1_2 connection succeeds and reports "Secure Renegotiation IS supported":
============================================================================================

C:\>openssl.exe s_client -connect localhost:8443 -tls1
Loading 'screen' into random state - done
CONNECTED(00000170)
80412:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:348:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1492720535
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

============================================================================================
C:\>openssl.exe s_client -connect localhost:8443 -tls1_2
Loading 'screen' into random state - done
CONNECTED(00000170)
depth=0 C = admin, ST = admin, L = admin, O = admin, OU = admin, CN = admin
verify error:num=18:self signed certificate
verify return:1
depth=0 C = admin, ST = admin, L = admin, O = admin, OU = admin, CN = admin
verify return:1
---
Certificate chain
 0 s:/C=admin/ST=admin/L=admin/O=admin/OU=admin/CN=admin
   i:/C=admin/ST=admin/L=admin/O=admin/OU=admin/CN=admin
---
Server certificate
subject=/C=admin/ST=admin/L=admin/O=admin/OU=admin/CN=admin
issuer=/C=admin/ST=admin/L=admin/O=admin/OU=admin/CN=admin
---
No client certificate CA names sent
---
SSL handshake has read 1696 bytes and written 503 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA
    Session-ID: 58F91DCB4C833F290BB4BEA68AF0B82973D639352B4E0947F935C2C786784E17
    Session-ID-ctx:
    Master-Key: FF608BA2CD2C7D4DC804C29AD17796460866098B8CC854B6C99B2B67ACB51B11A5ADAC05A054340924173085F2BAE68C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1492721099
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
read:errno=10093
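The two checks the procedure above relies on, as an added example that is not part of the original article: an audit of the server.xml SSL Connectors for a missing or permissive sslEnabledProtocols attribute, and a classifier for openssl s_client output that first confirms a cipher was actually negotiated, because a failed -tls1 handshake also prints "Secure Renegotiation IS NOT supported". The server.xml fragment and the s_client excerpts are constructed sample input, not files from any real installation.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: one SSL connector left at the generic sslProtocol="TLS"
# with no sslEnabledProtocols, one restricted to TLSv1.2 as the article recommends,
# and a plain HTTP connector that must be skipped.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"/>
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

# Protocol names below TLS 1.2 that a JSSE connector may list or default to.
LEGACY = {"SSLv2", "SSLv3", "SSLv2Hello", "TLSv1", "TLSv1.1"}

def audit_ssl_connectors(server_xml):
    """Return one {"port", "enabled", "problem"} dict per SSL-enabled Connector."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        raw = conn.get("sslEnabledProtocols")
        if raw is None:
            # Absent: Tomcat uses the JVM default list for sslProtocol="TLS", which on
            # Java 7/8 releases before 2021 still includes TLSv1 and TLSv1.1.
            enabled, problem = [], "sslEnabledProtocols missing; JVM default allows TLSv1"
        else:
            enabled = sorted(p.strip() for p in raw.split(",") if p.strip())
            legacy = [p for p in enabled if p in LEGACY]
            problem = ("legacy protocols enabled: " + ",".join(legacy)) if legacy else None
        findings.append({"port": conn.get("port"), "enabled": enabled, "problem": problem})
    return findings

# Constructed excerpts of the two s_client runs shown in the article.
TLS1_OUTPUT = "New, (NONE), Cipher is (NONE)\nSecure Renegotiation IS NOT supported\n"
TLS12_OUTPUT = "New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA\nSecure Renegotiation IS supported\n"

def renegotiation_status(s_client_output):
    """Classify s_client output as "no-handshake", "secure" or "insecure"."""
    # A rejected protocol version yields no cipher at all; treating that line as an
    # insecure-renegotiation finding would be a false positive.
    if "Cipher is (NONE)" in s_client_output:
        return "no-handshake"
    if "Secure Renegotiation IS supported" in s_client_output:
        return "secure"
    return "insecure"
```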