Steps to enable the SSL 3.0 protocol for Forge
Parallel Forge
Steps to enable the SSL 3.0 protocol for Log Server
Note
If you enable SSL 3.0 and TLS 1.0 -- for compatibility or any other reason -- you thereby make your application vulnerable to the serious threats against which TLSv1.1 and TLSv1.2 provide protection.
To enable the SSL 3.0 protocol, follow these steps:
1. Open server.xml at %ENDECA_TOOLS_ROOT%\server\workspace\conf.
2. Change sslEnabledProtocols to sslEnabledProtocols="SSLv3" in the SSL connector:
   <Connector port="8443" SSLEnabled="true"
              protocol="org.apache.coyote.http11.Http11Protocol"
              maxPostSize="0" maxThreads="150" scheme="https" secure="true"
              clientAuth="true" sslEnabledProtocols="SSLv3"
              keystoreFile="cert.ks" keystorePass="eacpass"
              truststoreFile="ca.ks" truststorePass="eacpass"
              URIEncoding="UTF-8" />
3. Open the java.security file in %ENDECA_TOOLS_ROOT%/server/j2sdk/jre/lib/security.
4. Uncomment the jdk.tls.disabledAlgorithms property and disable all protocols except SSLv3:
   jdk.tls.disabledAlgorithms=TLSv1, TLSv1.1, TLSv1.2
To enable the TLS 1.0 protocol, follow these steps:
1. Open server.xml at %ENDECA_TOOLS_ROOT%\server\workspace\conf.
2. Change sslEnabledProtocols to sslEnabledProtocols="TLSv1" in the SSL connector:
   <Connector port="8443" SSLEnabled="true"
              protocol="org.apache.coyote.http11.Http11Protocol"
              maxPostSize="0" maxThreads="150" scheme="https" secure="true"
              clientAuth="true" sslEnabledProtocols="TLSv1"
              keystoreFile="cert.ks" keystorePass="eacpass"
              truststoreFile="ca.ks" truststorePass="eacpass"
              URIEncoding="UTF-8" />
3. Open the java.security file in %ENDECA_TOOLS_ROOT%/server/j2sdk/jre/lib/security.
4. Uncomment the jdk.tls.disabledAlgorithms property and disable all other protocols except TLSv1:
   jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, TLSv1.2
Steps to enable the SSL 3.0 protocol for Forge
Note
When the SSLv3 protocol is enabled for Forge, it must also be enabled for both Platform Services and Tools and Frameworks.
1. Open the DataIngest.xml file at APP_NAME/config/script.
2. Pass the extra argument "-sslv3" in the "args" argument for the Forge component:
   <forge id="Forge" host-id="ITLHost">
     <properties>
       <property name="numStateBackups" value="10" />
       <property name="numLogBackups" value="10" />
     </properties>
     <directories>
       <directory name="incomingDataDir">./data/incoming</directory>
       <directory name="configDir">./config/pipeline</directory>
       <directory name="wsTempDir">./data/workbench/temp</directory>
     </directories>
     <args>
       <arg>-vw</arg>
       <arg>--sslv3</arg>
     </args>
     <log-dir>./logs/forges/Forge</log-dir>
     <input-dir>./data/processing</input-dir>
     <output-dir>./data/forge_output</output-dir>
     <state-dir>./data/state</state-dir>
     <temp-dir>./data/temp</temp-dir>
     <num-partitions>1</num-partitions>
     <pipeline-file>./data/processing/pipeline.epx</pipeline-file>
     <ssl-config bean="sslConfig" ref="globalSslConfig"/>
     <!--
     <credentials-map>CREDENTIALS_MAP</credentials-map>
     <jps-config-path>JPSCONFIG_LOCATION</jps-config-path>
     <opss-jars-dir>OPSS_JARS_DIR</opss-jars-dir>
     -->
   </forge>
3. Modify the "globalSslConfig" in the APP_NAME/config/script/AppConfig.xml file to pass the ciphers that are supported for Forge when the SSLv3 protocol is enabled.
4. Verify that the warning message "SSLv3 is enabled" is logged in apps\APP_NAME\logs\forges\Forge\Forge.log.
Parallel Forge
Note
To enable SSLv3 during Parallel Forge execution, add -sslv3 to the arguments while starting Forge as server and Forge as client.
Steps to enable the SSL 3.0 protocol for Log Server
Note
When the SSLv3 protocol is enabled for the Logserver, it must also be enabled for both Platform Services and Tools and Frameworks.
1. Open the ReportGeneration.xml file in APP_NAME/config/script.
2. Specify "-sslv3" in an <arg> element:
   <logserver id="LogServer" host-id="ReportGenerationHost" port="15010">
     <properties>
       <property name="numLogBackups" value="10" />
       <property name="targetReportGenDir" value="./reports/input" />
       <property name="targetReportGenHostId" value="ReportGenerationHost" />
     </properties>
     <args>
       <arg>--sslv3</arg>
     </args>
     <log-dir>./logs/logservers/LogServer</log-dir>
     <output-dir>./logs/logserver_output</output-dir>
     <startup-timeout>120</startup-timeout>
     <gzip>false</gzip>
   </logserver>
3. Modify the "globalSslConfig" in APP_NAME/config/script/AppConfig.xml.
A warning message "SSLv3 is enabled" is logged in apps/APPNAME/logs\Logserver\Logserver.log.
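An audit check for the settings this page changes, as an added example (not Oracle's code): it reports SSL connectors in server.xml that list SSLv3 or TLSv1, which of those two protocols jdk.tls.disabledAlgorithms leaves usable, and which forge or logserver components carry the sslv3 argument. The function names are hypothetical and the sample inputs are constructed from the fragments above.

```python
import re
import xml.etree.ElementTree as ET

LEGACY = {"SSLv3", "TLSv1"}  # the protocols this page shows how to enable

def _local(el):
    """Tag name without any XML namespace prefix."""
    return el.tag.rsplit("}", 1)[-1]

def connector_findings(server_xml):
    """Legacy protocols listed in sslEnabledProtocols on SSL connectors."""
    out = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "").lower() != "true":
            continue
        enabled = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",")}
        out += [f"port {c.get('port')}: {p}" for p in sorted(enabled & LEGACY)]
    return out

def jdk_not_disabled(java_security):
    """Legacy protocols that jdk.tls.disabledAlgorithms leaves usable."""
    disabled = set()  # a commented-out property disables nothing
    text = re.sub(r"\\\r?\n[ \t]*", "", java_security)  # join continuation lines
    pattern = r"^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*[=:]?[ \t]*(.*)$"
    for m in re.finditer(pattern, text, re.M):
        disabled = {v.strip() for v in m.group(1).split(",")}  # last entry wins
    return sorted(LEGACY - disabled)

def component_findings(script_xml):
    """forge/logserver components started with the sslv3 argument."""
    out = []
    for comp in ET.fromstring(script_xml).iter():
        if _local(comp) in ("forge", "logserver"):
            args = [(a.text or "").strip() for a in comp.iter() if _local(a) == "arg"]
            if any(a.lstrip("-").lower() == "sslv3" for a in args):
                out.append(f"{_local(comp)} {comp.get('id')}: sslv3 argument set")
    return out

# Constructed sample inputs modelled on the fragments above (not real files).
SERVER_XML = """<Server><Service><Connector port="8443" SSLEnabled="true"
  scheme="https" secure="true" clientAuth="true" sslEnabledProtocols="SSLv3"/>
</Service></Server>"""
JAVA_SECURITY = "#jdk.tls.disabledAlgorithms=SSLv3\njdk.tls.disabledAlgorithms=TLSv1, TLSv1.1, TLSv1.2\n"
SCRIPT_XML = """<app><logserver id="LogServer" port="15010">
  <args><arg> --sslv3 </arg></args></logserver></app>"""

if __name__ == "__main__":
    print(connector_findings(SERVER_XML), jdk_not_disabled(JAVA_SECURITY),
          component_findings(SCRIPT_XML), sep="\n")
```

An empty result from all three functions means none of the changes described on this page are present in the files checked.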