Nilay___ (Established Member)

TLS SSL configuration problem

hello,

we have been using SSL for 3 years, now because of some ssl V3 security weakness we decided to continue with tls instead of ssl.

I want to make sure about the steps i'm gonna follow to cancel ssl and configure ssl settings. Could you warn me about the missing or extra steps?

1-) server conf parameters like following:

com.kintana.core.server.BASE_URL=http://tys.....
com.kintana.core.server.HTTP_PORT=80
com.kintana.core.server.ENABLE_SSL_LOGIN=true
com.kintana.core.server.HTTPS_PORT=443
com.kintana.core.server.HTTPS_WEB_THREAD_MIN=5
com.kintana.core.server.HTTPS_WEB_THREAD_MAX=75
com.kintana.core.server.HTTPS_PROTOCOL=TLS

and following parameters are the same like they used to be while we were using ssl

 

com.kintana.core.server.HTTPS_KEYSTORE_LOCATION
com.kintana.core.server.HTTPS_KEYPASSWORD

2-) for ie disable ssl and enable tls from tools-->internet options

 

3-) for mozilla from about:config set tls max and min parameters as 3

when i set parameters like above i can enable TLS login, the problem is through this parameter settings i would only login by TLS not SSL but when i test if i can login only with SSL, i could successfully login with SSL. So i could successfully login both TLS and SSL, i need to disable SSL now. I can control it through unchecking TLS V1, TLS V2 and TLS V3 and check SSL V2 and SSL V3 from internet options-->advanced-->security settings. I assume by this setting i could only login ssl. is there any missing or wrong configuration in my steps, what do i need to do to disable SSL and login only with TLS?

thanks,
have a nice day.

0 Likes
Loc_Nguyen_PPM (Outstanding Contributor)

Re: TLS SSL configuration problem

Hi Nilay,

 

So, now you just only want to login by TLS, right?

 

Did you try to change the below parameter like this

 

com.kintana.core.server.ENABLE_SSL_LOGIN=true

 

to

 

com.kintana.core.server.ENABLE_SSL_LOGIN=false

 

Then save the changes

 

Run kUpdate.html

 

Restart PPM server and try again.

 

 

Regards,

“HP Support
If you find that this or any post resolves your issue, please be sure to mark it as an accepted solution.”
0 Likes
Nilay___ (Established Member)

Re: TLS SSL configuration problem

hello vinhloc,

 

yes i tried setting enable_ssl_login parameter to false. But in this case i can't login with tls either i guess. Because ppm link never turns to https and when i check if 443 (https port) is active or not i see that it is not listened by netstat command. So i suppose that both ssl and tls are not active. Am i right?

 

thanks,

have a nice day.

0 Likes
Loc_Nguyen_PPM (Outstanding Contributor)

Re: TLS SSL configuration problem

Hi Nilay,

 

Yes, after discussing with my colleague i can tell you that if parameter com.kintana.core.server.ENABLE_SSL_LOGIN is set to TRUE, https connection will be used to show the login page, if it is set to FALSE when a user tries to login to PPM, http will be used for the login page, it means no tls or ssl.

 

 

As you said in the previous post, after you set the parameters like below

 

com.kintana.core.server.BASE_URL=http://tys.....
com.kintana.core.server.HTTP_PORT=80
com.kintana.core.server.ENABLE_SSL_LOGIN=true
com.kintana.core.server.HTTPS_PORT=443
com.kintana.core.server.HTTPS_WEB_THREAD_MIN=5
com.kintana.core.server.HTTPS_WEB_THREAD_MAX=75
com.kintana.core.server.HTTPS_PROTOCOL=TLS

and following parameters are the same like they used to be while we were using ssl

 

com.kintana.core.server.HTTPS_KEYSTORE_LOCATION
com.kintana.core.server.HTTPS_KEYPASSWORD

 

You still can login to PPM by TLS and SSL, right? Make sure that you are running kUpdate.html after changing something in the server.conf file.

Now you just want to login to PPM via TLS, right? If you set the parameters like above it should login only via TLS because only one protocol can be used.

 

The best practice is that you can use an external web server like IIS then configure TLS on IIS and integrate with PPM.

 

 

There is a way to disable SSL and enable TLS only on server side, you can take a look but my advice is you should try it on a non production environment.

 

http://tecadmin.net/enable-tls-on-windows-server-and-iis/

 

 

Hope it helps,

 

 

 

0 Likes
Nilay___ (Established Member)

Re: TLS SSL configuration problem

hi Vinloch,

 

to make sure i stopped ppm and started again after running update html command, but nothing changed. On internet explorer internet options menu, i tried 4 cases like following:

 

1-)check SSL versions and uncheck TLS versions

2-)check TLS versions and uncheck SSL versions

3-)check both SSL and TLS

4-)uncheck both SSL and TLS

 

only on first 3 cases i can login https, on last case i can't load login page.

 

on mozilla firefox i changed following parameters, on first case i set both of them as "0", as far as i know it means TLS is inactive, and SSL3 is active. On second case i set both of them as "3", it means SSL is inactive and TLS is active. After internet explorer trial i suppose login with https on both two cases. But on second case i couldn't even load ppm login page and an error message like following appeared --> An error occurred during a connection to tys.ttnet.com.tr. Peer reports it experienced an internal error. (Error code: ssl_error_internal_error_alert)

 

So is there any configuration that i need to set?

 

case 1:

 

security.tls.version.max=0

security.tls.version.min=0

 

case 2:

 

security.tls.version.max=3

security.tls.version.min=3

 

thanks,

Nilay

0 Likes
Loc_Nguyen_PPM (Outstanding Contributor)

Re: TLS SSL configuration problem

Hi Nilay,

 

You can get more information about preference "security.tls.version.(min,max)." in the link below:

 

http://kb.mozillazine.org/Security.tls.version.*

 

Put this link in Firefox browser.

 

In the second case in Firefox you said that you set

 

security.tls.version.max=3

security.tls.version.min=3

 

3 meant TLS 1.2 is the minimum required / maximum supported encryption protocol. 

 

TLS 1.2 support has been added with NSS 3.15.1 for Gecko 24.0. TLS 1.1 and TLS 1.2 are not yet widely supported by many servers, and need finalization of some components in the Mozilla backend, thus SSL 3.0 and TLS 1.0 are currently supported by default. Can you try to set min and max value to 2 or 1.

 

Could you tell me Firefox version you are using ?

 

 

Regards,

0 Likes
Nilay___ (Established Member)

Re: TLS SSL configuration problem

hello Vinhloc,

 

I'm using 34.0.5 version. I have already tried both 1 and 2 for max and min values. But i couldn't open login page either with this setting. Only when both of them are set to '0' i can login.

 

thanks,

have a nice day.

0 Likes
Loc_Nguyen_PPM (Outstanding Contributor)

Re: TLS SSL configuration problem

Hi Nilay,

 

So, you still can login to PPM by TLS and SSL via Internet Explorer? If so, give me a screenshot of the Advanced tab to show what protocol you selected.

 

On Firefox browser you can only login to PPM if you set min and max to 0, right ?

 

Also, i would like to tell you that you are using an unsupported browser version, now HP PPM supports Firefox as a browser only up to v24. In this regard I suggest you use Firefox version v24 instead of 34.x.

 

 

Regards,

0 Likes
teetotal (Absent Member)

Re: TLS SSL configuration problem

com.kintana.core.server.HTTPS_PROTOCOL=TLS (which is default value)

 

So only TLS is enabled. SSL v3 is not enabled.

 

 

0 Likes
teetotal (Absent Member)

Re: TLS SSL configuration problem

Sorry, I did not notice that you still can log in PPM with SSL.

 

Here is official document of JBoss.

 

https://access.redhat.com/solutions/1232233

 

So please set

com.kintana.core.server.HTTPS_PROTOCOL=TLSv1,TLSv1.1,TLSv1.2

 

 

 

Loc_Nguyen_PPM (Outstanding Contributor)

Re: TLS SSL configuration problem

Hi teetotal,

 

I'm not sure whether these values are valid or not because i saw that the valid values for this parameter are: TLS, SSL

Hi Nilay, can you try this suggestion and let us know the result?

 

 

 

Regards,

0 Likes
Gong_Yi (Absent Member)

Re: TLS SSL configuration problem

Because of the current PPM patch mechanism, the configuration default value can only be changed in a major release. So I'm afraid you have to change the configuration and redeploy manually.

0 Likes
teetotal (Absent Member)

Re: TLS SSL configuration problem

Please see attachment.

0 Likes
teetotal (Absent Member)

Re: TLS SSL configuration problem

Updated

0 Likes
teetotal (Absent Member)

Re: TLS SSL configuration problem

Updated.

 

I have tested the solution in 9.3x.

 

 

0 Likes
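
The thread tests protocol support only by toggling browser settings; a more direct check after changing HTTPS_PROTOCOL is to send the server a ClientHello for each protocol version and see whether it answers with a ServerHello or an alert (the Firefox error quoted above corresponds to alert 80, internal_error). This is an added example, not code from any poster or from HP: the function names are hypothetical, the ClientHello carries no extensions, and it is meant to be run against your own PPM host and HTTPS_PORT.

```python
import os
import socket
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}
# RSA suites with AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA (valid in SSLv3..TLSv1.2)
SUITES = struct.pack(">4H", 0x002F, 0x0035, 0x000A, 0x0005)

def build_client_hello(version):
    """Raw ClientHello, `version` is the highest offered; record version capped at TLSv1."""
    body = (struct.pack(">H", version) + os.urandom(32) + b"\x00"
            + struct.pack(">H", len(SUITES)) + SUITES + b"\x01\x00")
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return struct.pack(">BHH", 22, min(version, 0x0301), len(handshake)) + handshake

def parse_reply(data):
    """Classify the first record the server sent back."""
    if len(data) < 7:
        return ("no_reply", None)
    if data[0] == 21:  # alert record: level byte, then description byte
        return ("alert", ALERTS.get(data[6], str(data[6])))
    if data[0] == 22 and data[5] == 2 and len(data) >= 11:  # ServerHello
        chosen = struct.unpack(">H", data[9:11])[0]
        return ("server_hello", VERSIONS.get(chosen, hex(chosen)))
    return ("unexpected", None)

def probe(host, port, version, timeout=5.0):
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version))
            while len(data) < 11:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass  # refused, reset or timed out: classify whatever arrived
    return parse_reply(data)

def audit(host, port):
    """Map each protocol name to the server's answer when it is the highest offered."""
    return {name: probe(host, port, v) for v, name in VERSIONS.items()}

def ssl3_disabled(results):
    """True only if SSLv3 was refused while some TLS offer got a ServerHello."""
    tls_ok = any(r[0] == "server_hello" for n, r in results.items() if n != "SSLv3")
    return tls_ok and results["SSLv3"][0] != "server_hello"
```

Call `ssl3_disabled(audit(host, 443))` with your own server name; a `("server_hello", "SSLv3")` entry in the audit result means the server still negotiates SSLv3 regardless of what the browser is set to.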