About this task
The HCL Launch Server uses different communication protocols that rely on SSL at the transport level:
- HTTPS for displaying the user interface
- LDAP to connect to LDAP and Active Directory servers
- JDBC to connect to the database containing the schema of the HCL Launch server application
The material that follows explains how to enforce the usage of TLSv1.2.
Environment
Enforcing TLS 1.2 is possible if the HCL Launch server, relay, and agent are running a JVM version that supports this protocol. For more information on such JVM versions, see: Oracle JRE and JDK Cryptographic Roadmap. For connections to external tools (LDAP servers, database servers, and middleware that the plug-ins deploy to), consider that the connections fail if those external tools do not support TLSv1.2 after you enforce it as the only supported protocol in HCL Launch.
HCL Launch Server: HTTPS protocol
The HTTPS protocol is configured in this file: <server>/opt/tomcat/conf/server.xml. This file contains the following relevant entries:
<Connector port="${install.server.web.https.port}"
           address="${install.server.web.ip}"
           server="SERVER"
           maxThreads="150"
           enableLookups="false"
           acceptCount="100"
           debug="0"
           connectionTimeout="20000"
           disableUploadTimeout="true"
           compression="1024"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml,text/javascript,text/css,text/plain,application/json"
           algorithm="${install.server.ssl.algorithm}"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           URIEncoding="UTF-8"
           ciphers="${install.server.ssl.enabledCiphers}"
           sslEnabledProtocols="${install.server.ssl.enabledProtocols}"
           keystoreFile="${tomcat.keystore.file}"
           keyAlias="${tomcat.key.alias}"
           keystorePass="${tomcat.keystore.password}" />
To enforce TLSv1.2, add or modify the install.server.ssl.enabledProtocols=TLSv1.2 property in this file: <server>/conf/server/installed.properties. Note that this property might be missing, or it might be present and have a different value, including an empty value. The property is referred to as ${install.server.ssl.enabledProtocols} in the server.xml and installed.properties files.
HCL Launch Server: LDAP integration
The HCL Launch server uses the LDAP client that is contained in the JRE that is running on the server. You must specify a URL for the LDAP server that uses the ldaps:// protocol, which connects through SSL or TLS on port 636 by default.
Note: The install.server.ssl.enabledProtocols property changes the SSLContext, which might affect the LDAP connection that is opened.
HCL Launch Server: JDBC connection to the database server
JDBC is used to connect HCL Launch to the backend database.
DB2
See configuring SSL support in a DB2 instance. Configure the DB2 instance according to the instructions, and test after you complete the configuration.
Postgres
Connection string:
connectionString=jdbc:postgresql://dbhost/dummy?ssl=true
jdbcDriver=org.postgresql.Driver
jdbcJar=C:\IBM\UCD\ucd6.2.3\623agent1\postgresql-42.1.4.jar
Import the database certificate to the HCL Launch Agent Java keystore.
The latest available plug-in version is Version 11, see .
Microsoft SQL Server
Your Microsoft SQL Server must support TLS v1.2. You must have the right FixLevel and KB 3052404 installed.
Enable TLS v1.2:
- Depending on the Microsoft SQL Server JDBC type 4 driver version, you can pass in the JDBC connection string a parameter that enforces the TLS 1.2 protocol: ;sslProtocol=TLSv1.2.
- You can enforce TLS v1.2 at the level of the JRE that runs the HCL Launch server. Enabling TLSv1.2 has the following results:
  - Outgoing connections to the LDAP database are all made with TLS v1.2.
  - Incoming connections from HCL Launch agents, HCL Launch agent relays, and the WebUI require TLS v1.2.
  These results can be undesirable if one of the involved components does not support TLS v1.2. You must make sure that the JDBC drivers support TLS v1.2. To ensure this support, change the jdk.tls.disabledAlgorithms line in jre/lib/security/java.security to jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1. You can also pass a java.security file to the JVM through the JAVA_OPTS string in ucd-server/bin/set_env.
  Note: You cannot disable SSLv2Hello, because it is used as the initial handshake from the HCL Launch agents with the HCL Launch server.
- For the JDBC connection string, see understanding SSL Support:
  - encrypt=true uses TLS/SSL.
  - trustServerCertificate=false: do not blanket-trust the server certificate. Every SSL certificate from Microsoft SQL Server is validated against the default JRE trust store jre/lib/security/cacerts.
  - Use hostNameInCertificate=yes to verify that the DNS name and the SubjectAltName in the SSL certificate are the same.
  - trustStore=/my/own/trustStore.jks: do not use the default JRE trust store jre/lib/security/cacerts; use a separate one.
  - trustStorePassword=changeit is the password for the trust store.
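The following added example, which is not part of the HCL Launch documentation, audits the two JRE-side settings described on this page: the install.server.ssl.enabledProtocols property in installed.properties (HTTPS section, including the missing, empty and different-value cases) and the jdk.tls.disabledAlgorithms line in java.security. The sample file contents are constructed for the demonstration.

```python
# Added example, not from the HCL Launch documentation: audit the two settings the
# text describes. Both sample file contents are constructed for the demonstration.

SAMPLE_INSTALLED_PROPERTIES = """\
install.server.web.https.port=8443
# this property may be missing, empty, or set to an older protocol list
install.server.ssl.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
"""

SAMPLE_JAVA_SECURITY = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, anon, NULL
"""

# Protocols the text says jdk.tls.disabledAlgorithms must list.
REQUIRED_DISABLED = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#'/'!' comments, backslash continuations."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            logical += line[:-1]
            continue
        key, _, value = (logical + line).partition("=")
        props[key.strip()] = value.strip()
        logical = ""
    return props


def check_enabled_protocols(props):
    """Return (ok, message) for install.server.ssl.enabledProtocols in installed.properties."""
    value = props.get("install.server.ssl.enabledProtocols")
    if value is None:
        return False, "property missing: add install.server.ssl.enabledProtocols=TLSv1.2"
    if value == "":
        return False, "property is empty: set it to TLSv1.2"
    protos = sorted(p.strip() for p in value.split(",") if p.strip())
    if protos != ["TLSv1.2"]:
        return False, "property enables %s; set it to exactly TLSv1.2" % ",".join(protos)
    return True, "TLSv1.2 is the only enabled protocol"


def check_disabled_algorithms(props):
    """Return the legacy protocols that jdk.tls.disabledAlgorithms does not yet disable;
    other entries already on that line (weak ciphers, key sizes) are left alone."""
    entries = {e.strip() for e in props.get("jdk.tls.disabledAlgorithms", "").split(",")}
    return REQUIRED_DISABLED - entries
```

Run both checks against the real files after changing them and before restarting the server; an empty set from check_disabled_algorithms and a True result from check_enabled_protocols means the JRE will only negotiate TLSv1.2.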
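As an added example (not code from the HCL Launch documentation), the function below parses a Microsoft SQL Server JDBC URL and reports which of the connection-string settings listed above are missing or weak, showing a weak URL beside a hardened one. Both URLs are constructed; dbhost, the database name and the trust store path are placeholders, and the example assumes the driver expects the server's host name as the value of hostNameInCertificate.

```python
# Added example, not from the HCL Launch documentation: parse a Microsoft SQL Server
# JDBC URL and report which of the settings described above are missing or weak.
# Both URLs are constructed samples; dbhost and the trust store path are placeholders.

WEAK_URL = "jdbc:sqlserver://dbhost:1433;databaseName=ucd;encrypt=true;trustServerCertificate=true"

HARDENED_URL = ("jdbc:sqlserver://dbhost:1433;databaseName=ucd;encrypt=true;"
                "trustServerCertificate=false;hostNameInCertificate=dbhost;"
                "trustStore=/my/own/trustStore.jks;trustStorePassword=changeit;"
                "sslProtocol=TLSv1.2")


def parse_sqlserver_url(url):
    """Split 'jdbc:sqlserver://host[:port][;prop=value...]' into (host, {prop: value})."""
    prefix = "jdbc:sqlserver://"
    if not url.startswith(prefix):
        raise ValueError("not a SQL Server JDBC URL")
    host, *pairs = url[len(prefix):].split(";")
    props = {}
    for pair in pairs:
        if pair:
            key, _, value = pair.partition("=")
            props[key.strip()] = value.strip()
    return host, props


def audit_sqlserver_url(url):
    """Return a list of findings; an empty list means the URL carries the hardened settings."""
    _, props = parse_sqlserver_url(url)
    findings = []
    if props.get("encrypt", "false").lower() != "true":
        findings.append("encrypt is not true: the connection is not protected by TLS")
    if props.get("trustServerCertificate", "false").lower() == "true":
        findings.append("trustServerCertificate=true blanket-trusts any server certificate")
    if not props.get("hostNameInCertificate"):
        # the driver compares this value with the certificate's subject / SubjectAltName
        findings.append("hostNameInCertificate missing: certificate is not matched to the host name")
    if not props.get("trustStore"):
        findings.append("trustStore missing: default JRE cacerts is used instead of a dedicated trust store")
    if props.get("sslProtocol") != "TLSv1.2":
        findings.append("sslProtocol does not pin TLSv1.2 (supported on newer type 4 drivers)")
    return findings
```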
Oracle
To enforce TLSv1.2 for Oracle 12c:
- Ensure that you have a JDBC driver version higher than 12.2.0.1.
- In the file <ucd-server>/bin/set_env.sh, append the -D argument -Doracle.net.ssl_version='1.2' to the value you currently set for the JAVA_OPTS variable.
- Restart the HCL Launch server.
HCL Launch Agent
To add the protocol to HCL Launch agents using HTTPS to talk to the HCL Launch server:
- Add the new line -Djdk.tls.client.protocols=TLSv1.2 in agent-home/bin/worker-args.conf.
For steps running on the HCL Launch agent:
- Add the new line -Djdk.tls.client.protocols=TLSv1.2 to agent-home/conf/plugin-javaopts.conf.