Environment
Reflection for the Web 2014 (All Editions)
Reflection for the Web 2011 (All Editions)
Reflection for the Web 2008 (All Editions)
Reflection Security Gateway 2014 (All Editions)
Reflection Security Gateway 2011
Reflection for the Web 2011 (All Editions)
Reflection for the Web 2008 (All Editions)
Reflection Security Gateway 2014 (All Editions)
Reflection Security Gateway 2011
Situation
To avoid the 'POODLE' vulnerability, SSL 3.0 can be disabled. This technical note describes how to configure Reflection for the Web and Reflection Security Gateway use TLS protocols only.
Note the following:
- In a future release of these products, SSL 3.0 will be disabled by default to minimize the chance that the POODLE vulnerability can be exploited. For more information, see the POODLE alert in https://support.microfocus.com/security/.
- For additional client-side security, SSL 3.0 support should be disabled in the Java Control Panel. See KB 7022190 for instructions.
Resolution
Procedure
To configure Reflection for the Web or Security Gateway to use only TLS protocols:
- In Reflection for the Web emulation and file transfer applets:
- Go to Connection Setup > SSL/TLS dialog, and select TLS 1.2, TLS 1.0.
- Save changes.
- In the Security Proxy Wizard:
- Go to Advanced Settings and uncheck SSL 3.0.
- Restart the Security Proxy Server service.
- Reflection for the Web and
Security Gateway ship with Apache Tomcat as the default Servlet runner,
which supports SSL 3.0. Edit the Apache Tomcat configuration to
explicitly enable TLS support:
- Note your version of Apache Tomcat, verified in RELEASE-NOTES located in the Attachmate/ReflectionServer/apache-tomcat directory.
- Open server.xml file in a text editor. This file is located in the apache-tomcat/conf directory of your Tomcat installation.
- Locate the following two connectors in the server.xml file:
<!-- Define an SSL Coyote HTTP/1.1 Connector.
<!-- Define an SSL HTTP/1.1 Connector for X.509 client authentication.
- At the end of each connector, you will see sslProtocol="TLS." Revise these as follows:
Tomcat 6.0.38 and later:
sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
Tomcat 6.0.36 and earlier:
Protocols="TLSv1, TLSv1.1, TLSv1.2"
- Save the file and restart the ReflectionServer service.