Security Scan Indicates Support for TLS 1.0 as a Vulnerability

  • 7023012
  • 23-May-2018
  • 23-May-2018

Environment

Verastream Host Integrator 7.7 Service Pack 1
Nessus Professional Security Scan (Tenable Software, Inc.)

Situation

  • A security scanner such as Nessus Professional has reported that TCP/IP port 8443 on your Verastream Host Integrator (VHI) server accepts TLS 1.0 connections.
  • Your organization has a policy that only TLS 1.2 will be allowed for production servers.

Resolution

Option 1:
If your VHI solution does not use the Verastream Host Integrator Web Server, you can safely turn this service off: in the Windows Services properties for the Verastream Host Integrator Web Server service, set "Startup type" to "Disabled". The Verastream Host Integrator Web Server is only used for "HTML5 Web Applications" generated by the Verastream WebBuilder utility, and for some older "legacy" types of web applications. It is not used by the VHI SOAP or REST web services provided by VHI version 7.0 and later.

Option 2:
To enforce TLS 1.2 as the minimum supported version for the VHI Web Server service:
  • Use VHI version 7.7 with Service Pack 1
  • Edit this file: C:\Program Files\Attachmate\Verastream\HostIntegrator\servletengine\conf\container.conf
  • Change "wrapper.java.additional.9=-Dmin.supported.tls.protocol=TLSv1" to "wrapper.java.additional.9=-Dmin.supported.tls.protocol=TLSv1.2"
  • Restart the VHI Web Server service.
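The steps above amount to a single-line change in container.conf, which is easy to get wrong by hand (wrong property index, a typo in the value, or editing a file that was never deployed). The following added example, not part of this article or the VHI product, reads the configuration text, reports the current minimum TLS version, and rewrites only the wrapper.java.additional.9 line to TLSv1.2, refusing to guess if that line is absent. The sample configuration embedded below is constructed for illustration; the real container.conf contains many other settings.

```python
import re
import shutil
from typing import Optional, Tuple

# Key, property and target value are taken from the article; everything else is an assumption.
KEY = "wrapper.java.additional.9"
PROPERTY = "-Dmin.supported.tls.protocol"
REQUIRED = "TLSv1.2"

# Constructed excerpt standing in for the real container.conf.
SAMPLE_CONF = (
    "# constructed sample, not the real container.conf\n"
    "wrapper.java.additional.8=-Dsome.other.flag=true\n"
    "wrapper.java.additional.9=-Dmin.supported.tls.protocol=TLSv1\n"
    "wrapper.java.additional.10=-Xmx512m\n"
)

# Matches exactly the wrapper line that carries the min TLS property; group 2 is the version.
LINE_RE = re.compile(
    rf"^(\s*{re.escape(KEY)}\s*=\s*{re.escape(PROPERTY)}=)(\S+)\s*$"
)


def current_min_tls(conf_text: str) -> Optional[str]:
    """Return the configured minimum TLS protocol, or None if the line is missing."""
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            return m.group(2)
    return None


def enforce_tls12(conf_text: str) -> Tuple[str, bool]:
    """Rewrite the line to TLSv1.2, preserving line endings. Returns (new_text, changed)."""
    out, changed, found = [], False, False
    for line in conf_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = LINE_RE.match(body)
        if m:
            found = True
            if m.group(2) != REQUIRED:
                line = m.group(1) + REQUIRED + line[len(body):]  # keep CRLF or LF
                changed = True
        out.append(line)
    if not found:
        # Do not invent a property index; the line should exist in 7.7 SP1.
        raise ValueError(f"{KEY} with {PROPERTY} not found in configuration")
    return "".join(out), changed


def patch_file(path: str) -> bool:
    """Back up container.conf to <path>.bak and apply enforce_tls12 in place."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    new_text, changed = enforce_tls12(original)
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8", newline="") as fh:
            fh.write(new_text)
    return changed
```

After restarting the VHI Web Server service, confirm the change from outside the host by re-running the scanner against port 8443, since the file edit alone proves nothing until the service has reloaded it.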