This document is under revision.
Summary
This document explains how to disable ciphers that support less than 128-bit cipher strength in ALM Jetty.
Question
How do I disable ciphers that support less than 128-bit cipher strength in Application Lifecycle Management (ALM) Jetty?
Answer
Because the installed Java version determines which cipher suites are available, it is not possible to raise the cipher level in Jetty itself, but it is possible to disable the weak ciphers.
To disable ciphers that support less than 128-bit cipher strength in ALM Jetty, proceed with the following steps:
1. Open C:\ProgramData\HP\ALM\server\conf\jetty.xml
2. Add the IncludeCipherSuites section (shown below in context) to the SslSocketConnector definition:
<New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
    <Set name="host"><Property name="jetty.host" /></Set>
    <Set name="Port">8443</Set>
    <Set name="maxIdleTime">30000</Set>
    <Set name="keystore">C:\certs\alm2_certificate.jks</Set>
    <Set name="password">Y7u8i9o0</Set>
    <Set name="keyPassword">Y7u8i9o0</Set>
    <Set name="truststore">C:\certs\alm2_certificate.jks</Set>
    <Set name="trustPassword">Y7u8i9o0</Set>
    <Set name="IncludeCipherSuites">
        <Array type="java.lang.String">
            <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
            <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
            <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
        </Array>
    </Set>
</New>
3. Restart ALM
4. Run SSLScan from any client (sslscan.exe --no-failed <ALM server>:8443).
5. Observe that only ciphers of 128-bit strength or higher are reported as supported (SSLv3 and TLSv1); see the full results table below.
Note: This procedure disables certain weak ciphers (less than 128-bit strength, MD5, etc.) but still allows SHA1.
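The following Python script is an added example, not part of this article or of the ALM product: it audits the IncludeCipherSuites list in a jetty.xml before the restart in step 3, flagging any suite that falls below the bar the steps above set (under 128-bit strength, MD5 MAC, export or NULL suites) and separately listing the SHA1-based suites the note says remain allowed. The sample jetty.xml fragment embedded in the script is constructed for the example and deliberately includes three weak suites; the function and variable names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real ALM config): the article's connector shape with
# three deliberately weak suites added so the audit has something to flag.
# A real jetty.xml also carries a DOCTYPE line, which ElementTree simply ignores.
SAMPLE_JETTY_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
    <Set name="host"><Property name="jetty.host" /></Set>
    <Set name="Port">8443</Set>
    <Set name="IncludeCipherSuites">
      <Array type="java.lang.String">
        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
        <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
        <Item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      </Array>
    </Set>
  </New>
</Configure>
"""

# Bulk-cipher token in a JSSE suite name -> effective strength in bits.
# Order matters: the first matching pattern wins (3DES before DES, AES_128 before RC4_128).
CIPHER_PATTERNS = [
    (r"_AES_128_", 128),
    (r"_AES_256_", 256),
    (r"_3DES_EDE_", 112),   # 168-bit key, ~112-bit effective strength
    (r"_RC4_128_", 128),
    (r"_RC4_40_", 40),
    (r"_DES40_", 40),
    (r"_DES_", 56),
    (r"_NULL_", 0),
]


def audit_cipher_suite(name):
    """Classify one JSSE cipher-suite name.

    Returns (bits, problems). problems is empty when the suite meets the bar
    set in the article (at least 128-bit strength, no MD5, no export/NULL).
    """
    bits = 0  # unknown bulk ciphers are treated as 0-bit so they are flagged, not silently passed
    for pattern, strength in CIPHER_PATTERNS:
        if re.search(pattern, name):
            bits = strength
            break
    problems = []
    if bits < 128:
        problems.append("cipher strength %d bits < 128" % bits)
    if "_EXPORT_" in name:
        problems.append("export-grade suite")
    if "_NULL_" in name:
        problems.append("no encryption")
    if name.endswith("_MD5"):
        problems.append("MD5 MAC")
    if "_anon_" in name:
        problems.append("anonymous key exchange (no server authentication)")
    if "_RC4_" in name:
        problems.append("RC4 stream cipher (prohibited by RFC 7465)")
    return bits, problems


def include_cipher_suites(jetty_xml):
    """Extract every <Item> under <Set name="IncludeCipherSuites"> from a jetty.xml string."""
    root = ET.fromstring(jetty_xml)
    suites = []
    for setter in root.iter("Set"):
        if setter.get("name") == "IncludeCipherSuites":
            suites.extend(item.text.strip() for item in setter.iter("Item") if item.text)
    return suites


def audit_jetty_config(jetty_xml):
    """Map each configured suite to its list of problems (empty list = acceptable)."""
    return {s: audit_cipher_suite(s)[1] for s in include_cipher_suites(jetty_xml)}


def weak_suites(jetty_xml):
    """Suites that must be removed before the ALM restart, sorted for stable output."""
    return sorted(s for s, problems in audit_jetty_config(jetty_xml).items() if problems)


def hardened_include_list(jetty_xml):
    """The IncludeCipherSuites list with the weak entries dropped, original order kept."""
    return [s for s in include_cipher_suites(jetty_xml) if not audit_cipher_suite(s)[1]]


def sha1_suites(jetty_xml):
    """Suites whose MAC is HMAC-SHA1 (name ends in _SHA). The article's note says the
    procedure still allows these, so they are reported for awareness, not as failures."""
    return [s for s in include_cipher_suites(jetty_xml) if s.endswith("_SHA")]


if __name__ == "__main__":
    # To audit a real file: open(r"C:\ProgramData\HP\ALM\server\conf\jetty.xml").read()
    for suite, problems in audit_jetty_config(SAMPLE_JETTY_XML).items():
        print(("WEAK " if problems else "ok   ") + suite + ("  " + "; ".join(problems) if problems else ""))
    print("SHA1-based suites still allowed:", sha1_suites(SAMPLE_JETTY_XML))
    print("hardened IncludeCipherSuites:", hardened_include_list(SAMPLE_JETTY_XML))
```

Run against the real file by replacing SAMPLE_JETTY_XML with its contents; an empty result from include_cipher_suites means no IncludeCipherSuites block was found, in which case the JSSE defaults of the installed Java apply and the step 2 edit has not taken effect.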