AGM SSL configuration best practice

Document ID:KM02061609
Creation Date:18-Jan-2016
Modified Date:21-Jan-2016
- Micro Focus Products:
  agile manager 2.0
  
  agile manager 2.1
  
  agile manager 2.20
  
  agile manager 2.30
  
  agile manager 2.40

Summary

This is a best practice article about how to configure AGM SSL

Question

This article provides a best practice for configuring the AGM SSL properly. Proper SSL configuration disables weak protocol(SSLv3) and enables only strong ciphers and thus mitigates your AGM instance against:

1. Poodle SSL vulnerability.
2. Bar Mitzvah vulnerability.
3. LogJam vulnerability.

Answer

To configure the SSL settings correctly, please add the highlighted parts to the definition of the Jetty SSL connector:

<Configure id="Server" class="org.eclipse.jetty.server.Server">

<New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
     <Set name="ExcludeProtocols">
         <Array type="java.lang.String">
             <Item>SSLv3</Item>
         </Array>
     </Set>
</New>

<Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
        <Arg><Ref id="sslContextFactory" /></Arg>
        <Set name="IncludeCipherSuites">
          <Array type="java.lang.String">
             <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
             <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
             <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
             <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
</Call>

</Configure>