Disabling Protocols for JSSE per Port
You can disable protocols for JSSE on a per port basis. This applies to HTTPS and FTPS ports only. The protocols disabled on a per port basis take precedence over those specified in watt.net.jsse.server.disabledProtocols, which specifies disabled protocols for inbound JSSE connections across the server. The unsupported protocols for a port can be more or less restrictive than the protocols disabled server-wide via the watt.net.jsse.server.disabledProtocols parameter.
To disable protocols for JSSE per port
1. Shut down Integration Server as described in Shutting Down the Integration Server.
2. Open the following file in a text editor:
Integration Server_directory/instances/instanceName/packages/packageName/listeners.cnf
where instanceName is the name of the Integration Server instance and packageName is the name of the package associated with the port.
3. In the listeners.cnf file, locate the record for each HTTPS or FTPS port for which you want to disable protocols.
For example:
* If you want to make changes to HTTPS port 5333, the port record starts with the following:
<record name="HTTPSListener@5333" javaclass="com.wm.util.Values">
* If you want to make changes to FTPS port 4602, the port record starts with the following:
<record name="FTPSListener@4602" javaclass="com.wm.util.Values">
4. After the <value name="useJSSE">true</value> entry in the port record, add the following entry:
<value name="jsseDisabledProtocols">SSLprotocols</value>
where SSLprotocols is a comma-separated list of the SSL protocol versions that the port does not support.
For example, to enable TLS 1.2 and TLS 1.3 versions for the port (if TLS 1.3 is supported on your Integration Server) and disable all other protocols, add the following:
<value name="jsseDisabledProtocols">SSLv2Hello,SSLv3,TLSv1,TLSv1.1</value>
Note:
To prevent a protocol downgrade during negotiation, set SSLprotocols to disable all protocol versions except one or two protocols that are TLSv1.2 and higher.
5. Save your changes and close the text editor.
6. Restart Integration Server.
Note:
The jsseDisabledProtocols value specified for the port record in the listeners.cnf file overrides the value set by the watt.net.jsse.server.disabledProtocols server configuration parameter.
At the default Info log level, Integration Server writes a message to indicate the enabled protocols when starting the inbound and outbound ports. When the logging facility 0006 Server SSL Interface is set to the Debug logging level, Integration Server writes messages about supported and enabled protocols used for inbound and outbound ports to the server log. (Integration Server creates an outbound port as part of establishing an outbound SSL connection.) At the Trace logging level, Integration Server writes messages about the enabled cipher suites. You can use these server log messages to confirm the enabled protocols for any JSSE port.
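The edited listeners.cnf can also be checked offline before the restart. The following is an added example, not Software AG code: it reports, for each JSSE-enabled HTTPS or FTPS port record, which of the four protocols from the example above are still not disabled, applying the per-port value in place of the server-wide list when the port has one. The `<Values>` wrapper in the sample, the function names, and the sample ports 5443 and 5555 are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Protocol names taken from the page's jsseDisabledProtocols example.
LEGACY = ("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1")

# Constructed sample; the <Values> wrapper and the record contents beyond
# the names shown on the page are assumptions about the file layout.
SAMPLE_CNF = """<Values>
  <record name="listeners" javaclass="com.wm.util.Values">
    <record name="HTTPSListener@5333" javaclass="com.wm.util.Values">
      <value name="useJSSE">true</value>
      <value name="jsseDisabledProtocols">SSLv2Hello,SSLv3,TLSv1,TLSv1.1</value>
    </record>
    <record name="FTPSListener@4602" javaclass="com.wm.util.Values">
      <value name="useJSSE">true</value>
      <value name="jsseDisabledProtocols">SSLv3, TLSv1</value>
    </record>
    <record name="HTTPSListener@5443" javaclass="com.wm.util.Values">
      <value name="useJSSE">true</value>
    </record>
    <record name="HTTPSListener@5555" javaclass="com.wm.util.Values">
      <value name="useJSSE">false</value>
    </record>
  </record>
</Values>"""


def split_protocols(text):
    """Split a comma-separated protocol list, ignoring blanks and whitespace."""
    return {p.strip() for p in (text or "").split(",") if p.strip()}


def audit_listeners(cnf_text, server_wide_disabled=""):
    """Return {port record name: legacy protocols still not disabled}.
    server_wide_disabled stands for watt.net.jsse.server.disabledProtocols."""
    findings = {}
    for rec in ET.fromstring(cnf_text).iter("record"):
        name = rec.get("name", "")
        if not name.startswith(("HTTPSListener@", "FTPSListener@")):
            continue
        values = {v.get("name"): (v.text or "") for v in rec.findall("value")}
        if values.get("useJSSE", "").strip().lower() != "true":
            continue  # the per-port setting applies to JSSE ports only
        # A port-level entry replaces the server-wide list; it is not merged.
        disabled = split_protocols(values.get("jsseDisabledProtocols", server_wide_disabled))
        findings[name] = [p for p in LEGACY if p not in disabled]
    return findings
```

An empty list for a port means all four legacy protocol names are disabled there. The server log messages described above remain the confirmation of what the running port actually enables.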