Software AG Products 10.11 | Administering Integration Server | Configuring Integration Server for Secure Communications | Configuring Integration Server as an SSL Server
 
Configuring Integration Server as an SSL Server
 
Configuring an HTTPS or FTPS Port
In addition to the general SSL configuration tasks identified in Preparing to Configure SSL in Integration Server , to configure Integration Server as an SSL server, you must also create ports, specify enabled SSL/TLS protocols, and set the allowed cipher suites.
To configure Integration Server as an SSL server, complete the following the SSL-server specific tasks:
1. Add an HTTPS or FTPS port. If an HTPS and FTPS ports are not yet defined, you must create one. This is required for one-way and two-way SSL authentication.
If you want to allow only secure connections to the server:
*Ensure that the primary port uses an HTTPS port.
*Delete all other non-HTTPS ports.
Add additional HTTPS or FTPS ports as required.
For more information about creating ports, see Configuring Ports.
2. Specify SSL/TLS protocols for inbound communication. To specify the allowed SSL/TLS protocols for communication with an Integration Server acting as an SSL server, you actually identify which SSL/TLS protocols are explicitly disabled in the watt.net.jsse.server.disabledProtocols server configuration parameter.
For more information regarding how Integration Server uses the disabled list of SSL/TLS protocols to determine which SSL/TLS protocols are allowed, see Supported SSL/TLS Protocols.
You can disable SSL/TLS protocols for JSSE on a per port basis. The protocols disabled on a per port basis take precedence over those specified in watt.net.jsse.server.disabledProtocols. For more information about disabling protocols per port, see Disabling Protocols for JSSE per Port
You can disable TLS renegotiation for all HTTPS and FTPS ports that use JSSE by setting a Java system property. TLS renegotiation can lead to Denial of Service (DoS) attacks. For more information about disabling TLS renegotiation, see Disabling TLS Renegotiation.
Note:
If Integration Server is not using JSSE to secure inbound communications, and is instead using TLSv1.0, the values of the watt.net.ssl.server.handshake.minVersion and watt.net.ssl.server.handshake.maxVersion server configuration parameters determine the enabled protocols. Note that TLSv1.0 is not secure.
3. Specify allowed cipher suites for inbound communication. The watt.net.jsse.server.enabledCipherSuiteList specifies the cipher suites or inbound SSL connections when the port uses JSSE to secure connections.
Optionally, set watt.net.jsse.server.useCipherSuitesOrder=true to force the Integration Server acting as an SSL server to present its cipher suites in the order they appear in the watt.net.jsse.server.enabledCipherSuiteList. If needed, reorder the cipher suites list to ensure that the strong ones you need are listed first.
For more information about identifying enabled cipher suites, see Specifying Cipher Suites for Use with SSL.
Note:
If Integration Server is not using JSSE to secure inbound communications and is instead using TLSv1.0, the watt.net.ssl.server.cipherSuiteList and watt.net.ssl.client.strongcipheronly determine the allowed cipher suites.