Supported SSL/TLS Protocols
The JVM used by Integration Server and the list of disabled SSL/TLS protocols together determine which SSL/TLS protocols are supported for inbound and outbound connections with Integration Server.
Integration Server determines the enabled protocols by doing the following:
1. Obtaining the SSL/TLS protocols supported by the JVM.
For an inbound connection, Integration Server obtains the supported protocols when starting a port. For an outbound connection, Integration Server obtains the supported protocols at the time the outbound connection is created.
Different JVMs support different protocols. Consequently, the JVM used by your Integration Server affects the protocols available to an Integration Server when it is acting as an SSL client or an SSL server.
Note: Integration Server registers the following file as an override to the java.security file in the JVM: /config/security/webm_override_java.security. Integration Server uses this file to override settings controlled through the java.security file. For example, the java.security file for Java 11 disables the TLSv1.1 and TLSv1 protocols. To ensure that users retain the option of choosing whether to use these protocols, Integration Server overrides the disabled protocols list by applying webm_override_java.security when the JVM starts up. The server configuration parameters described below can then be used to disable the TLSv1.1 and TLSv1 protocols.
2. Applying the list of disabled protocols.
The watt.net.jsse.server.disabledProtocols server configuration parameter specifies the list of disabled protocols for inbound connections on ports. These apply when Integration Server acts as an SSL server.
The watt.net.jsse.client.disabledProtocols server configuration parameter specifies the list of disabled protocols for outbound connections. These apply when Integration Server acts as an SSL client.
In short, Integration Server automatically enables all protocols supported by the JVM, except for the protocols that are disabled by the java.security file and not re-enabled by the webm_override_java.security file, and the protocols listed in the watt.net.jsse.server.disabledProtocols and/or watt.net.jsse.client.disabledProtocols parameters.
As an example, consider an Integration Server 10.11 that uses the JDK available with Azul Java 11. The accompanying JVM supports the following SSL/TLS protocols:
TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2Hello
The default value of the watt.net.jsse.server.disabledProtocols parameter disables the following protocols when Integration Server acts as the SSL server: SSLv2Hello,SSLv3,TLSv1,TLSv1.1
As a result, the enabled inbound protocols for the described Integration Server would be: TLSv1.3 TLSv1.2.
The default value of the watt.net.jsse.client.disabledProtocols parameter disables the following protocols when Integration Server acts as the SSL client: SSLv2Hello,SSLv3,TLSv1,TLSv1.1
As a result, the enabled outbound protocols for the described Integration Server would be: TLSv1.3 TLSv1.2.
To change the allowed SSL/TLS protocols for Integration Server acting as an SSL server and/or client, change the values of the watt.net.jsse.server.disabledProtocols and watt.net.jsse.client.disabledProtocols parameters, respectively.
Note: You can disable protocols for JSSE on a per port basis. This applies to HTTPS and FTPS ports only. The protocols disabled on a per port basis take precedence over those specified in watt.net.jsse.server.disabledProtocols. For more information, see Disabling Protocols for JSSE per Port.
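As an added example (not Integration Server code), the following Python models the resolution described above, from the JVM's supported list through the java.security override and the watt.net.jsse parameters to a per-port list, and formats the result the way the server log reports it so the two can be compared. The java.security and override file contents are constructed, and the precedence rules for the override file (a property there replaces the java.security one) and for a per-port list (it replaces the server-wide parameter) are assumptions drawn from the text.

```python
from typing import Iterable, List, Optional, Set

# Constructed inputs based on the values quoted in the text (not copied from a real JDK).
JVM_SUPPORTED = ["TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3", "SSLv2Hello"]
JAVA11_SECURITY = ("jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\\n"
                   "    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL\n")
# Assumed content of webm_override_java.security: the same property without TLSv1/TLSv1.1.
OVERRIDE_SECURITY = "jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, 3DES_EDE_CBC, anon, NULL\n"
WATT_DEFAULT = "SSLv2Hello,SSLv3,TLSv1,TLSv1.1"  # default of both watt.net.jsse.*.disabledProtocols


def parse_disabled_algorithms(security_text: str) -> Set[str]:
    """Return the entries of jdk.tls.disabledAlgorithms from java.security-style text.
    Backslash line continuations are joined first. Non-protocol entries (RC4, ...)
    are returned too; they simply never match a protocol name later."""
    joined = security_text.replace("\\\n", "")
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("jdk.tls.disabledAlgorithms="):
            return {e.strip() for e in line.split("=", 1)[1].split(",") if e.strip()}
    return set()


def parse_watt_list(value: str) -> Set[str]:
    """watt.net.jsse.*.disabledProtocols is a plain comma-separated list; empty disables nothing."""
    return {p.strip() for p in value.split(",") if p.strip()}


def enabled_protocols(jvm_supported: Iterable[str], java_security: str,
                      override: Optional[str] = None, watt_disabled: str = "",
                      per_port_disabled: Optional[str] = None) -> List[str]:
    """Apply the steps in the order the text gives them, keeping the JVM's order.
    Assumption: a property in the override file replaces the java.security one,
    and a per-port list replaces (rather than adds to) the watt parameter."""
    disabled = parse_disabled_algorithms(override if override is not None else java_security)
    disabled |= parse_watt_list(per_port_disabled if per_port_disabled is not None else watt_disabled)
    return [p for p in jvm_supported if p not in disabled]


def log_style(protocols: Iterable[str]) -> str:
    """Format like the ISC.0006.0037D message, for comparing against the server log."""
    return "{" + ", ".join(protocols) + "}"


if __name__ == "__main__":
    # Java 11 defaults, no override, empty watt parameter: TLSv1/1.1 gone, SSLv2Hello still on.
    print(log_style(enabled_protocols(JVM_SUPPORTED, JAVA11_SECURITY)))
    # The setup the text describes: override applied, default watt value -> {TLSv1.3, TLSv1.2}.
    print(log_style(enabled_protocols(JVM_SUPPORTED, JAVA11_SECURITY, OVERRIDE_SECURITY, WATT_DEFAULT)))
    # A per-port list that omits TLSv1.1 takes precedence, so TLSv1.1 is back on that port.
    print(log_style(enabled_protocols(JVM_SUPPORTED, JAVA11_SECURITY, OVERRIDE_SECURITY,
                                      WATT_DEFAULT, per_port_disabled="SSLv2Hello,SSLv3,TLSv1")))
```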
When the 0006 Server SSL Interface log facility is set to log at the Debug level, Integration Server writes a server log message about the supported protocols each time a port is started or an outbound connection is established. For example, when Integration Server starts a port, it writes a message like the following about the protocols supported for that port: [ISC.0006.0037D] (tid=344) SSL port 5543 is configured to support protocols {TLSv1.3, TLSv1.2}.
When establishing an outbound SSL connection, Integration Server logs a similar message about supported protocols. For example: [ISC.0006.0038D] (tid=92) Outbound SSL connection www.softwareag.com:443 is configured to support protocols {TLSv1.3, TLSv1.2}.