Configuring the Allowed Protocols for JSSE per Port
This section describes how to configure the allowed protocols for JSSE on a per port basis. For more information about allowed protocols for JSSE, see watt.net.jsse.server.enabledProtocols.
To configure the allowed protocols for JSSE per port
1. Shut down Integration Server.
2. Open the following file in a text editor:
Integration Server_directory/instances/instanceName/packages/packageName/listeners.cnf
where instanceName is the name of the Integration Server instance and packageName is the name of the package associated with the port.
3. In the listeners.cnf file, locate the record for each HTTPS or FTPS port for which you want to specify the allowed protocols.
For example:
If you want to make changes to HTTPS port 5333, the port record will start with the following:
<record name="HTTPSListener@5333" javaclass="com.wm.util.Values">
If you want to make changes to FTPS port 4602, the port record will start with the following:
<record name="FTPSListener@4602" javaclass="com.wm.util.Values">
4. After the <value name="useJSSE">true</value> entry in the port record, add the following entry:
<value name="jsseEnabledProtocols">SSLprotocols</value>
where SSLprotocols is a comma-separated list of the SSL protocol versions that the port supports.
For example, to enable TLS 1.1 and TLS 1.2 for the port, add the following:
<value name="jsseEnabledProtocols">SSLv2Hello,TLSv1.1,TLSv1.2</value>
Note:
To prevent a protocol downgrade during negotiation, set SSLprotocols to a single protocol version that is TLSv1 or higher.
5. Save your changes and close the text editor.
6. Restart Integration Server.
Note:
The jsseEnabledProtocols value specified for the port record in the listeners.cnf file overrides the value set by the watt.net.jsse.server.enabledProtocols server configuration parameter.
When the logging facility 0006 Server SSL Interface is set to the Debug logging level, Integration Server writes messages about protocols used for inbound and outbound ports to the server log. At the Trace logging level, Integration Server writes messages about the enabled cipher suites. You can use these server log messages to confirm the enabled protocols for any JSSE port.
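As a static complement to the log check, the following added example (not part of the product documentation) audits a listeners.cnf file against the procedure and the downgrade note above. The helper name audit_listeners, the enclosing <Values> root element, and port 5443 in the sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample using the record/value layout shown in the procedure.
SAMPLE = """<Values version="2.0">
  <record name="HTTPSListener@5333" javaclass="com.wm.util.Values">
    <value name="useJSSE">true</value>
    <value name="jsseEnabledProtocols">SSLv2Hello,TLSv1.1,TLSv1.2</value>
  </record>
  <record name="FTPSListener@4602" javaclass="com.wm.util.Values">
    <value name="useJSSE">true</value>
  </record>
  <record name="HTTPSListener@5443" javaclass="com.wm.util.Values">
    <value name="useJSSE">true</value>
    <value name="jsseEnabledProtocols">TLSv1.2</value>
  </record>
</Values>"""

TLS_OK = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # "TLSv1 or higher"

def audit_listeners(xml_text):
    """Map each HTTPS/FTPS listener record to a list of issues ([] = none)."""
    report = {}
    for rec in ET.fromstring(xml_text).iter("record"):
        name = rec.get("name", "")
        if not name.startswith(("HTTPSListener@", "FTPSListener@")):
            continue
        vals = {v.get("name"): (v.text or "").strip() for v in rec.findall("value")}
        issues = report.setdefault(name, [])
        if vals.get("useJSSE", "").lower() != "true":
            issues.append("useJSSE is not true")
            continue
        raw = vals.get("jsseEnabledProtocols")
        if raw is None:
            # Inferred from the override note: with no per-port entry,
            # the server-wide parameter decides the protocols.
            issues.append("no jsseEnabledProtocols entry; "
                          "watt.net.jsse.server.enabledProtocols applies")
            continue
        protos = [p.strip() for p in raw.split(",") if p.strip()]
        below = [p for p in protos if p not in TLS_OK]
        if below:
            issues.append("not TLSv1 or higher: " + ",".join(below))
        if len(protos) != 1:
            issues.append("expected a single version, found %d entries" % len(protos))
    return report

if __name__ == "__main__":
    for port, issues in audit_listeners(SAMPLE).items():
        print(port, "->", "; ".join(issues) or "ok")
```

To audit a real instance, pass the contents of each package's listeners.cnf to audit_listeners instead of SAMPLE.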