Configuring Integration Server as an SSL Server
In addition to the general SSL configuration tasks identified in Preparing to Configure SSL in Integration Server, to configure Integration Server as an SSL server, you must also create ports, specify enabled SSL/TLS protocols, and set the allowed cipher suites.
To configure Integration Server as an SSL server, complete the following SSL-server-specific tasks:
1. Add an HTTPS or FTPS port. If an HTTPS or FTPS port is not yet defined, you must create one. This is required for one-way and two-way SSL authentication.
If you want to allow only secure connections to the server:
Ensure that the primary port is an HTTPS port.
Delete all other non-HTTPS ports.
Add additional HTTPS or FTPS ports as required.
2. Specify SSL/TLS protocols for inbound communication. To specify the allowed SSL/TLS protocols for communication with an Integration Server acting as an SSL server, you actually identify which SSL/TLS protocols are explicitly disabled in the watt.net.jsse.server.disabledProtocols server configuration parameter.
For more information regarding how Integration Server uses the disabled list of SSL/TLS protocols to determine which SSL/TLS protocols are allowed, see Supported SSL/TLS Protocols.
You can disable SSL/TLS protocols for JSSE on a per port basis. The protocols disabled on a per port basis take precedence over those specified in watt.net.jsse.server.disabledProtocols. For more information about disabling protocols per port, see Disabling Protocols for JSSE per Port.
You can disable TLS renegotiation for all HTTPS and FTPS ports that use JSSE by setting a Java system property. TLS renegotiation can lead to Denial of Service (DoS) attacks. For more information about disabling TLS renegotiation, see Disabling TLS Renegotiation.
Note:
If Integration Server is not using JSSE to secure inbound communications, and is instead using TLSv1.0, the values of the watt.net.ssl.server.handshake.minVersion and watt.net.ssl.server.handshake.maxVersion server configuration parameters determine the enabled protocols. Note that TLSv1.0 is not secure.
3. Specify allowed cipher suites for inbound communication. The watt.net.jsse.server.enabledCipherSuiteList server configuration parameter specifies the cipher suites for inbound SSL connections when the port uses JSSE to secure connections.
Optionally, set watt.net.jsse.server.useCipherSuitesOrder=true to force the Integration Server acting as an SSL server to present its cipher suites in the order they appear in the watt.net.jsse.server.enabledCipherSuiteList. If needed, reorder the cipher suites list to ensure that the strong ones you need are listed first.
Note:
If Integration Server is not using JSSE to secure inbound communications and is instead using TLSv1.0, the watt.net.ssl.server.cipherSuiteList and watt.net.ssl.client.strongcipheronly determine the allowed cipher suites.
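The following added example, which is not part of the original documentation or the product, audits the three server-wide JSSE parameters named in steps 2 and 3. It assumes the settings are available as key=value lines with comma-separated values and uses the standard JSSE protocol names; the sample settings and the function names are constructed for illustration.

```python
# Added example: audit the server-wide inbound JSSE parameters named on this page.
# Assumptions: key=value lines, comma-separated values, standard JSSE protocol names.
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")  # deprecated by RFC 7568 / RFC 8996
WEAK_MARKERS = ("_NULL_", "_EXPORT_", "_anon_", "_RC4_", "_DES_", "_3DES_", "_MD5")

# Constructed sample settings, not taken from a real server.
SAMPLE = """\
watt.net.jsse.server.disabledProtocols=SSLv3,TLSv1
watt.net.jsse.server.enabledCipherSuiteList=SSL_RSA_WITH_RC4_128_MD5,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
watt.net.jsse.server.useCipherSuitesOrder=false
"""

def parse(text):
    """Return {key: value} for non-comment key=value lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def is_weak(suite):
    return any(marker in suite for marker in WEAK_MARKERS)

def audit(text):
    """Return a list of findings for the server-wide inbound JSSE settings."""
    cfg = parse(text)
    findings = []
    disabled = set(split_list(cfg.get("watt.net.jsse.server.disabledProtocols", "")))
    for proto in LEGACY_PROTOCOLS:
        if proto not in disabled:
            findings.append(f"{proto} is not in disabledProtocols")
    suites = split_list(cfg.get("watt.net.jsse.server.enabledCipherSuiteList", ""))
    for suite in suites:
        if is_weak(suite):
            findings.append(f"weak cipher suite enabled: {suite}")
    ordered = cfg.get("watt.net.jsse.server.useCipherSuitesOrder", "").lower() == "true"
    if not ordered:
        findings.append("useCipherSuitesOrder is not true; list order is not enforced")
    elif suites and is_weak(suites[0]):
        findings.append("server order is enforced but a weak suite is listed first")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Protocols disabled on a per port basis take precedence over the server-wide parameter, so review per-port settings separately.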