Supported SSL/TLS Protocols
The Integration Server JVM and the list of disabled SSL/TLS protocols determine which protocols of SSL/TLS are supported for inbound and outbound connections with Integration Server.
Integration Server determines the enabled protocols by doing the following:
1. Obtaining the SSL/TLS protocols supported by the JVM.
For an inbound connection, Integration Server obtains the supported protocols when starting a port. For an outbound connection, Integration Server obtains the supported protocols at the time the outbound connection is created.
Different JVMs support different protocols. Consequently, the JVM used by your Integration Server affects the protocols available to an Integration Server when it is acting as an SSL client or an SSL server.
2. Applying the list of disabled protocols.
The watt.net.jsse.server.disabledProtocols server configuration parameter specifies the list of disabled protocols for inbound connections on ports. These apply when
Integration Server acts as an SSL server.
The watt.net.jsse.client.disabledProtocols server configuration parameter specifies the list of disabled protocols for outbound connections. These apply when
Integration Server acts as an SSL client.
In short, Integration Server automatically enables all protocols supported by the JVM except the ones disabled using the watt.net.jsse.*.disabledProtocols parameters.
As an example, consider an Integration Server 10.7 that uses the JDK available with Zulu Java 8.47 (build 1.8.0_261) with OpenJSSE. The accompanying JVM supports the following SSL/TLS protocols:
TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2Hello
The default value of the watt.net.jsse.server.disabledProtocols parameter disables the following protocols when Integration Server acts as the SSL server: SSLv2Hello,SSLv3,TLSv1
As a result, the enabled inbound protocols for the described Integration Server would be: TLSv1.3 TLSv1.2 TLSv1.1.
The default value of the watt.net.jsse.client.disabledProtocols parameter disables the following protocols when Integration Server acts as the SSL client: SSLv2Hello,SSLv3,TLSv1
As a result, the enabled outbound protocols for the described Integration Server would be: TLSv1.3 TLSv1.2 TLSv1.1.
To change the allowed SSL/TLS protocols for Integration Server acting as an SSL server and/or client, change the values of the watt.net.jsse.server.disabledProtocols and watt.net.jsse.client.disabledProtocols parameters, respectively.
Note:
You can disable protocols for JSSE on a per port basis. This applies to HTTPS and FTPS ports only. The protocols disabled on a per port basis take precedence over those specified in watt.net.jsse.server.disabledProtocols. For more information, see
Disabling Protocols for JSSE per Port.
When the 0006 Server SSL Interface log facility is set to log at the Info level (the default), Integration Server writes a server log message about supported protocols when a port is started or an outbound connection is established. For example, each time Integration Server starts a port, Integration Server writes a server log message about the protocols supported for that port. For example: [ISC.0006.0037I] (tid=344) SSL port 5543 is configured to support protocols {TLSv1.3, TLSv1.2, TLSv1.1}.
When establishing an outbound SSL connection, Integration Server logs a similar message about supported protocols. For example: [ISC.0006.0038I] (tid=92) Outbound SSL connection www.softwareag.com:443 is configured to support protocols {TLSv1.3, TLSv1.2, TLSv1.1}.