This section provides reference information for the Cloud Bridge Agent Transport Layer Security (TLS) policy. TLS is the successor to Secure Sockets Layer (SSL).
Java ships with a security policy codified in the java.security policy file. It is typically located in the conf/security folder relative to $JAVA_HOME. Cloud Bridge containers are based upon the CAFapi Java 11 image. The CAFapi Java 11 container image disables weak TLS cipher suites in the disableWeakTlsAlgorithms.patch patch file. This is an excellent, if strict, security posture and meets the OpenText security requirements.
This section uses the following terms:
RSA (Rivest Shamir Adleman)
ECC (Elliptic Curve Cryptography)
Symmetric Cryptography (for example, AES)
Asymmetric Cryptography (Public/Private Key pair)
DH & ECDH (Diffie-Hellman & Elliptic-Curve Diffie-Hellman)
Hash Function (for example, SHA1, SHA256, SHA512)
CA (Certificate Authority)
Host Certificate (Certificate used for a web server)
Ideally, we would like to restrict communication to TLS 1.3. However, we must also make it possible to use the TLS 1.2 protocol safely, which causes us to exclude cipher suites that are available but should not be used.
Remove the TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 cipher from the list.
Increase RSA key size: “RSA keySize < 2048”
RSA less than 2048-bit
Diffie-Hellman less than 2048-bit
Elliptic Curve less than 224-bit
The following algorithms are disallowed and will not successfully negotiate the "handshake" process:
Camellia 128-bit with Cipher Block Chaining (CBC)
AES 256-bit with CBC
AES 128-bit with CBC
TLS DH DSS with AES 256-bit GCM SHA384 (under translation...)
The following algorithms are disallowed:
TLSv1.1 TLSv1 SSLv3 SSLv2 DHE_DSS RSA_EXPORT DHE_DSS_EXPORT DHE_RSA_EXPORT DH_DSS_EXPORT DH_RSA_EXPORT DH_anon ECDH_anon DH_RSA DH_DSS ECDH AES_256_CBC AES_128_CBC 3DES_EDE_CBC DES_CBC RC4_40 RC4_128 DES40_CBC RC2 HmacMD5 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
For more information about configuring secure communication, see the following resources: