This section provides reference information for the Cloud Bridge Agent Transport Layer Security (TLS) policy. TLS is the successor to Secure Sockets Layer (SSL).
Java ships with a security policy codified in the java.security policy file. It is typically located in the conf/security folder relative to $JAVA_HOME. Cloud Bridge containers are based upon the CAFapi Java 11 image. The CAFapi Java 11 container image disables weak TLS cipher suites in the disableWeakTlsAlgorithms.patch patch file. This is an excellent, if strict, security posture and meets the OpenText security requirements. However, some customers have had difficulty connecting with other resources on their respective networks. So, we have developed and tested a relaxed or "intermediate" security policy. This policy restores some of the ciphers disabled by the CAFapi team and further introduces key length limitations. The patch in its entirety appears below, but the following sections provide additional explanation.
This section uses the following terms:
RSA (Rivest Shamir Adleman)
ECC (Elliptic Curve Cryptography)
Symmetric Cryptography (for example, AES)
Asymmetric Cryptography (Public/Private Key pair)
DH & ECDH (Diffie-Hellman & Elliptic-Curve Diffie-Hellman)
Hash Function (for example, SHA1, SHA256, SHA512)
CA (Certificate Authority)
Host Certificate (Certificate used for a web server)
Ideally, we would like to restrict communication to TLS 1.3. However, we must also make it possible to use the TLS 1.2 protocol safely, which causes us to exclude cipher suites that are available but should not be used.
Remove the TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 cipher from the list.
Increase RSA key size: “RSA keySize < 2048”
RSA less than 2048-bit
Diffie-Hellman less than 1024-bit
Elliptic Curve less than 224-bit
The following algorithms are disallowed and will not successfully negotiate the "handshake" process:
Camellia 128-bit with Cipher Block Chaining (CBC)
AES 256-bit with CBC
AES 128-bit with CBC
TLS DH DSS with AES 256-bit GCM SHA384 (under translation...)
You can achieve “intermediate” level security by disabling the following suites and enforcing acceptable key sizes:
--- java.security 2021-10-05 06:34:16.000000000 -0500
+++ java.security.intermediate 2022-02-15 14:22:30.878689700 -0600
@@ -753,25 +753,20 @@
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
- DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+ RSA keySize < 2048, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
CAMELLIA_128_CBC, AES_256_CBC, AES_128_CBC, \
DES40_CBC, RC4_40, CAMELLIA_256_CBC, DES_CBC, \
SEED_CBC, RC4_56, RC4_128, IDEA_CBC, RC2_CBC_40, \
TLS_DH_DSS_WITH_AES_128_GCM_SHA256, \
- TLS_DH_DSS_WITH_AES_256_GCM_SHA384, \
- TLS_DH_RSA_WITH_AES_128_GCM_SHA256, \
- TLS_DH_RSA_WITH_AES_256_GCM_SHA384, \
+ TLS_DH_DSS_WITH_AES_256_GCM_SHA384, \
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, \
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, \
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, \
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, \
- TLS_RSA_WITH_AES_256_GCM_SHA384, \
- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, \
- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, \
+ TLS_RSA_WITH_AES_256_GCM_SHA384, \
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, \
TLS_RSA_WITH_AES_128_GCM_SHA256, \
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, \
- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, \
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, \
TLS_EMPTY_RENEGOTIATION_INFO_SCSV, \
include jdk.disabled.namedCurves
For more information about configuring secure communication, see the following resources: