Enforcing the use of a security protocol or set of ciphers
For security reasons, ensure that all SSL connections to and from the HCL DevOps Deploy (Deploy) server uses the TLSv1.2 protocol. To configure SSL globally, follow these instructions under jdk.tls.disabledAlgorithms here.
The Deploy server uses the following communication protocols that rely on SSL at the transport level:
- HTTPS for displaying the user interface
- LDAP to connect to LDAP and Active Directory servers
- JDBC to connect to the database containing the schema of the Deploy server application
The following sections explain how to enforce the usage of TLSv1.2.
Environment
Enforcing TLSv1.2 is possible if the Deploy server, relay, and agent are running a JVM version that supports this protocol. For more information on such JVM versions, see Oracle JRE and JDK Cryptographic Roadmap. Before you enforce TLSv1.2 as the only supported protocol in Deploy, make sure that the external tools like LDAP servers, database servers, and middleware that the plug-ins deploy to, also support TLSv1.2 or else the connections will fail.
Deploy server: HTTPS protocol
<Connector port="${install.server.web.https.port}"
address="${install.server.web.ip}"
server="SERVER"
maxThreads="150"
enableLookups="false"
acceptCount="100"
debug="0"
connectionTimeout="20000"
disableUploadTimeout="true"
compression="1024"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/javascript,text/css,text/plain,application/json"
algorithm="${install.server.ssl.algorithm}"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false"
URIEncoding="UTF-8"
ciphers="${install.server.ssl.enabledCiphers}"
sslEnabledProtocols="${install.server.ssl.enabledProtocols}"
keystoreFile="${tomcat.keystore.file}"
keyAlias="${tomcat.key.alias}"
keystorePass="${tomcat.keystore.password}" />
To enforce TLSv1.2, add or modify the
install.server.ssl.enabledProtocols=TLSv1.2 property in the
devops-deploy/server/conf/server/installed.properties file. Note that
this property might be missing, or it might be present and have a different value, including
an empty value. The property is referred to as:
${install.server.ssl.enabledProtocols} in the
server.xml and installed.properties files.
Deploy Server: LDAP integration
ldaps:// protocol
that uses port 636 but default to connect through SSL or TLS. install.server.ssl.enabledProtocols parameter changes the
SSLContextParameters which might affect the LDAP connection that is opened. Deploy Server: JDBC connection to the database server
JDBC is used to connect Deploy to the backend database.
DB2
Refer to the DB2 documentation - Configuring SSL support in a DB2 instance for detailed information. Configure the DB2 instance according to the instructions, and test after you compete the configuration.
PostgresConnection string: connectionString=jdbc:postgresql://dbhost/dummy?ssl=true jdbcDriver=org.postgresql.Driver jdbcJar=C:\devops-deploy\agent\postgresql-42.1.4.jar.
Import the database certificate to the Deploy Agent Java keystore. The latest available plug-in is version 13, see SQL JDBC plug-in for Deploy.
Microsoft SQL Server- Ensure that your Microsoft SQL server supports TLSv1.2 and have the right FixLevel and KB 3052404 installed on it.
- Enable TLSv1.2.
- Depending on the Microsoft SQL Server JDBC type 4 driver version, you can pass in the JDBC a connection string that enforces TLSv1.2, that is sslProtocol=TLSv1.2 protocol.
- You can enforce TLSv1.2 at the JRE level that runs the Deploy server.
Enabling TLSv1.2 has the following results:
- Outgoing connections to the LDAP database all are made with TLSv1.2.
- Incoming connections from Deploy agents, Deploy agent relays, and WebUI require TLS v1.2.
These results can be undesirable if one of the involved components does not support TLSv1.2. You must make sure that the JDBC drivers support TLSv1.2. To ensure this support, change the jdk.tls.disabledAlgorithms line in the jre/lib/security/java.security file to jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1. You can also pass the devops-deploy/server/bin/set_env JAVA_OPTS string through a java.security file.
Note: You cannot disable the SSLv2Hello, because it is used as the initial handshake from the Deploy agents with the Deploy server. For the JDBC connection string, refer to the SQL Server 2017 documentation - Understanding SSL Support. The encrypt=true property uses TLS/SSL.
Do not blanket trustServerCertificate=false. Every SSL certificate from Microsoft SQL server uses the default JRE's trust store jre/lib/security/cacerts. Use hostNameInCertificate=yes to verify that DNS and SubjectAltName in the SSL certificate are the same. For trustStore=/my/own/trustStore.jks, do not use the default JRE's trust store jre/lib/security/cacert, use a separate one. The trustStorePassword=changeit is the password for the trust store.
- Ensure that you have a JDBC driver version higher than 12.2.0.1.
- In the file devops-deploy/server/bin/set_env.sh append the following -D argument -Doracle.net.ssl_version='1.2' in the value you currently set for JAVA_OPTS variable.
- Restart the Deploy server.
Deploy Agent
To add TLSv1.2 protocol to Deploy agents using
HTTPS communication with the Deploy server, add
-Djdk.tls.client.protocols=TLSv1.2 line to the
devops-deploy/agent/bin/worker-args.conf file.
For a step running on Deploy agent, add
-Djdk.tls.client.protocols=TLSv1.2 line to the
devops-deploy/agent/conf/plugin-javaopts.conf file.