7.0 Strengthening TLS/SSL Settings

Securing TLS/SSL settings involves the following three aspects:

  • Protocol: SSL v2, SSL v3, and TLS1.0 contain known vulnerabilities. Starting with JDK 8u31, SSL v3 has been deactivated and is not available by default. If SSLv3 is required, you can reactivate the protocol at the JRE level. For more information, see The SunJSSE Provider.

    The recommendation is to keep only TLS1.1 and TLS1.2.

    Make these changes in Access Gateway Advanced Options and in the Tomcat configuration of the Administration Console and Identity Server.

  • Encryption: In the encryption algorithms, you need to look at two aspects:

    • Key Exchange Algorithm: Among these algorithms, DH (the non-ephemeral key exchange, as distinct from DHE and ECDHE) is vulnerable. Ensure that cipher suites containing DH are not part of your configuration. The recommended algorithms are RSA, DHE, and ECDHE.

    • Bulk Encryption Algorithm: Among these algorithms, cipher suites that use NULL, DES, 3DES, or RC4 encryption are vulnerable. Ensure that these ciphers are not part of your configuration. Enabling only cipher suites that use AES is recommended.

    Make these changes in Access Gateway Advanced Options and in the Tomcat configuration of the Administration Console and Identity Server.

  • Message Authentication Code (MAC) Algorithm: Among these algorithms, MD5 and SHA1 are vulnerable. Ensure that cipher suites containing MD5 or SHA1 are not part of your configuration. Enabling only cipher suites that use SHA-256 or higher is the secure option.

    Make these changes in Access Gateway Advanced Options and in the Tomcat configuration of the Administration Console and Identity Server.
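The three rules above (key exchange, bulk cipher, MAC) can be applied mechanically to a cipher suite list before it is pasted into a connector configuration. The following script is an added example written for this section; it is not part of the product documentation or of Tomcat. It assumes JSSE-style suite names of the form TLS_<kx>_WITH_<bulk>_<hash> (the form used in Java/Tomcat configurations), treats a trailing plain "SHA" as SHA-1, and treats GCM suites' SHA256/SHA384 suffix as the hash the rule applies to. The configured list is constructed for illustration. The protocol rule is a separate connector setting and is not covered here.

```python
import re

# JSSE-style suite names look like (TLS|SSL)_<key exchange>_WITH_<bulk cipher>_<MAC or hash>.
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<rest>.+)$")

# Key-exchange families this section recommends; anything else (static DH, ECDH,
# anonymous DH, ...) is rejected.
ALLOWED_KX = {"RSA", "DHE", "ECDHE"}

# Constructed sample of a pre-hardening configuration (not taken from any real deployment).
CONFIGURED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",          # SHA-1 MAC
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA256",    # static DH key exchange
    "TLS_DH_anon_WITH_AES_256_GCM_SHA384",   # anonymous DH
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",         # 3DES
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",        # RC4
    "TLS_RSA_WITH_NULL_SHA256",              # NULL encryption
    "SSL_RSA_WITH_RC4_128_MD5",              # RC4 and MD5
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",     # signalling value, not a cipher suite
]


def parse_suite(name):
    """Split a JSSE suite name into (key_exchange, bulk_cipher, mac); None if it does not fit."""
    m = SUITE_RE.match(name)
    if not m:
        return None
    bulk, _, mac = m.group("rest").rpartition("_")
    if not bulk:
        return None
    return m.group("kx"), bulk, mac


def evaluate_suite(name):
    """Return (accepted, reason) for one suite under the three rules of this section."""
    parts = parse_suite(name)
    if parts is None:
        return False, "not a recognised TLS_/SSL_..._WITH_... cipher suite name"
    kx, bulk, mac = parts

    # Rule 1: key exchange must be RSA, DHE or ECDHE (first token of the kx field).
    if kx.split("_")[0] not in ALLOWED_KX:
        return False, f"key exchange {kx} is not RSA/DHE/ECDHE"

    # Rule 2: bulk cipher must be AES; this rejects NULL, DES, 3DES and RC4.
    if not bulk.startswith("AES_"):
        return False, f"bulk cipher {bulk} is not AES"

    # Rule 3: hash must be SHA-256 or stronger; plain "SHA" means SHA-1 in JSSE names.
    hm = re.fullmatch(r"SHA(\d+)", mac)
    if hm is None or int(hm.group(1)) < 256:
        return False, f"hash {mac} is weaker than SHA-256"

    return True, "ok"


def harden(suites):
    """Partition a suite list into the suites to keep and a dict of rejected name -> reason."""
    kept, rejected = [], {}
    for suite in suites:
        ok, why = evaluate_suite(suite)
        if ok:
            kept.append(suite)
        else:
            rejected[suite] = why
    return kept, rejected


def connector_ciphers_value(kept):
    """Comma-separated form used by a Tomcat HTTPS connector's ciphers attribute."""
    return ",".join(kept)


if __name__ == "__main__":
    kept, rejected = harden(CONFIGURED_SUITES)
    print("ciphers=\"" + connector_ciphers_value(kept) + "\"")
    for suite, why in rejected.items():
        print(f"rejected {suite}: {why}")
```

Run the script against the suite list currently configured on the connector; the printed ciphers value contains only suites that pass all three rules, and each rejected suite is listed with the rule it failed so the change can be reviewed before it is applied.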

NOTE: Security strengthening measures can impact performance. Therefore, select the ciphers based on your security and performance requirements. For example, DHE and ECDHE ciphers are more secure, but they need more computation and therefore impact performance. Between DHE and ECDHE, ECDHE has a lower computational cost and therefore performs better than DHE ciphers.

This section discusses the following topics: