8.0 Strengthening TLS/SSL Settings

Securing TLS/SSL settings has the following three aspects:

  • Protocol: SSL v2, SSL v3, and TLS1.0 contain known vulnerabilities. Starting with JDK 8u31, SSL v3 has been deactivated and is not available by default. If SSLv3 is required, you can reactivate the protocol at the JRE level. For more information, see The SunJSSE Provider.

    By default, Access Manager 4.3 is configured with only TLS1.1 and TLS1.2.

  • Encryption: In the encryption algorithms, you need to look at two aspects:

    • Key Exchange Algorithm: In these algorithms, DH is vulnerable. By default, Access Manager 4.3 includes only RSA, DHE, or ECDHE.

    • Bulk Encryption Algorithm: In these algorithms, cipher suites that contain NULL, DES, 3DES, and RC4 encryptions are vulnerable. By default, Access Manager 4.3 supports cipher suites only with AES.

  • Message Authentication Code (MAC) Algorithm: In these algorithms, MD5 and SHA1 are vulnerable. By default, Access Manager 4.3 supports cipher suites only with SHA 256 or higher.
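
As an added example (not part of the Access Manager documentation or product code), the following Python script checks JSSE-style protocol and cipher suite names against the three criteria listed above. The function names are hypothetical, and the sample protocol and suite lists are constructed input.

```python
# Added example: audit JSSE-style names against the defaults this page states.
ALLOWED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}       # JSSE spellings of TLS1.1/TLS1.2
ALLOWED_KEY_EXCHANGE = {"RSA", "DHE", "ECDHE"}
ALLOWED_MAC = {"SHA256", "SHA384", "SHA512"}     # "SHA 256 or higher"


def audit_protocols(enabled):
    """Return the enabled protocols that are outside the page's default set."""
    return sorted(p for p in enabled if p not in ALLOWED_PROTOCOLS)


def audit_suite(name):
    """Return findings for one cipher suite name; an empty list means it passes."""
    prefix, sep, rest = name.partition("_WITH_")
    parts = prefix.split("_")
    if not sep or len(parts) < 2 or "_" not in rest:
        # e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value, not a suite
        return ["unrecognized name format"]
    findings = []
    kx = parts[1]                                # <TLS|SSL>_<kx>[_<auth>]
    if kx not in ALLOWED_KEY_EXCHANGE:
        findings.append("key exchange %s is not RSA, DHE, or ECDHE" % kx)
    bulk, _, mac = rest.rpartition("_")          # <bulk cipher>_<hash>
    if not bulk.startswith("AES"):
        findings.append("bulk cipher %s is not AES" % bulk)
    # In a suite name a bare "SHA" means SHA1. For GCM suites the last token
    # is the handshake hash rather than a separate MAC; the same rule applies.
    if mac not in ALLOWED_MAC:
        findings.append("hash %s is not SHA 256 or higher" % mac)
    return findings


# Constructed sample input, not taken from any real server configuration.
SAMPLE_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA256",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

if __name__ == "__main__":
    print("protocols to disable:", audit_protocols(SAMPLE_PROTOCOLS))
    for suite in SAMPLE_SUITES:
        print(suite, "->", audit_suite(suite) or "ok")
```

The suite list to audit can be copied from the connector or JRE configuration in use; names that do not follow the `<kx>_WITH_<cipher>_<hash>` pattern are reported as unrecognized rather than silently passed.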

In Access Manager 4.3, security is strengthened. These security measures can impact performance. For example, DHE and ECDHE ciphers are more secure, but they need more computation and therefore impact performance. Of the two, ECDHE has a lower computational cost and therefore performs better than DHE. You can configure the ciphers optimally based on your security and performance requirements by referring to The Sun JSSE Provider.

If you want to restore the previous security settings, see Section 12.0, Restoring Previous Security Level After Upgrading Access Manager.

This section discusses the following topics: