AGM SSL configuration best practice
Document ID: KM02061609
Product - Version: Agile Manager 2.0, 2.1, 2.20, 2.30, 2.40
OS: Linux
Updated: Thu Jan 21 16:19:26 GMT 2016
Summary: This is a best practice article about how to configure AGM SSL.

This article provides a best practice for configuring AGM SSL properly. A proper SSL configuration disables the weak protocol (SSLv3) and enables only strong ciphers, which protects your AGM instance against:

1. POODLE SSL vulnerability.
2. Bar Mitzvah vulnerability.
3. Logjam vulnerability.

Solution

To configure the SSL settings correctly, please add the highlighted parts to the definition of the Jetty SSL connector:

<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
     <!-- Disable the weak SSLv3 protocol -->
     <Set name="ExcludeProtocols">
         <Array type="java.lang.String">
             <Item>SSLv3</Item>
         </Array>
     </Set>
  </New>

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
        <Arg><Ref id="sslContextFactory" /></Arg>
        <!-- Enable only these strong cipher suites -->
        <Set name="IncludeCipherSuites">
          <Array type="java.lang.String">
             <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
             <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
             <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
             <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>

</Configure>
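To confirm that an edited file actually carries both settings, the following added example (not part of the original article or of AGM) statically audits a Jetty XML file for the three issues listed above. The function names, the sample builder and the two weak suites in the demo are constructed for illustration, and the check inspects the file only, not what the running server negotiates.

```python
import xml.etree.ElementTree as ET

# Cipher allow-list copied from the article's connector definition.
ARTICLE_SUITES = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

def sample_config(protocols, suites):
    """Build a constructed Jetty XML with the article's layout (sample input only)."""
    arr = lambda vals: "<Array type='java.lang.String'>%s</Array>" % "".join(
        "<Item>%s</Item>" % v for v in vals)
    return ("<Configure id='Server' class='org.eclipse.jetty.server.Server'>"
            "<New id='sslContextFactory' class='org.eclipse.jetty.http.ssl.SslContextFactory'>"
            "<Set name='ExcludeProtocols'>%s</Set></New>"
            "<Call name='addConnector'><Arg>"
            "<New class='org.eclipse.jetty.server.ssl.SslSocketConnector'>"
            "<Arg><Ref id='sslContextFactory'/></Arg>"
            "<Set name='IncludeCipherSuites'>%s</Set>"
            "</New></Arg></Call></Configure>") % (arr(protocols), arr(suites))

def items(root, setter):
    """Collect <Item> text under every <Set name=setter>, case-insensitively."""
    return [i.text.strip() for s in root.iter("Set")
            if (s.get("name") or "").lower() == setter.lower()
            for i in s.iter("Item") if i.text and i.text.strip()]

def audit(xml_text):
    """Return findings for the three issues the article names; [] means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    if "SSLv3" not in items(root, "ExcludeProtocols"):
        findings.append("POODLE: SSLv3 not in ExcludeProtocols")
    suites = items(root, "IncludeCipherSuites")
    if not suites:
        findings.append("no IncludeCipherSuites allow-list configured")
    for s in suites:
        if "_RC4_" in s:  # Bar Mitzvah targets RC4
            findings.append("Bar Mitzvah: RC4 suite allowed: " + s)
        if "_DHE_" in s or "_EXPORT_" in s:  # "_DHE_" does not match ECDHE names
            findings.append("Logjam: DHE/export suite allowed: " + s)
    return findings

if __name__ == "__main__":
    # Constructed weak config: no protocol exclusion, two weak suites appended.
    weak = sample_config([], ARTICLE_SUITES + ["SSL_RSA_WITH_RC4_128_SHA",
                                               "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"])
    print("\n".join(audit(weak)))
```

Pass the text of the Jetty XML file that defines your SSL connector to `audit()`; an empty list means the file matches the configuration recommended here.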