Transport Layer Security (TLS) encrypts messages passed between two parties, protecting them from eavesdropping or modification by a third party.
Compatibility with Java versions
TLS is backward compatible, which allows it to connect to any version of Java.
Both Java 7 and Java 8 support TLSv1, TLSv1.1 and TLSv1.2. However, the protocols that the JDK uses by default in Fiorano are:
- JDK 8 – TLSv1.2
- JDK 7 – TLSv1.0
Hence, the above TLS versions are assigned by default if the version is not specified.
Configuring TLS
The following Fiorano microservices provide SSL security services in which the TLS protocol settings can be managed:
- WSStub
- WebServiceConsumer
- AS2Connector
- HTTPAdapters
- HttpStub
- SimpleHTTP
- RESTStub
- RESTConsumer
- FTPGet
- FTPPut
- POP3
- SMTP
- JMSIn
- JMSRequestor
- JMSReplier
- LdapAuthenticator
- LDAPLookup
The TLS version may be set explicitly by providing the value in the SSL settings in either of the two places below:
- Configuration Property Sheet (CPS) of the specific component.
- Runtime argument in System Properties.
In the Configuration Property Sheet
Enabling SSL in the CPS lets you specify the required TLS version. To configure TLS settings, perform the following actions:
- Double-click the microservice inserted in the Fiorano Orchestrator.
- Enable the Show Expert Properties option in the upper-left side of the CPS.
- Click the SSL Security ellipsis button to configure SSL Settings.
- In the SSL Configuration dialog box, select the Enable SSL property under SSL Settings and provide the Security Protocol property value.
In Runtime Arguments
Instead of overriding SSL socket creation in the CPS, the protocol can also be configured as a JVM system property. This applies the defined value to all the microservice instances across the event processes.
To force a microservice to use a different TLS protocol than the default one, specify the value for the -Dsecurity.protocol system property in the runtime arguments.
Example: To use TLSv1.1 on JDK 8, for which the default protocol is TLSv1.2, provide the value -Dsecurity.protocol=TLSv1.1
To configure TLS settings with the protocol above, perform the following actions:
- Click the microservice inserted in the Fiorano Orchestrator.
- In the Properties pane, select the Runtime Arguments tab and provide the value in the following format in the JVM_PARAMS box: -Dsecurity.protocol=TLSv1.1
- Press Enter to save the settings.
Press No to save the JVM settings for the selected microservice.
Debugging the TLS settings
For event processes running in the Separate Process mode, the TLS protocol being used may be checked by providing the JVM Parameter value below in the microservice property:
-Djavax.net.debug=ssl
To debug SSL information, perform the following actions:
- Click the microservice inserted in the Fiorano Orchestrator.
- In the Properties pane, select the Runtime Arguments tab and provide the value below in the JVM_PARAMS field: -Djavax.net.debug=ssl
- Press Enter to save the settings.
This JVM parameter prints SSL-related information. To check the TLS protocol used, search for the string 'ClientHello' or 'ServerHello' in the logs. The protocol version follows the string, as shown below:
- *** ClientHello, TLSv1.2
- *** ServerHello, TLSv1.2
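
The log check described above can be automated. The following is an added example, not part of the Fiorano documentation or product, that pairs each ClientHello with its ServerHello and flags handshakes negotiated below an assumed floor of TLSv1.2; the function name, the floor and the sample log lines are constructed for illustration.

```python
import re

# Handshake lines printed by -Djavax.net.debug=ssl, in the form shown on this
# page, e.g. "*** ServerHello, TLSv1.2".
HELLO_RE = re.compile(r"\*\*\* (ClientHello|ServerHello), (SSLv3|TLSv1(?:\.[0-3])?)")

# Ordering used to compare protocol versions ("TLSv1" is TLS 1.0).
RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def audit_handshakes(lines, minimum="TLSv1.2"):
    """Return one (offered, negotiated, ok) tuple per handshake.

    ClientHello carries the highest version the client offers; ServerHello
    carries the version the connection actually uses, so only ServerHello is
    compared against `minimum` (an assumed policy floor, not a Fiorano setting).
    Assumes handshakes are not interleaved by concurrent threads in the log.
    """
    results, offered = [], None
    for line in lines:
        match = HELLO_RE.search(line)
        if not match:
            continue
        kind, version = match.groups()
        if kind == "ClientHello":
            if offered is not None:  # earlier ClientHello got no ServerHello
                results.append((offered, None, False))
            offered = version
        else:
            results.append((offered, version, RANK[version] >= RANK[minimum]))
            offered = None
    if offered is not None:  # log ended before the server answered
        results.append((offered, None, False))
    return results


# Constructed sample, not real Fiorano output: a TLSv1.2 handshake, one forced
# down with -Dsecurity.protocol=TLSv1.1, and one the server never answered.
SAMPLE_LOG = """\
*** ClientHello, TLSv1.2
(other debug output)
*** ServerHello, TLSv1.2
*** ClientHello, TLSv1.1
*** ServerHello, TLSv1.1
*** ClientHello, TLSv1.2
""".splitlines()

if __name__ == "__main__":
    for offered, negotiated, ok in audit_handshakes(SAMPLE_LOG):
        print(offered, "->", negotiated, "OK" if ok else "REVIEW")
```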