This page describes the security protocol used by an on-premises Controller, and how you can modify it.
The Controller secures connections using TLSv1.2 by default. However, you can change the security protocols used by the Controller if needed. For instance, you need to change the protocol if you are using agents that don't support TLSv1.2. These agents include:
If upgrading the agents or .NET framework is not possible, you will need to enable TLSv1 and SSL3 on the Controller using the
asadmin command-line utility. To use the utility, you will need to supply the password configured for the root user for the Controller.
These changes require a restart of the Controller application server, which results in a brief service downtime. You may wish to apply these change when the downtime will have the least impact.
To maintain a secure environment, APIs that are downstream of the Controller should also use TLS. If SSL3 is required, you can enable it. See the Oracle JDK 8 documentation.
Open a browser and navigate to the Enterprise Console GUI:
9191 is the default port.
Navigate to AppServer Configurations by choosing the platform, Configurations, Controller Settings, and Appserver Configurations.
In the Domain Protocols box on the JVM Options tab, edit the
configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls-enabled=false parameter to true.
|You do not need to restart the Controller application server since the configuration change job automatically does so for you.|
By default, the Controller's embedded Java runtime only supports up to 128-bit encryption key lengths for secure connections. You can, however, enable up to 256-bit encryption keys so the Controller can establish connections using the stronger ciphers.
To enable stronger keys in encryption keys in the Controller, follow the instructions for the Controller version you are running.
After restarting the Controller app server, the following cipher suites become available: