Configuring TLS protocols and Cipher suites for HTTPS

The MVMM Application Service Web secure port uses HTTPS. MVMM is configured to support TLSv1.2 by default. This ensures compatibility with modern web browsers as well as with earlier versions of MVMM (e.g. agents from earlier versions, which require TLSv1.2).

When changing this configuration, refer to the agent tier requirements documented below.

Configuring the TLS protocol for HTTPS

To configure the HTTPS TLS protocols offered by the MVMM Application Service, edit the sslContextFactory definition in jetty/qpas.xml (shown below). Back up the file before making changes.

The MVMM Application Service must be restarted for changes to take effect.

<Set name="IncludeProtocols">
  <Array type="String">
    <!-- =========================================================== -->
    <!-- TLSv1.2 is required for internal services connections       -->
    <!-- TLSv1.2 is required for 9.1 or earlier agent connections    -->
    <!-- TLSv1.2 and TLSv1.3 are supported for 9.2 or later agents   -->
    <!-- TLSv1.2 and TLSv1.3 are supported for browsers              -->
    <!-- =========================================================== -->
    <Item>TLSv1.3</Item>
    <Item>TLSv1.2</Item>
  </Array>
</Set>

Either or both of IncludeProtocols or ExcludeProtocols can be used, as required.

The full list of protocol names accepted here is SSL, SSLv2, SSLv3, TLS, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. We recommend that you offer only TLSv1.2 and TLSv1.3. SSLv2, SSLv3, TLSv1 and TLSv1.1 are deprecated, and recent Java runtimes (JDK 8u291, 11.0.11 and later) disable them through the jdk.tls.disabledAlgorithms security property, so listing them in IncludeProtocols does not by itself re-enable them.

Configuring the TLS Cipher Suites for HTTPS

To configure the HTTPS TLS cipher suites offered by the MVMM Application Service, edit the sslContextFactory definition in jetty/qpas.xml (shown below). Back up the file before making changes.

The MVMM Application Service must be restarted for changes to take effect.

<Set name="IncludeCipherSuites">
  <Array type="String">
    ...
  </Array>
</Set>

Either or both of IncludeCipherSuites or ExcludeCipherSuites may be used, as required.

The full list of supported TLS cipher suites is documented here: JSSE Cipher Suite Names

Agent Tier Requirements for HTTPS

The MVMM Configuration Agent can use HTTP or HTTPS to access distribution packages or BTM deployment information, depending on its configuration. By default it uses HTTPS over TLSv1.3.

To change whether the agent uses HTTP or HTTPS, set the ASSecure agent preference with agentpref. For example, to use HTTPS:

% agentpref --set "BTMConfig Ext" ASSecure true

To change the TLS protocol the agent uses, set a Java system property in the MVMM Configuration Agent's bmmtm_agent/bin/wrapper.conf file, as shown below.

The MVMM Configuration Agent must be restarted for changes to take effect.

# wrapper.java.additional.N entries must be numbered contiguously (no gaps); use the next free N
wrapper.java.additional.8=-Dcom.bmc.mmpa.client_protocols=TLSv1.3
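The server-side protocol and cipher-suite lists and the agent-side client_protocols setting have to agree, and a numbering gap in wrapper.conf silently disables the agent setting. As an added example (not part of the MVMM documentation or product), the following Python script audits both files before a restart: it computes the protocols the Application Service will offer from IncludeProtocols/ExcludeProtocols, flags deprecated protocols and weak or non-forward-secret cipher suites, checks that TLSv1.2 is still offered for internal services and 9.1 or earlier agents, verifies wrapper.java.additional.N numbering, and confirms that the agent's protocol is one the server offers. It assumes the surrounding Configure/New elements of the constructed qpas.xml sample (the page shows only the Set elements), that com.bmc.mmpa.client_protocols accepts a comma-separated list (only a single value is shown on this page), Jetty's SslContextFactory include-then-exclude semantics, and the Java Service Wrapper's behaviour of stopping at the first gap in wrapper.java.additional.N numbering.

```python
"""Audit MVMM TLS settings in jetty/qpas.xml and bmmtm_agent/bin/wrapper.conf.
Added example, not product code; see the lead-in for the assumptions made."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Constructed sample. Only the <Set> elements appear on the page; the
# enclosing <Configure>/<New> elements are assumed.
SAMPLE_QPAS_XML = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="IncludeProtocols">
      <Array type="String">
        <Item>TLSv1.3</Item>
        <Item>TLSv1.2</Item>
        <Item>TLSv1.1</Item>
      </Array>
    </Set>
    <Set name="ExcludeProtocols">
      <Array type="String">
        <Item>SSLv3</Item>
      </Array>
    </Set>
    <Set name="IncludeCipherSuites">
      <Array type="String">
        <Item>TLS_AES_256_GCM_SHA384</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
        <Item>TLS_RSA_WITH_3DES_EDE_CBC_SHA</Item>
      </Array>
    </Set>
  </New>
</Configure>
"""

# Constructed sample wrapper.conf lines; note the gap at .3 before the TLS setting.
SAMPLE_WRAPPER_CONF = """\
wrapper.java.additional.1=-Xmx512m
wrapper.java.additional.2=-Dfile.encoding=UTF-8
wrapper.java.additional.4=-Dcom.bmc.mmpa.client_protocols=TLSv1.3
"""

ACCEPTABLE_PROTOCOLS = ("TLSv1.3", "TLSv1.2")
# NULL, anonymous, export, RC4, DES/3DES and MD5 suites are broken or deprecated.
WEAK_SUITE_RE = re.compile(r"_(NULL|anon|EXPORT|RC4|3DES|DES|MD5)_|_MD5$")
# Static RSA key exchange: no forward secrecy (and absent from TLS 1.3).
NO_FORWARD_SECRECY_RE = re.compile(r"^(TLS|SSL)_RSA_WITH_")
ADDITIONAL_RE = re.compile(r"^wrapper\.java\.additional\.(\d+)=(.*)$")
CLIENT_PROTOCOLS_RE = re.compile(r"-Dcom\.bmc\.mmpa\.client_protocols=(\S+)")


def read_string_array(root: ET.Element, set_name: str) -> list[str]:
    """Return the <Item> values under every <Set name=set_name><Array type="String">."""
    items: list[str] = []
    for set_el in root.iter("Set"):
        if set_el.get("name") == set_name:
            items.extend((item.text or "").strip() for item in set_el.iter("Item"))
    return items


def effective_protocols(include: list[str], exclude: list[str]) -> list[str]:
    """Mirror Jetty's SslContextFactory: Include restricts, then Exclude removes."""
    return [p for p in include if p not in set(exclude)]


def parse_wrapper_conf(text: str) -> tuple[list[int], list[str]]:
    """Return the additional.N indices present and the agent's client_protocols
    value split on commas (comma-separated syntax is an assumption)."""
    numbers: list[int] = []
    agent_protocols: list[str] = []
    for line in text.splitlines():
        match = ADDITIONAL_RE.match(line.strip())
        if not match:
            continue
        numbers.append(int(match.group(1)))
        cp = CLIENT_PROTOCOLS_RE.search(match.group(2))
        if cp:
            agent_protocols = [p for p in cp.group(1).split(",") if p]
    return sorted(numbers), agent_protocols


def missing_additional_numbers(numbers: list[int]) -> list[int]:
    """The Java Service Wrapper reads additional.1, .2, ... and stops at the first gap."""
    present = set(numbers)
    return [n for n in range(1, max(numbers, default=0) + 1) if n not in present]


def audit(qpas_xml: str, wrapper_conf: str) -> list[str]:
    """Return human-readable findings; an empty list means the settings are consistent."""
    findings: list[str] = []
    root = ET.fromstring(qpas_xml)
    include = read_string_array(root, "IncludeProtocols")
    exclude = read_string_array(root, "ExcludeProtocols")
    if not include:
        findings.append("IncludeProtocols is empty: the JVM default protocol list applies; set it explicitly")
    offered = effective_protocols(include, exclude)
    findings.extend(f"server offers deprecated protocol {p}" for p in offered if p not in ACCEPTABLE_PROTOCOLS)
    if include and "TLSv1.2" not in offered:
        findings.append("TLSv1.2 not offered: internal services and 9.1 or earlier agents cannot connect")
    for suite in read_string_array(root, "IncludeCipherSuites"):
        if WEAK_SUITE_RE.search(suite):
            findings.append(f"weak cipher suite {suite}")
        elif NO_FORWARD_SECRECY_RE.match(suite):
            findings.append(f"cipher suite {suite} uses static RSA key exchange (no forward secrecy)")
    numbers, agent_protocols = parse_wrapper_conf(wrapper_conf)
    gaps = missing_additional_numbers(numbers)
    if gaps:
        findings.append(f"wrapper.java.additional numbering has gaps at {gaps}; entries after a gap are ignored")
    findings.extend(f"agent configured for {p} but the Application Service does not offer it"
                    for p in agent_protocols if include and p not in offered)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_QPAS_XML, SAMPLE_WRAPPER_CONF):
        print("-", finding)
```

Run against the constructed samples, the script reports three findings: TLSv1.1 is still offered, the 3DES suite is weak, and the agent's TLS setting sits after a numbering gap and will be ignored. Replace the sample strings with the contents of your own qpas.xml and wrapper.conf to check a real installation before restarting the services.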


MainView Middleware Monitor 9.2