Security for Web Service Providers

The following configuration steps allow you to enable or disable specific SSL protocols and cipher suites.

Determining which protocols and/or cipher suites are currently enabled/disabled

Logging is available (Server version 4.14 and above) indicating which protocols and cipher suites are currently enabled and disabled. The Clarify Server server.log file can be viewed by:

1) Viewing the server.log file within a Clarify Studio that is connected to the particular Clarify Server (or)

2) Directly viewing the Clarify Server server.log file by locating the file:

<Clarify Runtime Workspace Directory>\nodes\workspace\logs\server.log

(the log file can be viewed using a text editor)

This logging is written each time the Clarify Server starts. To locate it, look for the timestamps near the most recent time the Clarify Server was started (if the Clarify Server was just started, look near the most recent timestamps at the end of the file). Alternatively, you can do a text search in the log file for the text:

“[com.extol.application.util.server.JettyLauncherImpl] Jetty Server dump:”

Or simply: “Jetty Server dump:”

The logging will look like the following example:

Scroll down approximately 40-50 lines until you see a section that looks like the following:

Notice in the example above the title “Protocol Selections”, followed by “Enabled” and several protocol names, and then “Disabled” followed by several protocol names. This indicates which SSL protocols are currently enabled and disabled in the Clarify Server.

Disabling specific protocols and/or cipher suites

Configuration settings will be edited in the SSLConfig.properties file, which can be found here:

<Clarify Runtime Workspace Directory>\resources\config\server\misc

The following optional properties can be added:

ssl.webservice.provider.protocols.exclude –

This optional property specifies a comma-separated list of protocols to exclude from use by SSL web service communications. Note that this list is subtractive; that is, whatever protocols are currently enabled in the Clarify Server, the items specified in this list will simply be removed from the list of enabled protocols.

Here is an example of adding this property to exclude the SSLv3 and TLSv1 protocols from use:

ssl.webservice.provider.protocols.exclude = SSLv3, TLSv1

ssl.webservice.provider.ciphers.exclude –

This optional property specifies a comma-separated list of cipher suites to exclude from use by SSL web service communications. Note that this list is subtractive; that is, whatever cipher suites are currently enabled in the Clarify Server, the items specified in this list will simply be removed from the list of enabled cipher suites.

Here is an example of adding this property to exclude the following cipher suites from use:

ssl.webservice.provider.ciphers.exclude = SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA

BEST PRACTICE: The use of these two properties is the recommended best practice for most common scenarios of manipulating the enabled/disabled protocols and cipher suites.

Once you have completed modifications to the SSLConfig.properties file, save the changes and restart the Clarify Server for the configuration settings to take effect. Once the Clarify Server starts up, you should confirm that your changes have been applied. Follow the process outlined in the topic above: “Determining which protocols and/or cipher suites are currently enabled/disabled”.

Advanced settings - Specifying exhaustively the only protocols and cipher suites to enable

In addition to the two properties to exclude protocols and cipher suites from use, there are two advanced property settings that allow for the configuration of only the specific protocols and cipher suites that are to be enabled. Note that these settings differ in behavior from the two “*.exclude” properties explained above: while the “*.exclude” properties behave in a subtractive manner, the two “*.include” properties explained in this section behave in an exhaustive manner; that is, ONLY the protocols / cipher suites listed in these properties will be enabled for use.

The file in which the configuration settings need to be made is:

<Clarify Runtime Workspace Directory>\resources\config\server\misc\SSLConfig.properties

The following optional properties can be added:

ssl.webservice.provider.protocols.include –

This optional property specifies a comma-separated, exhaustive list of protocols to include for use by SSL web service communications. Note well that this list is exhaustive; that is, ONLY the protocols specified in this list will be enabled for use in the Clarify Server; all other protocols will be disabled.

An example of adding this property to ONLY use TLSv1.1 and TLSv1.2 protocols would be as follows:

ssl.webservice.provider.protocols.include = TLSv1.1, TLSv1.2

All other protocols aside from the two specified in this property would be disabled.

ssl.webservice.provider.ciphers.include –

This optional property specifies a comma-separated, exhaustive list of cipher suites to include for use by SSL web service communications. Note well that this list is exhaustive; that is, ONLY the cipher suites specified in this list will be enabled for use in the Clarify Server; all other cipher suites will be disabled.

An example of adding this property to ONLY use the two cipher suites listed below would be as follows:

ssl.webservice.provider.ciphers.include = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256

All other cipher suites aside from those listed in this property would be disabled.
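The two “*.exclude” properties above and the two “*.include” properties in this section apply different rules to the same starting point (the protocols and cipher suites the Clarify Server currently reports as enabled). The following Python script is an added example, not part of this documentation or of the Clarify product: it reads an SSLConfig.properties fragment, applies the subtractive and exhaustive rules as described on this page, and reports the resulting “Enabled” / “Disabled” lists the way the Jetty Server dump does, so you can predict the outcome before restarting the server. It also flags property keys and protocol or cipher names that the server would not recognise, which catches the kind of typo (“exclude” where “include” was meant) that otherwise only shows up in server.log after a restart. The starting sets, the behaviour when both an include and an exclude property are present (include applied first, then exclude), and the treatment of listed names the server does not support (they cannot be enabled, so they are reported as unknown) are assumptions made for this example.

```python
"""Predict the effect of SSLConfig.properties on the enabled protocol and
cipher suite lists, following the semantics described on this page:
  *.exclude -> subtractive: listed items are removed from the enabled set
  *.include -> exhaustive: ONLY the listed items remain enabled
Added example; not Clarify product code."""
from __future__ import annotations

PREFIX = "ssl.webservice.provider."
KNOWN_KEYS = {PREFIX + k for k in
              ("protocols.exclude", "ciphers.exclude",
               "protocols.include", "ciphers.include")}

# Constructed starting point: what a server might list under "Enabled" before
# SSLConfig.properties is applied. Assumption for the example, not real output.
DEFAULT_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
DEFAULT_CIPHERS = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
]

# Constructed SSLConfig.properties fragments mirroring the page's examples.
SUBTRACTIVE_EXAMPLE = """
# recommended best practice: remove only the weak items
ssl.webservice.provider.protocols.exclude = SSLv3, TLSv1
ssl.webservice.provider.ciphers.exclude = SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA
"""
EXHAUSTIVE_EXAMPLE = """
ssl.webservice.provider.protocols.include = TLSv1.1, TLSv1.2
ssl.webservice.provider.ciphers.include = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256
"""
TYPO_EXAMPLE = """
ssl.webservice.provider.protocols.exlude = SSLv3
ssl.webservice.provider.ciphers.exclude = SSL_RSA_WITH_RC4_128_MD6
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments.
    Line continuations and escapes are not needed for these keys."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"   # Java accepts either separator
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def split_list(value: str | None) -> list[str]:
    """'SSLv3, TLSv1' -> ['SSLv3', 'TLSv1']; missing property -> []."""
    return [v.strip() for v in value.split(",") if v.strip()] if value else []


def effective_set(current: list[str], include: list[str],
                  exclude: list[str]) -> tuple[list[str], list[str], list[str]]:
    """Return (enabled, disabled, unknown) for one category, keeping the
    server's original order. Names the server does not offer are 'unknown'."""
    enabled = list(current)
    if include:                      # exhaustive: keep only what is listed
        enabled = [x for x in enabled if x in include]
    if exclude:                      # subtractive: drop what is listed
        enabled = [x for x in enabled if x not in exclude]
    disabled = [x for x in current if x not in enabled]
    unknown = [x for x in include + exclude if x not in current]
    return enabled, disabled, unknown


def evaluate(props_text: str, current_protocols: list[str] = DEFAULT_PROTOCOLS,
             current_ciphers: list[str] = DEFAULT_CIPHERS) -> dict:
    """Apply all four properties and collect a report per category."""
    props = parse_properties(props_text)
    report = {"unknown_keys": sorted(k for k in props
                                     if k.startswith(PREFIX) and k not in KNOWN_KEYS)}
    for name, current in (("protocols", current_protocols), ("ciphers", current_ciphers)):
        include = split_list(props.get(f"{PREFIX}{name}.include"))
        exclude = split_list(props.get(f"{PREFIX}{name}.exclude"))
        enabled, disabled, unknown = effective_set(current, include, exclude)
        report[name] = {"enabled": enabled, "disabled": disabled, "unknown": unknown}
    return report


def print_report(title: str, report: dict) -> None:
    """Print in the style of the 'Protocol Selections' section of the dump."""
    print(f"== {title} ==")
    for name in ("protocols", "ciphers"):
        print(f"{name.capitalize()} Selections")
        for state in ("enabled", "disabled", "unknown"):
            print(f"  {state.capitalize()}: {', '.join(report[name][state]) or '(none)'}")
    if report["unknown_keys"]:
        print("  WARNING unrecognised keys:", ", ".join(report["unknown_keys"]))


if __name__ == "__main__":
    print_report("subtractive (*.exclude)", evaluate(SUBTRACTIVE_EXAMPLE))
    print_report("exhaustive (*.include)", evaluate(EXHAUSTIVE_EXAMPLE))
    print_report("typo check", evaluate(TYPO_EXAMPLE))
```

To check a real file, pass the contents of your SSLConfig.properties to evaluate() and replace the two DEFAULT_* lists with the “Enabled” names copied from the current Jetty Server dump in server.log; anything reported under “Unknown” or “WARNING unrecognised keys” is a name or property the server will silently ignore.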

Once you have completed modifications to the SSLConfig.properties file, save the changes and restart the Clarify Server for the configuration settings to take effect. Once the Clarify Server starts up, you should confirm that your changes have been applied. Follow the process outlined in the topic above: “Determining which protocols and/or cipher suites are currently enabled/disabled”.