Core Business Services - Security and Auditing
Changing the default protocols and ciphers for Progress OpenEdge servers
You can set the protocol and the cipher for the following server components:
* AppServer Broker: In the [Environment.<appserver_broker>] section of the ubroker.properties file, you can set the following environment variables:
  Property | Description
  PSC_SSLSERVER_PROTOCOLS | Accepts the cryptographic protocol that is set for the AppServer instance
  PSC_SSLSERVER_CIPHERS | Accepts the valid cryptographic cipher that is set for the AppServer instance. The default value is RC4-SHA:RC4-MD5.
  Once you make a change in the ubroker.properties file, you must restart the AppServer broker for the new values to take effect.
  Note: When you set PSC_SSLCLIENT_CIPHERS in the [AppServer.<broker_name>] section of the ubroker.properties file, you must also set PSC_SSLSERVER_CIPHERS.
* WebSpeed Broker: In the [Environment.<webspeed_broker>] section of the ubroker.properties file, you can set the following environment variables:
  Property | Description
  PSC_SSLSERVER_PROTOCOLS | Accepts the cryptographic protocol that is set for the Web server instance
  PSC_SSLSERVER_CIPHERS | Accepts the valid cryptographic cipher that is set for the Web server instance. The default value is RC4-SHA:RC4-MD5.
  Once you make a change in the ubroker.properties file, you must restart the WebSpeed broker for the new values to take effect.
* OpenEdge Database Server: In the startup script of the server application, export the following environment variables.
  Property | Description
  PSC_SSLSERVER_PROTOCOLS | Accepts the cryptographic protocol that is set for the database server instance
  PSC_SSLSERVER_CIPHERS | Accepts the valid cryptographic cipher that is set for the database server instance. The default value is RC4-SHA:RC4-MD5.
  Once you export the variables, invoke a database server executable and start a session for the client application to use the set protocols and ciphers.
* OpenEdge RDBMS: In the ubroker.properties file (available at <OpenEdge-install-directory>/properties), you can set the following environment variables:
  Property | Description
  PSC_SSLSERVER_PROTOCOLS | Accepts the cryptographic protocol that is set for the instance
  PSC_SSLSERVER_CIPHERS | Accepts the valid cryptographic cipher that is set for the instance. The default value is RC4-SHA:RC4-MD5.
* MS SQL Server: In the ubroker.properties file (available at <OpenEdge-install-directory>/properties), you can set the following environment variables:
  Property | Description
  PSC_SSLSERVER_PROTOCOLS | Accepts the cryptographic protocol that is set for the instance
  PSC_SSLSERVER_CIPHERS | Accepts the valid cryptographic cipher that is set for the instance. The default value is RC4-SHA:RC4-MD5.
* AppServer Agent: In the [Environment.<appserver_broker>] section of the ubroker.properties file (available at <OpenEdge-install-directory>/properties), you can set the following environment variables:
  Property | Description
  PSC_SSLSERVER_PROTOCOLS | Accepts the cryptographic protocol that is set for the agent
  PSC_SSLSERVER_CIPHERS | Accepts the valid cryptographic cipher that is set for the agent. The default value is RC4-SHA:RC4-MD5.
* WebSpeed Agent: In the [Environment.<webspeed_broker>] section of the ubroker.properties file (available at <OpenEdge-install-directory>/properties), you can set the following environment variables:
  Property | Description
  PSC_SSLSERVER_PROTOCOLS | Accepts the cryptographic protocol that is set for the agent
  PSC_SSLSERVER_CIPHERS | Accepts the valid cryptographic cipher that is set for the agent. The default value is RC4-SHA:RC4-MD5.
* OpenEdge Business Process Management:
  * EJB server: In the server.xml file (available at <OEBPM_HOME>/jboss/server/ejbServer/deploy/jbossweb.sar), you can set the following properties:
    Property | Description
    protocol | If you want to change the cryptographic protocol for secure communication with an AppServer, set this property to TLS.
    sslProtocol | Accepts the cryptographic protocol that is set for connecting to the AppServer
    The following code shows how to set the properties.
    <Server>
      ...
      <!-- SSL/TLS Connector configuration using the admin devl guide keystore
      <Connector protocol="TLS"
                 sslProtocol="TLSv1,TLSv1.1,TLSv1.2"
                 ... />
      -->
      ...
    </Server>
  * Portal server: In the server.xml file (available at <OEBPM_HOME>/jboss/server/portalServer/deploy/jbossweb.sar), you can set the following properties:
    Property | Description
    protocol | If you want to change the cryptographic protocol for secure communication with an AppServer, set this property to TLS.
    sslProtocol | Accepts the cryptographic protocol that is set for connecting to the AppServer
    The following code shows how to set the properties.
    <Server>
      ...
      <!-- SSL/TLS Connector configuration using the admin devl guide keystore
      <Connector protocol="TLS"
                 sslProtocol="TLSv1,TLSv1.1,TLSv1.2"
                 ... />
      -->
      ...
    </Server>
* OpenEdge Management and OpenEdge Explorer:
  * WebServer: In the fathom.properties file (available at $DLC/properties), you can set the following environment variables:
    Property | Description
    HttpsEnabled | Enables you to change the cryptographic protocols and ciphers for secure communication with a WebServer. If you enable SSL for the WebServer in OpenEdge Management and OpenEdge Explorer, this property is set to true.
    SSLEnabledProtocols | If you want to change the default cryptographic protocol for the WebServer, enter this property in the fathom.properties file. The property accepts a comma-separated list of valid cryptographic protocols that are set for secure communication.
    SSLEnabledCipherSuites | If you want to change the default cryptographic ciphers for the WebServer, enter this property in the fathom.properties file. The property accepts a comma-separated list of valid cryptographic ciphers that are set for secure communication.
    Additionally, in the fathom.init.params file (available at $DLC), you can set the property ssl.KeyManagerFactory.algorithm=IbmX509. You can set this property only on AIX, AIX (64-bit), and LinuxPPC systems.
    In OpenEdge 11.3.3, OpenEdge Management is configured to use Jetty Web server version 7.6.3. Even if you successfully enable secure communications using the WebServer, you may see the following warning message about the secure connection closing occurring repeatedly in the AdminServer log file:
    ...
    Invoking E-mail action test. Action: Default_Clear_Action, From: admin@domain.com, To: user@domain.com (9614)
    2015-06-19 18:36:27.088:WARN:oeji.nio:javax.net.ssl.SSLException:
    Inbound closed before receiving peer's close_notify: possible truncation attack?
    Invoking E-mail action test. Action: Default_Clear_Action, From: admin@domain.com, To: user@domain.com (9614)
    2015-06-19 18:36:27.518:WARN:oeji.nio:javax.net.ssl.SSLException:
    Inbound closed before receiving peer's close_notify: possible truncation attack?
    ...
    This behavior is expected and these messages can be ignored.
  * Email alerts configuration: In the fathom.properties file (available at $DLC/properties), you can set the following environment variables:
    Property | Description
    SmtpSSLEnabledProtocols | If you want to change the default cryptographic protocol for the email alerts configuration, enter this property in the fathom.properties file. The property accepts a comma-separated list of valid cryptographic protocols that are set for secure communication.
    SmtpSSLEnabledCipherSuites | If you want to change the default cryptographic ciphers for the email alerts configuration, enter this property in the fathom.properties file. The property accepts a comma-separated list of valid cryptographic ciphers that are set for secure communication.
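The WebServer and email-alert tables above both change comma-separated lists in fathom.properties. The following Python script is an added example, not Progress code: it rewrites the four documented properties (SSLEnabledProtocols, SSLEnabledCipherSuites, SmtpSSLEnabledProtocols, SmtpSSLEnabledCipherSuites) in a constructed fathom.properties excerpt, replacing an existing assignment in place, dropping later duplicates of the same key so the new value is the one that takes effect, and reading the file back to confirm the result. It assumes fathom.properties is a flat Java-style key=value properties file; the protocol and cipher-suite values are illustrative choices (standard JSSE names), not Progress defaults, and the check for TLS 1.0/1.1 reflects their deprecation in RFC 8996 rather than anything stated on this page.

```python
"""Apply and verify TLS settings in fathom.properties (OpenEdge Management).

Added example, not Progress code. Assumes fathom.properties is a flat
Java-style properties file (key=value, '#' or '!' comment lines; line
continuations are not handled). The sample content is constructed.
"""
import re

# key, optional '=' or ':' separator, value
_KEY_RE = re.compile(r"^\s*([^#!=:\s]+)\s*[=:]?\s*(.*)$")

# Constructed fathom.properties excerpt: still lists the legacy protocols.
SAMPLE_FATHOM_PROPERTIES = """\
# OpenEdge Management web server settings (constructed sample)
HttpsEnabled=true
SSLEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2
SomeOtherSetting=keep-me
"""

# Documented property names; the values are illustrative choices.
WEB_TLS_SETTINGS = {
    "SSLEnabledProtocols": "TLSv1.2",
    "SSLEnabledCipherSuites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                              "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
SMTP_TLS_SETTINGS = {
    "SmtpSSLEnabledProtocols": "TLSv1.2",
    "SmtpSSLEnabledCipherSuites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# SSLv3 is deprecated by RFC 7568, TLS 1.0 and 1.1 by RFC 8996.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def _key_of(line):
    """Return the property key of a line, or None for blanks and comments."""
    if not line.strip() or line.lstrip().startswith(("#", "!")):
        return None
    m = _KEY_RE.match(line)
    return m.group(1) if m else None


def set_properties(text, updates):
    """Return text with every key in `updates` set exactly once."""
    out, seen = [], set()
    for line in text.splitlines():
        key = _key_of(line)
        if key in updates:
            if key not in seen:            # rewrite the first occurrence in place
                out.append(f"{key}={updates[key]}")
                seen.add(key)
            # Later duplicates are dropped: Java properties keep the last
            # value, so leaving them would silently override the new one.
            continue
        out.append(line)
    for key, value in updates.items():
        if key not in seen:                # property was absent: append it
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def read_properties(text):
    """Parse the file the way a Java properties reader would (last value wins)."""
    props = {}
    for line in text.splitlines():
        key = _key_of(line)
        if key is not None:
            props[key] = _KEY_RE.match(line).group(2).strip()
    return props


def tls_list(value):
    """Split a comma-separated fathom.properties list, ignoring blank entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def legacy_protocols(props, key="SSLEnabledProtocols"):
    """Protocols in the configured list that are deprecated."""
    return [p for p in tls_list(props.get(key, "")) if p in LEGACY_PROTOCOLS]


if __name__ == "__main__":
    before = read_properties(SAMPLE_FATHOM_PROPERTIES)
    print("legacy protocols before:", legacy_protocols(before))
    updated = set_properties(SAMPLE_FATHOM_PROPERTIES,
                             {**WEB_TLS_SETTINGS, **SMTP_TLS_SETTINGS})
    print(updated)
    print("legacy protocols after:", legacy_protocols(read_properties(updated)))
```

Run it against a copy of the real file first and diff the output; the script deliberately leaves every line it does not manage untouched, so the diff should show only the four managed keys.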
* WSDL: To set the protocol and cipher for WSDL, you can set the following parameters in the connection-parameters argument of the client’s CONNECT() method:
  Property | Description
  -sslWSDLProtocols | Accepts a comma-separated list of cryptographic protocols that are set for the web server
  -sslWSDLCiphers | Accepts a comma-separated list of valid cryptographic ciphers that are set for the web server.
* SOAP: To set the protocol and cipher for SOAP, you can set the following parameters in the connection-parameters argument of the client’s CONNECT() method:
  Property | Description
  -sslSOAPProtocols | Accepts a comma-separated list of cryptographic protocols that are set for the web server
  -sslSOAPCiphers | Accepts a comma-separated list of valid cryptographic ciphers that are set for the web server.
Note: Both the AppServer Broker and Agent inherit environment variables (PSC_SSLCLIENT_PROTOCOLS, PSC_SSLCLIENT_CIPHERS, PSC_SSLSERVER_PROTOCOLS, and PSC_SSLSERVER_CIPHERS) from both the AdminServer process and the [Environment.<broker_name>] sections of the ubroker.properties file. The variables in the [Environment.<broker_name>] sections of the ubroker.properties file supersede the variables set by the AdminServer process. If you set these variables in the ubroker.properties file and then use the shell to manually start the AdminServer process, the brokers and agents inherit the variables set in the ubroker.properties file.
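The note above, together with the per-component tables earlier on this page, defines what a broker ends up with: the [Environment.<broker_name>] values win over the AdminServer process environment, PSC_SSLSERVER_CIPHERS falls back to RC4-SHA:RC4-MD5 when neither sets it, and PSC_SSLCLIENT_CIPHERS in [AppServer.<broker_name>] must be accompanied by PSC_SSLSERVER_CIPHERS. The following Python script is an added example, not Progress code: it resolves the effective SSL variables for each broker found in a constructed ubroker.properties excerpt and reports brokers that would run with the RC4 default (RC4 is prohibited for TLS by RFC 7465) or that violate the client/server cipher rule. The broker names and cipher values are constructed, and the script assumes that the client/server rule is satisfied when PSC_SSLSERVER_CIPHERS appears in either the [AppServer.<broker_name>] or the [Environment.<broker_name>] section.

```python
"""Resolve the SSL variables an OpenEdge AppServer broker actually inherits.

Added example, not Progress code. It models two statements from the
documentation: values in [Environment.<broker_name>] of ubroker.properties
supersede the same variables in the AdminServer process environment, and
PSC_SSLSERVER_CIPHERS falls back to RC4-SHA:RC4-MD5 when nothing sets it.
The properties text and broker names below are constructed samples.
"""
import configparser

SSL_VARS = ("PSC_SSLCLIENT_PROTOCOLS", "PSC_SSLCLIENT_CIPHERS",
            "PSC_SSLSERVER_PROTOCOLS", "PSC_SSLSERVER_CIPHERS")
DEFAULT_SERVER_CIPHERS = "RC4-SHA:RC4-MD5"   # documented default

# Constructed ubroker.properties excerpt with three hypothetical brokers.
SAMPLE_UBROKER_PROPERTIES = """\
[AppServer.asbroker1]
PSC_SSLCLIENT_CIPHERS=AES128-SHA256

[Environment.asbroker1]
PSC_SSLSERVER_PROTOCOLS=TLSv1.2
PSC_SSLSERVER_CIPHERS=AES256-GCM-SHA384:AES128-GCM-SHA256

[Environment.asbroker2]
PSC_SSLSERVER_PROTOCOLS=TLSv1.2

[AppServer.asbroker3]
PSC_SSLCLIENT_CIPHERS=AES128-SHA256
"""


def load_properties(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                 # keep PSC_* names case-sensitive
    cp.read_string(text)
    return cp


def broker_names(cp):
    """Brokers named in any [Environment.X] or [AppServer.X] section."""
    return sorted({s.split(".", 1)[1] for s in cp.sections()
                   if s.startswith(("Environment.", "AppServer."))})


def effective_ssl_env(cp, adminserver_env, broker):
    """Variables the broker and its agents inherit, after precedence."""
    env = {k: v for k, v in adminserver_env.items() if k in SSL_VARS}
    section = f"Environment.{broker}"
    if cp.has_section(section):          # file settings win over process env
        for var in SSL_VARS:
            if cp.has_option(section, var):
                env[var] = cp.get(section, var)
    env.setdefault("PSC_SSLSERVER_CIPHERS", DEFAULT_SERVER_CIPHERS)
    return env


def weak_ciphers(openssl_list):
    """Entries of a colon-separated OpenSSL cipher list that use RC4 or MD5."""
    return [c for c in openssl_list.split(":") if "RC4" in c or "MD5" in c]


def audit(cp, adminserver_env):
    """Return (broker, problem, detail) tuples for the whole file."""
    findings = []
    for broker in broker_names(cp):
        env = effective_ssl_env(cp, adminserver_env, broker)
        weak = weak_ciphers(env["PSC_SSLSERVER_CIPHERS"])
        if weak:
            findings.append((broker, "weak-server-ciphers", ":".join(weak)))
        # Documented rule: PSC_SSLCLIENT_CIPHERS in [AppServer.<broker>]
        # requires PSC_SSLSERVER_CIPHERS as well. Assumption of this example:
        # the rule is satisfied when it appears in either section.
        app, envsec = f"AppServer.{broker}", f"Environment.{broker}"
        if cp.has_option(app, "PSC_SSLCLIENT_CIPHERS") and not (
                cp.has_option(app, "PSC_SSLSERVER_CIPHERS")
                or cp.has_option(envsec, "PSC_SSLSERVER_CIPHERS")):
            findings.append((broker, "client-ciphers-without-server-ciphers", ""))
    return findings


if __name__ == "__main__":
    cp = load_properties(SAMPLE_UBROKER_PROPERTIES)
    # An empty AdminServer environment: every unset broker gets the RC4 default.
    for finding in audit(cp, adminserver_env={}):
        print(*finding)
```

Passing the AdminServer's actual environment as `adminserver_env` shows which brokers are only protected by process-level variables, which is exactly the configuration that changes when someone starts the AdminServer from a different shell.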