MCU 2.5.1 uses Jetty as its backend HTTP web server. Jetty relies on Java for its security protocols, such as TLS and its cipher suites. To add support for the TLSv1.1 and TLSv1.2 protocols, customers will need to update the Java JRE that MCU uses to a version that supports those protocols.
Oracle Java JRE 1.6.0_111 added support for TLSv1.1 and Oracle Java JRE 1.6.0_121 added support for TLSv1.2. (OpenJDK cannot be used, because a bug in OpenJDK 1.6.0.34 and higher affects MCU 2.5.1.)
RESOLUTION 1:
Upgrade to MCU 2.5.2 available on the Support Portal.
WORKAROUND 1:
NOTE: Oracle JRE 1.6.0_121 and later can be downloaded from Oracle, but an active Oracle support agreement is required to do so.
Java 1.8 will not work with MCU version 2.5.1.
Install the latest Oracle JRE 6
Stop the MCU service
Configure MCU to use the newer JRE 6
LINUX:
Update the JRE path contained in the file /opt/quest/mcu/.install4j/inst_jre.cfg to point to the location of Oracle Java JRE 1.6.0_121 or higher.
EXAMPLE:
Change /usr/local/java/jre1.6.0_45 to /usr/local/java/jre1.6.0_161
WINDOWS:
Step 1 – Stop the MCU service, then rename the jre folder to something else (JreOld would suffice):
C:\Program Files (x86)\Quest Software\Management Console for Unix\jre
Step 2 – Define the EXE4J_JAVA_HOME variable in the environment variables. Please see the screenshot below.
Update jetty.xml to disable the protocols that are not wanted (TLSv1, SSLv3, etc.) by enabling only the protocols that are wanted.
You can enable protocols by setting IncludeProtocols under the sslContextFactory in the MCU jetty.xml file.
This file can be found at:
WINDOWS:
C:\Program Files (x86)\Quest Software\Management Console for Unix\etc\jetty.xml
LINUX:
/opt/quest/mcu/etc/jetty.xml
EXAMPLE:
When IncludeProtocols is set, only the protocols in the IncludeProtocols list will be considered by Jetty.
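The fragment below is an added illustration of that setting, not a copy of the jetty.xml shipped with MCU: it shows the sslContextFactory element before and after IncludeProtocols is added. The class name, keystore settings and file paths are assumptions and will differ in your file; only the IncludeProtocols block is the change this article describes.

```xml
<!-- BEFORE (assumed shape of the existing element): no IncludeProtocols,
     so Jetty offers every protocol the JRE supports, including SSLv3 and TLSv1. -->
<New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
  <Set name="KeyStore"><Property name="jetty.home" default="."/>/etc/keystore</Set>   <!-- assumed path -->
  <Set name="KeyStorePassword">CHANGEME</Set>                                         <!-- placeholder -->
</New>

<!-- AFTER: IncludeProtocols restricts the offered protocols to TLSv1.1 and TLSv1.2.
     Anything not listed here (SSLv2Hello, SSLv3, TLSv1) is no longer considered. -->
<New id="sslContextFactory" class="org.eclipse.jetty.http.ssl.SslContextFactory">
  <Set name="KeyStore"><Property name="jetty.home" default="."/>/etc/keystore</Set>   <!-- assumed path -->
  <Set name="KeyStorePassword">CHANGEME</Set>                                         <!-- placeholder -->
  <Set name="IncludeProtocols">
    <Array type="java.lang.String">
      <Item>TLSv1.1</Item>
      <Item>TLSv1.2</Item>
    </Array>
  </Set>
</New>
```

After restarting MCU, the "Enabled Protocols" line described in the validation step below should list only TLSv1.1 and TLSv1.2; if the JRE in use predates 1.6.0_121, TLSv1.2 will be missing from the "of [...]" list and cannot be enabled by configuration alone.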
Validate that the new JRE is being used and that the desired Protocols are in use by running MCU from a command line.
WINDOWS:
Open cmd.exe and run
> "C:\Program Files (x86)\Quest Software\Management Console for Unix\run_server.exe"
LINUX:
As root or with root privileges
Open terminal and run
$ /opt/quest/mcu/run_server.sh
When the MCU server has finished loading, look for a line similar to:
oejhs.SslContextFactory:Enabled Protocols [TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
This shows that the protocols TLSv1.1 and TLSv1.2 have been enabled out of the supported set SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2.
A newer license file will be needed for MCU to work with the updated JRE; to get a new license, please contact support.
When attempting to access MCU with an updated JRE 6, an HTTP ERROR 503 will be displayed.
The MCU logs will display the message com.dstc.security.util.licensing.InvalidLicense: Error verifying license: Invalid encoding for signature.
To fix this, a new license file will be needed.
You can download a newer jetty.xml with only the TLSv1.1 and TLSv1.2 protocols enabled, and with a list of recommended strong cipher suites included, by clicking on the jetty.xml link here.