Hi,
How can I configure my ALM installation for perfect forward secrecy + TLS 1.2?
I can't find anything in the documentation.
Hi Toni,
The basic TLS configuration is described in the ALM installation guide.
For PFS you just need to reduce the allowed cipher suites to the following.
Here's my sample config from jetty-ssl.xml. Don't forget to
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="conf/alm-test.jks"/></Set>
    <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="mysecret"/></Set>
    <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="mysecret"/></Set>
    <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="conf/alm-test.jks"/></Set>
    <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="mysecret"/></Set>
    <Set name="EndpointIdentificationAlgorithm"></Set>
    <!-- Only suites with ephemeral key exchange: one ECDHE suite for TLS 1.2 -->
    <!-- and the TLS 1.3 suites, which always negotiate (EC)DHE               -->
    <Set name="IncludeCipherSuites">
      <Array type="String">
        <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
        <Item>TLS_CHACHA20_POLY1305_SHA256</Item>
        <Item>TLS_AES_256_GCM_SHA384</Item>
      </Array>
    </Set>
    <!-- TLSv1 and TLSv1.1 are not listed and therefore not offered -->
    <Set name="IncludeProtocols">
      <Array type="java.lang.String">
        <Item>TLSv1.2</Item>
        <Item>TLSv1.3</Item>
      </Array>
    </Set>
  </New>
  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the        -->
  <!-- common HttpConfiguration defined in jetty.xml               -->
  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
  <!-- session information                                         -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>
</Configure>
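The answer above restricts Jetty to ECDHE and TLS 1.3 suites. The script below is an added example, not code from the thread or from ALM: it parses a jetty-ssl.xml and reports any IncludeCipherSuites entry whose key exchange is not ephemeral (anything other than an ECDHE/DHE suite or a TLS 1.3 suite) and any legacy protocol left in IncludeProtocols. The embedded sample XML is constructed and deliberately contains one RSA key-exchange suite and TLSv1 so the check has something to flag.

```python
# Added example (not from the thread): check a jetty-ssl.xml for forward
# secrecy by inspecting the SslContextFactory's IncludeCipherSuites and
# IncludeProtocols arrays; pass the real file's text to check_pfs().
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the posted config, with one RSA
# key-exchange suite and one legacy protocol added so the checker flags them.
SAMPLE_XML = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="IncludeCipherSuites"><Array type="String">
      <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
      <Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
      <Item>TLS_AES_256_GCM_SHA384</Item>
    </Array></Set>
    <Set name="IncludeProtocols"><Array type="java.lang.String">
      <Item>TLSv1</Item>
      <Item>TLSv1.2</Item>
    </Array></Set>
  </New>
</Configure>"""

# TLS 1.3 suite names carry no key-exchange token; TLS 1.3 always uses (EC)DHE.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                "TLS_CHACHA20_POLY1305_SHA256"}
PFS_KX = re.compile(r"^TLS_(ECDHE|DHE)_")   # ephemeral key exchange in TLS 1.2
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def _items(root, set_name):
    """Return the <Item> strings under <Set name=set_name><Array>."""
    path = f".//Set[@name='{set_name}']/Array/Item"
    return [i.text.strip() for i in root.iterfind(path) if i.text]


def check_pfs(xml_text):
    """Return (suites without forward secrecy, legacy protocols enabled)."""
    root = ET.fromstring(xml_text)
    suites = _items(root, "IncludeCipherSuites")
    protos = _items(root, "IncludeProtocols")
    non_pfs = [s for s in suites if s not in TLS13_SUITES and not PFS_KX.match(s)]
    legacy = [p for p in protos if p in LEGACY_PROTOCOLS]
    return non_pfs, legacy


if __name__ == "__main__":
    # Sample result: (['TLS_RSA_WITH_AES_128_GCM_SHA256'], ['TLSv1'])
    print(check_pfs(SAMPLE_XML))
```

An empty result for both lists means every configured suite provides forward secrecy and no pre-TLS 1.2 protocol is offered.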