ALM QC - Jetty PFS Configuration

Hi,

How can I configure my ALM installation for perfect forward secrecy + TLS 1.2?

I can't find anything in the documentation.

  • Suggested Answer

    Hi Toni,

    The basic TLS configuration is described in the ALM installation guide.

    For PFS you just need to reduce the allowed cipher suites to the following:

    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

    Here's my sample config from jetty-ssl.xml. Don't forget to

    <Configure id="Server" class="org.eclipse.jetty.server.Server">

        <!-- TLS context: keystore, truststore and the cipher suite / protocol restriction -->
        <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
            <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="conf/alm-test.jks"/></Set>
            <!-- sample passwords; supply the real ones via the jetty.*.password properties -->
            <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="mysecret"/></Set>
            <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="mysecret"/></Set>
            <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="conf/alm-test.jks"/></Set>
            <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="mysecret"/></Set>
            <Set name="EndpointIdentificationAlgorithm"></Set>
            <!-- Only suites with ephemeral key exchange: one TLS 1.2 ECDHE suite plus the TLS 1.3 suites -->
            <Set name="IncludeCipherSuites">
                <Array type="String">
                    <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
                    <Item>TLS_CHACHA20_POLY1305_SHA256</Item>
                    <Item>TLS_AES_256_GCM_SHA384</Item>
                </Array>
            </Set>
            <!-- No TLS 1.0 / 1.1 -->
            <Set name="IncludeProtocols">
                <Array type="java.lang.String">
                    <Item>TLSv1.2</Item>
                    <Item>TLSv1.3</Item>
                </Array>
            </Set>
        </New>

        <!-- =========================================================== -->
        <!-- Create a TLS specific HttpConfiguration based on the        -->
        <!-- common HttpConfiguration defined in jetty.xml               -->
        <!-- Add a SecureRequestCustomizer to extract certificate and    -->
        <!-- session information                                         -->
        <!-- =========================================================== -->
        <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
            <Arg><Ref refid="httpConfig"/></Arg>
            <Call name="addCustomizer">
                <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
            </Call>
        </New>

    </Configure>
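An added check, not part of this answer and not ALM or Jetty code: a small Python linter that parses a jetty-ssl.xml fragment and flags every IncludeCipherSuites entry without ephemeral key exchange and every IncludeProtocols entry older than TLS 1.2. The sample XML and its weakened variant are constructed for the demonstration; the function names are my own.

```python
import xml.etree.ElementTree as ET
# Constructed sample (not the page's file): the cipher/protocol part of a
# Jetty jetty-ssl.xml in the same shape as the answer above.
STRONG_CONFIG = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="IncludeCipherSuites">
      <Array type="String">
        <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
        <Item>TLS_CHACHA20_POLY1305_SHA256</Item>
        <Item>TLS_AES_256_GCM_SHA384</Item>
      </Array>
    </Set>
    <Set name="IncludeProtocols">
      <Array type="java.lang.String">
        <Item>TLSv1.2</Item>
        <Item>TLSv1.3</Item>
      </Array>
    </Set>
  </New>
</Configure>"""

# Constructed weakened variant: a static-RSA CBC suite and TLSv1.1 slipped in.
WEAK_CONFIG = STRONG_CONFIG.replace(
    "<Item>TLS_AES_256_GCM_SHA384</Item>",
    "<Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>").replace(
    "<Item>TLSv1.3</Item>", "<Item>TLSv1.1</Item>")

# TLS 1.3 suite names carry no key-exchange part; TLS 1.3 is always (EC)DHE.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}

def _items(root, set_name):
    # All <Item> values below the <Set name=...> element of the SslContextFactory.
    return [i.text.strip() for i in root.findall(f".//Set[@name='{set_name}']//Item")]

def suite_has_pfs(name):
    """True if the suite uses ephemeral key exchange (TLS 1.3, or TLS 1.2 ECDHE/DHE)."""
    return name in TLS13_SUITES or name.startswith(("TLS_ECDHE_", "TLS_DHE_"))

def audit_jetty_ssl(xml_text):
    """Return findings as strings; an empty list means PFS-only suites and TLS >= 1.2."""
    root = ET.fromstring(xml_text)
    findings = []
    suites = _items(root, "IncludeCipherSuites")
    if not suites:
        findings.append("IncludeCipherSuites not set: the JVM default list applies")
    findings += [f"non-PFS cipher suite: {s}" for s in suites if not suite_has_pfs(s)]
    findings += [f"legacy protocol enabled: {p}" for p in _items(root, "IncludeProtocols")
                 if p not in ("TLSv1.2", "TLSv1.3")]
    return findings
```

Run it against the real jetty-ssl.xml with `audit_jetty_ssl(open(path).read())`; the check only reads the include lists, so a suite the JVM does not support would still have to be verified with a handshake against the running server.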