Configure SSL/TLS Ciphers and Security Settings at JVM level


Environment

  • Red Hat JBoss Enterprise Application Platform
  • Java
    • 7
    • 8
    • 11
  • SSL/TLS

Issue

  • Disable weak ciphers
  • Configure java security settings

Resolution

Cipher suites and protocols can be disabled at the JVM level with the "jdk.tls.disabledAlgorithms" security property in the java.security file. For Java 8 and earlier, this file is located at $JAVA_HOME/jre/lib/security/java.security (or $JAVA_HOME/lib/security/java.security when $JAVA_HOME points at a JRE rather than a JDK). For Java 9 and later, it is located at $JAVA_HOME/conf/security/java.security. The jdk.tls.disabledAlgorithms property is available since OpenJDK 7 and Oracle 6u91. Other security properties can be set in the same file. The file is read once when the JVM starts, so the JVM (for example the JBoss EAP server process) must be restarted for a change to take effect, and the setting applies to every SSLContext the JVM creates, on both the client and the server side.

For example, to disable all RC4 cipher suites and the SSLv3 protocol:

jdk.tls.disabledAlgorithms=RC4,SSLv3

You can also disable a specific cipher suite by its full name. For example, this disables one suite only:

jdk.tls.disabledAlgorithms=TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

Note that the value you set replaces the whole default list shipped in java.security (which already disables a number of weak algorithms and key sizes), so copy the default entries and append to them rather than writing only the new entries.

You can also provide an alternate java.security file by setting the system property java.security.properties on the java command line. For JBoss EAP, add the -D option to JAVA_OPTS in standalone.conf or domain.conf.

If you use two equals signs, "==", the specified file replaces the entire default java.security file. For example:

java -Djava.security.properties==/path/to/replacement/java.security.properties

If you use a single "=", the specified file is loaded after the default file: properties that exist only in the additional file are added, and properties that appear in both take the value from the additional file. For example:

java -Djava.security.properties=/path/to/additional/java.security.properties

Note that if security.overridePropertiesFile=false is set in the default java.security file, java.security.properties is ignored and the override will fail. The default is true.
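The following script is an added example and is not part of the original article or of any JBoss EAP or JDK tooling. It builds an additional properties file for use with a single "=" in -Djava.security.properties, in a way that avoids the trap described above: it reads the current jdk.tls.disabledAlgorithms value out of an existing java.security file (joining the backslash-continued lines the stock file uses), appends the entries you want to disable, drops duplicates, and writes the merged line to a new file. The sample java.security it operates on is constructed here for the demonstration and is not a copy of any real JDK file; the file names and the disabled entries are assumptions.

```shell
#!/bin/sh
# Added example: extend, rather than replace, the JVM's default
# jdk.tls.disabledAlgorithms list when overriding it via
# -Djava.security.properties=<file> (single "=").

# Print the value of one security property from a java.security file.
# The stock file splits long values over several lines ending in "\",
# so continued lines are joined before the key is matched. Commented-out
# copies of the key (lines starting with "#") are ignored.
get_security_property() {
    file="$1"; key="$2"
    awk -v key="$key" '
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0; next }
        {
            line = buf $0; buf = ""
            if (line ~ ("^[[:space:]]*" key "[[:space:]]*=")) {
                sub("^[[:space:]]*" key "[[:space:]]*=[[:space:]]*", "", line)
                print line
            }
        }
    ' "$file"
}

# Merge a comma-separated value with extra entries: trim each entry,
# drop empty and duplicate entries, keep the original order, and print
# the result as one comma-separated line (the format java.security expects).
merge_disabled_algorithms() {
    current="$1"; extra="$2"
    printf '%s,%s\n' "$current" "$extra" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | awk 'NF && !seen[$0]++' \
        | paste -s -d ',' -
}

# Write an additional properties file whose jdk.tls.disabledAlgorithms is
# the default list from $1 plus the entries in $2.
write_override() {
    default_file="$1"; extra="$2"; out="$3"
    current=$(get_security_property "$default_file" jdk.tls.disabledAlgorithms)
    merged=$(merge_disabled_algorithms "$current" "$extra")
    printf 'jdk.tls.disabledAlgorithms=%s\n' "$merged" > "$out"
}

# Constructed sample resembling the layout of a stock java.security file
# (assumption: not copied from any real JDK; entries chosen for the demo).
write_sample_default() {
    cat > "$1" <<'EOF'
# constructed sample, not a real JDK file
security.overridePropertiesFile=true
# jdk.tls.disabledAlgorithms=OLD_COMMENTED_OUT_VALUE
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, 3DES_EDE_CBC
jdk.certpath.disabledAlgorithms=MD2, MD5
EOF
}

# Demonstration: disable RC4, SSLv3 and one specific suite on top of the
# defaults, then show the java command line that would load the result.
workdir=$(mktemp -d)
write_sample_default "$workdir/java.security"
write_override "$workdir/java.security" \
    "RC4, SSLv3, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" \
    "$workdir/tls-hardening.properties"
cat "$workdir/tls-hardening.properties"
echo "java -Djava.security.properties=$workdir/tls-hardening.properties -jar app.jar"
```

The merged line keeps every entry of the default list (including the key-size limits, which would otherwise be lost) and adds only the entries that are not already present. Run the JVM once with -Djavax.net.debug=ssl:handshake to confirm that the removed suites no longer appear in the ClientHello or ServerHello.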

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.