Supported TLS and SSL protocols and ciphers
HCL Launch supports multiple SSL protocols and ciphers for communication between servers.
HCL Launch supports the TLSv1.2 and TLSv1.3 protocols. HCL Launch supports the SSLv3 protocol only if older agents require its use. See Upgrading agents.
- Limiting and disabling SSL and TLS protocols and ciphers is done at the JVM level rather than the application level.
- Support for TLSv1.0 and TLSv1.1 is deprecated.
HCL Launch uses SSL for communication between the web UI and the server and between servers that use ActiveMQ. The SSL certificates that control both types of communication use the Java™ KeyStore (JKS) format. The certificates are generated with a 2048-bit RSA key and are signed with the SHA256withRSA algorithm.
- By default, the web UI connects on port 8443. Its certificate is in the opt/tomcat/conf/tomcat.keystore keystore file. See SSL configuration.
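The following script is an added example, not HCL Launch code. It verifies that the web UI keystore holds what this page describes (a JKS store with a 2048-bit RSA private key whose certificate is signed with SHA256withRSA) by running the JDK's `keytool -list -v` and parsing its output. The keystore path is the one given above; the store password is an assumed placeholder; `SAMPLE_LISTING` is a constructed excerpt of keytool output so the parser can be exercised without a keystore, and the `Subject Public Key Algorithm` line it relies on is printed by newer keytool versions.

```python
"""Check an HCL Launch web UI keystore against the page's description:
JKS format, 2048-bit RSA key, SHA256withRSA signature.

Added example, not HCL Launch code. Drives `keytool -list -v` and parses
the listing; falls back to a constructed sample when keytool is absent.
"""
import re
import subprocess

KEYSTORE = "opt/tomcat/conf/tomcat.keystore"   # location given on this page
STOREPASS = "<store-password>"                 # assumed placeholder, supply your own

# Constructed excerpt of `keytool -list -v` output (not captured from a real system).
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=launch.example.test, O=Example
Issuer: CN=launch.example.test, O=Example
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Tue Dec 31 00:00:00 UTC 2024
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
"""

# What this page says the generated keystore contains.
EXPECTED = {"store_type": "JKS", "key_algorithm": "RSA", "key_bits": 2048,
            "signature": "SHA256withRSA"}


def parse_listing(text):
    """Extract store type, entry type, key algorithm/size and signature algorithm."""
    def first(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1) if m else None

    bits = first(r"^Subject Public Key Algorithm:\s*(\d+)-bit")
    return {
        "store_type": first(r"^Keystore type:\s*(\S+)"),
        "entry_type": first(r"^Entry type:\s*(\S+)"),
        "key_algorithm": first(r"^Subject Public Key Algorithm:\s*\d+-bit\s+(\S+)"),
        "key_bits": int(bits) if bits else None,
        "signature": first(r"^Signature algorithm name:\s*(\S+)"),
        "not_after": first(r"until:\s*(.+)$"),
    }


def check(parsed, expected=EXPECTED):
    """Return a list of mismatches; an empty list means the keystore matches the page."""
    problems = []
    for key, want in expected.items():
        if parsed.get(key) != want:
            problems.append(f"{key}: expected {want!r}, found {parsed.get(key)!r}")
    if parsed.get("entry_type") != "PrivateKeyEntry":
        problems.append("no PrivateKeyEntry found; a trusted-cert entry cannot terminate TLS")
    return problems


def list_keystore(path=KEYSTORE, storepass=STOREPASS):
    """Run keytool -list -v on the keystore and return its text output."""
    cmd = ["keytool", "-list", "-v", "-keystore", path,
           "-storetype", "JKS", "-storepass", storepass]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    try:
        listing = list_keystore()
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"keytool unavailable ({exc}); checking the constructed sample instead")
        listing = SAMPLE_LISTING
    problems = check(parse_listing(listing))
    print("OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it on the HCL Launch host with the real store password; a non-empty problem list (for example a 1024-bit key or a SHA1withRSA signature left over from an old deployment) is what to look for before an audit rather than after one.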
The list of SSL ciphers you can use depends on which ciphers are supported by the Java crypto provider of the JRE on which you installed your HCL Launch server, relay, and agent.
- Cipher suites supported by IBM Java 8 with the IBMJSSE2 crypto provider: https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/ciphersuites.html
- Cipher suites supported by Oracle/OpenJDK Java 8 with the SUN crypto provider: https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites
The following SSL cipher suites are enabled by default:
- AES_256_GCM_SHA384
- AES_128_GCM_SHA256
- AES_128_CCM_8_SHA256
- AES_128_CCM_SHA256
- CHACHA20_POLY1305_SHA256
- ECDH_ECDSA_WITH_AES_128_CBC_SHA
- ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- ECDH_ECDSA_WITH_AES_256_CBC_SHA
- ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- ECDH_ECDSA_WITH_AES_256_GCM_SHA384
- ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- ECDH_RSA_WITH_AES_128_CBC_SHA
- ECDH_RSA_WITH_AES_128_CBC_SHA256
- ECDH_RSA_WITH_AES_128_GCM_SHA256
- ECDH_RSA_WITH_AES_256_CBC_SHA
- ECDH_RSA_WITH_AES_256_CBC_SHA384
- ECDH_RSA_WITH_AES_256_GCM_SHA384
- ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- ECDHE_RSA_WITH_AES_128_CBC_SHA
- ECDHE_RSA_WITH_AES_128_CBC_SHA256
- ECDHE_RSA_WITH_AES_128_GCM_SHA256
- ECDHE_RSA_WITH_AES_256_CBC_SHA
- ECDHE_RSA_WITH_AES_256_CBC_SHA384
- ECDHE_RSA_WITH_AES_256_GCM_SHA384
- ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- RSA_WITH_AES_128_CBC_SHA
- RSA_WITH_AES_128_CBC_SHA256
- RSA_WITH_AES_128_GCM_SHA256
- RSA_WITH_AES_256_CBC_SHA
- RSA_WITH_AES_256_CBC_SHA256
- RSA_WITH_AES_256_GCM_SHA384
- RSA_WITH_CAMELLIA_128_CBC_SHA
- RSA_WITH_CAMELLIA_128_CBC_SHA256
- RSA_WITH_CAMELLIA_256_CBC_SHA
- RSA_WITH_CAMELLIA_256_CBC_SHA256
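Because protocols and ciphers are limited at the JVM level, the practical question for an operator is which of the suites above survive a given `jdk.tls.disabledAlgorithms` value in the JRE's java.security file, and what properties the survivors have. The script below is an added example, not HCL Launch or JDK code: `DEFAULT_SUITES` is the list from this page, `EXAMPLE_POLICY` is a constructed hardening policy (not a vendor recommendation), and the token matcher is a simplified model of how java.security tokens apply to suite names (a token matches a whole `_`-delimited run of a name), which is an assumption to confirm against the JDK you actually run.

```python
"""Audit the HCL Launch default cipher suites against a JVM
jdk.tls.disabledAlgorithms policy.

Added example, not HCL Launch or JDK code. The disabled-algorithm matcher
is a simplified model of the JDK's behaviour (assumption): a token disables
a suite when it matches a complete '_'-delimited component run of the name.
"""

# The page's default list; TLS 1.3 names carry no key-exchange part.
DEFAULT_SUITES = """
AES_256_GCM_SHA384 AES_128_GCM_SHA256 AES_128_CCM_8_SHA256 AES_128_CCM_SHA256
CHACHA20_POLY1305_SHA256
ECDH_ECDSA_WITH_AES_128_CBC_SHA ECDH_ECDSA_WITH_AES_128_CBC_SHA256
ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ECDH_ECDSA_WITH_AES_256_CBC_SHA
ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ECDH_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
ECDH_RSA_WITH_AES_128_CBC_SHA ECDH_RSA_WITH_AES_128_CBC_SHA256
ECDH_RSA_WITH_AES_128_GCM_SHA256 ECDH_RSA_WITH_AES_256_CBC_SHA
ECDH_RSA_WITH_AES_256_CBC_SHA384 ECDH_RSA_WITH_AES_256_GCM_SHA384
ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE_ECDSA_WITH_AES_256_CBC_SHA
ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE_RSA_WITH_AES_128_CBC_SHA256
ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE_RSA_WITH_AES_256_CBC_SHA
ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
RSA_WITH_AES_128_CBC_SHA RSA_WITH_AES_128_CBC_SHA256 RSA_WITH_AES_128_GCM_SHA256
RSA_WITH_AES_256_CBC_SHA RSA_WITH_AES_256_CBC_SHA256 RSA_WITH_AES_256_GCM_SHA384
RSA_WITH_CAMELLIA_128_CBC_SHA RSA_WITH_CAMELLIA_128_CBC_SHA256
RSA_WITH_CAMELLIA_256_CBC_SHA RSA_WITH_CAMELLIA_256_CBC_SHA256
""".split()

PROTOCOLS = ["TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"]

# Constructed hardening policy: drop legacy protocols, static ECDH key
# exchange, CBC modes and Camellia. Not a vendor recommendation.
EXAMPLE_POLICY = "SSLv3, TLSv1, TLSv1.1, ECDH, CBC, CAMELLIA"


def classify(suite):
    """Describe a suite by TLS version, key exchange, forward secrecy and AEAD use."""
    if "_WITH_" not in suite:
        # TLS 1.3 suites name only cipher and hash; key exchange is always (EC)DHE.
        return {"version": "TLSv1.3", "kx": "(EC)DHE", "forward_secrecy": True, "aead": True}
    kx, cipher = suite.split("_WITH_", 1)
    kx_name = kx.split("_")[0]   # ECDHE_RSA -> ECDHE, ECDH_ECDSA -> ECDH, RSA -> RSA
    return {
        "version": "TLSv1.2",
        "kx": kx_name,
        "forward_secrecy": kx_name in ("ECDHE", "DHE"),
        "aead": any(tag in cipher for tag in ("_GCM_", "_CCM", "POLY1305")),
    }


def parse_policy(policy):
    """Split a jdk.tls.disabledAlgorithms value into algorithm-name tokens.

    Constraints such as 'keySize < 1024' are dropped: this model reasons
    about names only, not key sizes.
    """
    return [e.strip().split()[0] for e in policy.split(",") if e.strip()]


def suite_disabled(suite, tokens):
    """A token disables a suite when it matches a whole component run of the name."""
    padded = f"_{suite}_"
    return any(f"_{tok}_" in padded for tok in tokens)


def enabled_protocols(policy, protocols=PROTOCOLS):
    tokens = parse_policy(policy)
    return [p for p in protocols if p not in tokens]


def enabled_suites(policy, suites=DEFAULT_SUITES):
    tokens = parse_policy(policy)
    return [s for s in suites if not suite_disabled(s, tokens)]


def audit(policy, suites=DEFAULT_SUITES):
    """Summarise what survives the policy and which survivors are still weak."""
    kept = enabled_suites(policy, suites)
    return {
        "protocols": enabled_protocols(policy),
        "enabled": kept,
        "removed": len(suites) - len(kept),
        "no_forward_secrecy": [s for s in kept if not classify(s)["forward_secrecy"]],
        "non_aead": [s for s in kept if not classify(s)["aead"]],
    }


if __name__ == "__main__":
    result = audit(EXAMPLE_POLICY)
    print("protocols:", ", ".join(result["protocols"]))
    print(f"suites kept: {len(result['enabled'])}, removed: {result['removed']}")
    for s in result["no_forward_secrecy"]:
        print("kept but no forward secrecy:", s)
```

The instructive result is in `no_forward_secrecy`: the example policy removes every CBC and static-ECDH suite, yet the two `RSA_WITH_AES_*_GCM_*` suites survive, because a bare `RSA` token would also remove the `ECDHE_RSA` suites that use RSA only for authentication. In this model you can name a full suite as a token to remove it precisely; check the comments in your JDK's java.security file for what that JDK accepts.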