TLS Security Configuration
HCL Local License Server (LLS) supports secure SSL communication over TLS 1.3 protocol and provides backward compatibility for TLS 1.2 protocol. Making changes to the TLS Security Configuration is optional and can be done either before or after LLS is installed. Default configuration uses TLS 1.3 for enhanced security. FQDN (Fully Qualified Domain Name) validation is recommended when generating or using certificates to avoid connectivity issues between LLS and clients.
Before you begin
-
You have downloaded the installer package. See Downloading the installer package.
-
Ensure that the FQDN (Fully Qualified Domain Name) of the host machine is configured correctly. This FQDN must match the Common Name (CN) in the TLS certificate to avoid connectivity issues between the server and clients.
About this task
LLS supports SSL communication to happen over TLS 1.3 and TLS 1.2 for backward compatibility.
By default, LLS runs in SECURED mode, where it allows SSL communication over TLS 1.2 protocol using strong cipher suites only, and also supports TLS 1.3 connections.
Version 5.3 introduces enhanced FQDN validation and improved default security handling when generating certificates using the built-in tlsutil utility.
OpenSSL configuration steps from previous versions are no longer required.
TLS Configuration Modes
| Mode | Description |
|---|---|
| BASIC | Allows SSL communication over TLS 1.2 with all cipher suites and also supports TLS 1.3 protocol connections. This setting is not recommended for modern environments but can be used for legacy systems requiring broader cipher support. |
| SECURED (Default) | Allows SSL communication over TLS 1.2 protocol with strong cipher suites only, and also supports TLS 1.3 connections. |
| MODERN | Allows SSL communication over TLS 1.3 only, with automatic cipher selection for maximum security. |
Procedure
-
Extract the installer package:
- On Windows, use a zip program such as WinZip or 7-Zip.
- On Linux, enter the following
command:
tar -xvzf packageName
- Go to the directory where the config.json file is located.
-
In the config.json file the tls_mode is set to SECURED.
"security": { "tls_mode": "SECURED", } - Modify the tls_mode value to BASIC, SECURED, or MODERN, as required for your configuration.
-
Save the file after making the changes.
"TLS configuration modes:", BASIC - TLS 1.2 with all cipher suites and also supports TLS 1.3 protocol connections. SECURED - TLS 1.2 with strong cipher suites only and also supports TLS 1.3 connections. MODERN - TLS 1.3 only, with automatic cipher selection.Restarting the LLS Service
You must restart the LLS service whenever changes are made to the config.json file after installation.
-
On Windows, open Windows Services (services.msc) to start, stop, or restart the HCL Local License Server service.
On Linux, run the following commands:
systemctl stop HCL-Local-License-Server-5.3.service systemctl start HCL-Local-License-Server-5.3.service systemctl restart HCL-Local-License-Server-5.3.service
Note:The service name has been updated to HCL-Local-License-Server-5.3.service to reflect the new version.
-