IBM Support

How to enable and use TLS1.2 Only properly for Sterling B2B Integrator in Non-NIST mode?

Technical Blog Post


Body

I have been getting this type of question quite a bit recently, as more business partners are moving to the more secure platform of utilizing TLS 1.2 for SSL communications.

Note that Sterling B2B Integrator negotiates SSL communication starting with the more secure protocol version and works downward to the lower, less secure protocol versions if those options are available.

For example: TLS 1.2, then TLS 1, and so on.

In short, here is how to do it:

You can find the list of supported cipher suites in your <install_directory>\install\properties\security.properties file if you are on 5020402+ builds.

For example:

#SSL Customizable Settings

# WeakCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA
# StrongCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA
# AllCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA
# JDKCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA

StrongTLS1.2OnlyCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256

SSLHelloProtocol=TLS1-TLS1.2

Next, add the following to the <install_directory>\install\properties\customer_overrides.properties file:

security.WeakCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256
security.StrongCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256
security.AllCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256
security.JDKCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256

security.SSLHelloProtocol=TLS1.2

Save the file and restart your Sterling B2B Integrator for the changes to take effect.
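One way to check the edited customer_overrides.properties before the restart, as an added example that is not IBM's code: it parses the file text and reports any of the five overrides shown above that is missing, still allows TLS 1, or still lists a cipher suite usable below TLS 1.2. The name-suffix test for TLS 1.2-only suites is a heuristic assumption, and the sample file contents are constructed.

```python
# Added example: audit customer_overrides.properties text for TLS 1.2-only settings.
CIPHER_KEYS = ("security.WeakCipherSuite", "security.StrongCipherSuite",
               "security.AllCipherSuite", "security.JDKCipherSuite")
PROTOCOL_KEY = "security.SSLHelloProtocol"


def parse_properties(text):
    """Parse key=value lines; '#' lines are comments, the last duplicate wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()  # also drops trailing spaces left by copy and paste
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def is_tls12_only(suite):
    # Assumption (heuristic): suite names ending in _SHA256/_SHA384 were
    # introduced with TLS 1.2; names ending in plain _SHA also work with TLS 1.
    return suite.endswith(("_SHA256", "_SHA384"))


def audit(text):
    """Return a list of findings; an empty list means the overrides match the page."""
    props, findings = parse_properties(text), []
    if props.get(PROTOCOL_KEY) != "TLS1.2":
        findings.append(f"{PROTOCOL_KEY} is {props.get(PROTOCOL_KEY)!r}, expected 'TLS1.2'")
    for key in CIPHER_KEYS:
        if key not in props:
            findings.append(f"{key} is not set in the overrides")
            continue
        for suite in props[key].split(","):
            if suite.strip() and not is_tls12_only(suite.strip()):
                findings.append(f"{key} still lists {suite.strip()}")
    return findings


# Constructed sample inputs (not taken from a real installation).
SUITES = "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"
GOOD = "".join(f"{k}={SUITES}\n" for k in CIPHER_KEYS) + f"{PROTOCOL_KEY}=TLS1.2\n"
BAD = (GOOD.replace("security.JDKCipherSuite=", "#security.JDKCipherSuite=")
           .replace("=TLS1.2\n", "=TLS1-TLS1.2\n")
       + "security.AllCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256\n")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(sample) or "OK")
```

This only inspects the file; confirming what a running instance actually negotiates still needs a packet capture.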

The above changes will affect the following SSL Communications:

1.  FTP/S

2.  HTTP/S

3.  AS2 with SSL Must Enabled

4.  Swiftnet with SSL Must Enabled

The changes do not affect Connect:Direct with Secure Plus setups, since we hard-code the values for usage.

Connect:Direct with Secure Plus setup can all be maintained within the Sterling B2B Integrator dashboard configurations when you edit the Sterling Connect:Direct Server Adapter and the related Node setup.

However, the changes here will affect all of your SSL communications with other business partners that still require lower TLS or SSL versions.

For a successful SSL/TLS handshake to happen, a few things must be in place to begin with:

1.  Matching certificates in use
2.  SSL/TLS version match
3.  Cipher suites match
4.  One-way (server authentication) vs. two-way (client authentication) SSL/TLS handshake setup match

NOTE:  You cannot see the SSL/TLS version details unless you capture the SSL/TLS traffic with a network packet capture tool, e.g. Wireshark, tcpdump, etc.

And what about the dashboard base port+1 TLS1.2 Only access?

For that, starting from SB2BI 5020500_7 build and above, we have made a code fix to address the issue.

See details here:  IT10038: BASE SSL PORT does not support TLS 1.2 ONLY ACCESS

And here is the How to enable specific strong Ciphers while accessing Dashboard on baseport+1.

If you have more questions that would require in depth research, please open a Service Request / PMR with us.  We will be here to further assist you!


UID

ibm11120587