The material that follows explains how to enforce the usage of TLSv1.2.
Environment

Enforcing TLS 1.2 is possible if the UrbanCode Deploy server, relay, and agent are running a JVM version that supports this protocol. For more information on such JVM versions, see the Oracle JRE and JDK Cryptographic Roadmap. For connections to external tools (LDAP servers, database servers, and the middleware that the plug-ins deploy to), note that those connections fail if the external tools do not support TLSv1.2 after you enforce it as the only supported protocol in UrbanCode Deploy.
UrbanCode Deploy Server: HTTPS protocol

The HTTPS protocol is configured in this file: <server>/opt/tomcat/conf/server.xml. This file contains the following relevant entry:

    <Connector port="${install.server.web.https.port}"
               address="${install.server.web.ip}"
               server="SERVER"
               maxThreads="150"
               enableLookups="false"
               acceptCount="100"
               debug="0"
               connectionTimeout="20000"
               disableUploadTimeout="true"
               compression="1024"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/javascript,text/css,text/plain,application/json"
               algorithm="${install.server.ssl.algorithm}"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false"
               URIEncoding="UTF-8"
               ciphers="${install.server.ssl.enabledCiphers}"
               sslEnabledProtocols="${install.server.ssl.enabledProtocols}"
               keystoreFile="${tomcat.keystore.file}"
               keyAlias="${tomcat.key.alias}"
               keystorePass="${tomcat.keystore.password}" />
To enforce TLSv1.2, add or modify the property server.ssl.enabledProtocols=TLSv1.2 in this file: <server>/conf/server/installed.properties. Note that this property might be missing, or it might be present with a different value, including an empty value. The property is referenced as ${install.server.ssl.enabledProtocols} in the server.xml and installed.properties files.
UrbanCode Deploy Server: JMS Protocol

The JMS protocol is configured in this file: <server>/conf/server/activemq.xml. The relevant entries are as follows:

    <transportConnectors>
        <transportConnector uri="ah3://${server.host}:${server.jms.port}?transport.enabledProtocols=${install.server.ssl.enabledProtocols}&amp;transport.enabledCipherSuites=${install.server.ssl.enabledCiphers}"/>
    </transportConnectors>

This entry also refers to the ${install.server.ssl.enabledProtocols} property, so the same setting in installed.properties applies to JMS.

UrbanCode Deploy Server: LDAP integration
UrbanCode Deploy Server: JDBC connection to the database server
JDBC is used to connect UrbanCode Deploy to the backend database.
DB2

See configuring SSL support in a DB2 instance. Configure the DB2 instance according to those instructions, and test after you complete the configuration.

Postgres

Connection string:

    connectionString=jdbc:postgresql://dbhost/dummy?ssl=true
    jdbcDriver=org.postgresql.Driver
    jdbcJar=C:\IBM\UCD\ucd6.2.3\623agent1\postgresql-42.1.4.jar

Import the database certificate into the UrbanCode Deploy Agent Java keystore.

The latest available plug-in version is Version 11.

Microsoft SQL Server
Enforcing TLSv1.2 has undesirable results if one of the involved components does not support TLS v1.2, so you must make sure that the JDBC drivers support TLS v1.2. To restrict the JVM to TLS v1.2, change the jdk.tls.disabledAlgorithms line in jre/lib/security/java.security to jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1. Alternatively, point the JVM at a custom java.security file through the JAVA_OPTS string in ucd-server/bin/set_env.
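The two settings this page changes, server.ssl.enabledProtocols in installed.properties and jdk.tls.disabledAlgorithms in java.security, can be audited before the server is restarted. The following Python script is an added example and is not part of this documentation or of the UrbanCode Deploy product: it reads both files with a minimal .properties parser (including the trailing-backslash continuation lines that java.security uses) and reports the failure cases noted above, namely the property missing, empty, or still listing older protocols. The file excerpts embedded at the bottom are constructed samples, not copies of real files.

```python
import re
REQUIRED_DISABLED = {"SSLv3", "TLSv1", "TLSv1.1"}  # must all appear in jdk.tls.disabledAlgorithms

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments and trailing-backslash continuations."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip() if buf else raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):  # continuation line, as java.security uses for long lists
            buf += line[:-1]
            continue
        m = re.match(r"([^=:\s]*)\s*[=:]?\s*(.*)", buf + line)  # key, optional '='/':', value
        props[m.group(1)] = m.group(2).strip()
        buf = ""
    return props

def check_enabled_protocols(props):
    """installed.properties: flag the property missing, empty, or not exactly TLSv1.2."""
    value = props.get("server.ssl.enabledProtocols")
    if value is None:
        return False, "server.ssl.enabledProtocols is missing"
    protocols = {p.strip() for p in value.split(",") if p.strip()}
    if not protocols:
        return False, "server.ssl.enabledProtocols is empty"
    if protocols != {"TLSv1.2"}:
        return False, "enabled protocols are " + ", ".join(sorted(protocols))
    return True, "only TLSv1.2 is enabled"

def check_disabled_algorithms(props):
    """java.security: SSLv3, TLSv1 and TLSv1.1 must all be listed as disabled."""
    missing = REQUIRED_DISABLED - {a.strip() for a in props.get("jdk.tls.disabledAlgorithms", "").split(",")}
    if missing:
        return False, "jdk.tls.disabledAlgorithms does not disable " + ", ".join(sorted(missing))
    return True, "legacy SSL/TLS versions are disabled"

def audit(installed_text, security_text):
    """Run both checks on the two files' contents; returns {check: (ok, message)}."""
    return {"enabledProtocols": check_enabled_protocols(parse_properties(installed_text)),
            "disabledAlgorithms": check_disabled_algorithms(parse_properties(security_text))}
# Constructed excerpts, not real files: this installed.properties still allows TLSv1 and TLSv1.1.
INSTALLED_PROPERTIES = "install.server.web.https.port=8443\nserver.ssl.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2\n"
JAVA_SECURITY = """# constructed excerpt of jre/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, \\
    DH keySize < 1024
"""

if __name__ == "__main__":
    print(audit(INSTALLED_PROPERTIES, JAVA_SECURITY))
```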
See understanding SSL support.

Use the following connection properties:

encrypt=true: uses TLS/SSL.
trustServerCertificate=false: do not blanket-trust the server certificate. The certificate that Microsoft SQL Server presents is validated against the default JRE trust store, jre/lib/security/cacerts.
hostNameInCertificate=yes: verify that the DNS name and the SubjectAltName in the SSL certificate are the same.
trustStore=/my/own/trustStore.jks: do not use the default JRE trust store jre/lib/security/cacerts; use a separate one.
trustStorePassword=changeit: the password for the trust store.
UrbanCode Deploy Agent