Summary

  • Ciphers are used to negotiate an HTTPS connection and to encrypt an HTTPS connection between JOC Cockpit, Master and Agents. 
  • You can use Java directives to restrict use of protocols such as TLSv1, TLSv1.1 etc. and to restrict use of ciphers for string encryption.
  • Consider that such changes will not disable the availability of protocols and ciphers but will add restrictions when they are used with JOC Cockpit, Master and Agents.
  • A more secure approach is to use certificates that are based on strong ciphers and to use ECDSA certificates, as such certificates force clients, e.g. the user's browser, to use strong encryption.

Restricting use of ciphers with the java.security file

  • The Oracle® documentation says:
    • In some environments, certain algorithms or key lengths may be undesirable when using TLS. The Oracle JDK uses the jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms Security Properties to disable algorithms during TLS protocol negotiation, including version negotiation, cipher suites selection, peer authentication, and key exchange mechanisms. Note that these Security Properties are not guaranteed to be used by other JDK implementations. See the <java-home>/lib/security/java.security file for information about the syntax of these Security Properties and their current active values.

      • jdk.certpath.disabledAlgorithms Property: CertPath code uses this Security Property to determine which algorithms should not be allowed during CertPath checking. For example, when a TLS server sends an identifying certificate chain, a client TrustManager that uses a CertPath implementation to verify the received chain will not allow the stated conditions. For example, the following line blocks any MD2-based certificate, as well as SHA1 TLSServer certificates that chain to trust anchors that are pre-installed in the cacerts keystore. Likewise, this line blocks any RSA key less than 1024 bits.

        jdk.certpath.disabledAlgorithms=MD2, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024
      • jdk.tls.disabledAlgorithms Property: SunJSSE code uses this Security Property to disable TLS protocols, cipher suites, keys, and so on. The syntax is similar to the jdk.certpath.disabledAlgorithms Security Property. For example, the following line disables the SSLv3 algorithm and all of the TLS_*_RC4_* cipher suites:

        jdk.tls.disabledAlgorithms=SSLv3, RC4
  • You can restrict use of ciphers with the above settings. However, consider that this will not disable availability of protocols and ciphers. The following example excludes use of TLS version 1 and 1.1:
    • jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, TLSv1, TLSv1.1
  • Consider that the java.security file is not enforced: any Java application can use its own version of this file by using the -Djava.security.properties=<URL> option, and it can overwrite individual properties. Therefore changes to directives in the java.security file will not make your system more secure; they only prevent you from shooting yourself in the foot.
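
The following check is an added example and is not part of the original page or of the JobScheduler products. It computes the jdk.tls.disabledAlgorithms value that remains in effect once an override file passed with -Djava.security.properties is merged, and reports which protocol entries from the example above are missing. The file contents are constructed samples; the function names are hypothetical; the handling of security.overridePropertiesFile and of the "==" form follows the behaviour described in the comments of the JDK's java.security file.

```python
# Added example: audit the effective jdk.tls.disabledAlgorithms value.
REQUIRED = ("SSLv3", "TLSv1", "TLSv1.1")  # protocol entries from the page's example

def parse_properties(text):
    """Parse the java.security subset used here: '#'/'!' comments,
    key=value pairs and trailing-backslash line continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def effective(master_text, override_text=None, replace=False):
    """Merge an override file the way -Djava.security.properties=<URL> does;
    replace=True models the '==' form, which discards the master file."""
    master = parse_properties(master_text)
    honoured = master.get("security.overridePropertiesFile", "").lower() == "true"
    if override_text is None or not honoured:
        return master
    override = parse_properties(override_text)
    return override if replace else {**master, **override}

def missing_restrictions(props, required=REQUIRED):
    """Return the required entries absent from jdk.tls.disabledAlgorithms."""
    value = props.get("jdk.tls.disabledAlgorithms", "")
    entries = {entry.strip() for entry in value.split(",")}
    return [name for name in required if name not in entries]

# Constructed sample contents, not taken from a real installation.
MASTER = """\
security.overridePropertiesFile=true
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\
    DH keySize < 768, TLSv1, TLSv1.1
"""
OVERRIDE = "jdk.tls.disabledAlgorithms=SSLv3, RC4\n"

if __name__ == "__main__":
    print("master only  :", missing_restrictions(effective(MASTER)))
    print("with override:", missing_restrictions(effective(MASTER, OVERRIDE)))
```

To audit a real installation, pass the text of <java-home>/lib/security/java.security and of the file named in the service's -Djava.security.properties option instead of the samples.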

Use of certificates with strong encryption

  • When using RSA certificates, consider applying a larger key size, e.g. 2048 or 4096 bits.
  • When using ECDSA certificates, the key size is not that important due to the algorithms in use.
  • It is therefore recommended to use ECDSA certificates as this forces clients to use ECDSA ciphers with strong encryption.

