Agile Product Lifecycle Management Security Guide
Release 9.3.4
E52156-02
E Deselecting SSLv3

The following instructions mitigate the SSLv3 vulnerability (the "POODLE" attack) in the Oracle E-Business Suite.

E.1 Deselecting SSL 3.0

Follow these steps to deselect SSL 3.0.

E.1.1 Excluding SSL 3.0 on Oracle WebLogic Server 12c

Add the following system property to the setUserOverrides file located in the <Agile_HOME>\agileDomain\bin folder:

set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.security.SSL.protocolVersion=TLS1

The property for Unix: export JAVA_OPTIONS="$JAVA_OPTIONS -Dweblogic.security.SSL.protocolVersion=TLS1"

Oracle WebLogic Server 12c uses JSSE as the default SSL implementation. This setting enables any protocol that starts with "TLS".

E.1.2 Excluding SSL 3.0 on Tomcat V7

Add the sslEnabledProtocols attribute to the HTTPS Connector element in the server.xml file and remove its sslProtocol="TLS" attribute:

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="C:\fm-keystore-934\fm-keystore.jsk"
           keystorePass="agile123" keyAlias="ssl"
           clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"/>

E.1.2.1 Disabling SSL 3.0 for Applets and Java Web Start Applications

If you have multiple JREs installed, you must identify which JRE is used locally, then navigate to its installation folder and run %JRE_HOME%\bin\javacpl.exe to start the Java Control Panel:

  1. Click the Advanced tab.

  2. Under Advanced Security Settings, deselect Use SSL 3.0.

  3. Click Apply.

  4. Click the Java tab.

  5. Click View... to view the Java Runtime settings.

  6. Add -Dweblogic.security.SSL.protocolVersion=TLS1 to the Runtime Parameters field for the selected JRE.

  7. Click OK.


  8. Note:

    Changes made to the Control Panel while the browser is open take effect only after the browser is restarted. Java WebStart applications, like the Agile PLM Java Client, must also be restarted for changes to take effect.

E.1.3 Disabling SSL 3.0 for Java Applications

Table E-1 System Properties to Disable SSL 3.0

JDK Version: JDK 5, 6, 7
System Property to Disable SSL 3.0:
java -Dhttps.protocols="TLSv1" -Dweblogic.security.SSL.protocolVersion=TLS1 <MyApp>

JDK Version: JDK 8 and above
System Property to Disable SSL 3.0:
java -Dweblogic.security.SSL.protocolVersion=TLS1 -Dhttps.protocols="TLSv1, TLSv1.1, TLSv1.2" -Djdk.tls.client.protocols="TLSv1, TLSv1.1, TLSv1.2" <MyApp>
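To verify that the settings from sections E.1.2 and E.1.3 were applied correctly, the following added example (not Oracle's own tooling; the function names and sample inputs are assumptions) audits a Java options string against Table E-1 and a Tomcat Connector element against the server.xml change above. It reports SSL protocols that are still enabled, a malformed -D property (such as a '-' typed in place of '='), a leftover sslProtocol attribute, and non-consecutive TLS versions.

```python
"""Audit SSL 3.0 settings from appendix E. Added example; names and
sample inputs are assumptions, not Oracle tooling."""
import re
import shlex
import xml.etree.ElementTree as ET

TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2"]

def _check_list(name, value):
    """Findings for a comma-separated protocol list (https.protocols,
    jdk.tls.client.protocols or Tomcat's sslEnabledProtocols)."""
    protos = [p.strip() for p in value.strip('"').split(",") if p.strip()]
    findings = []
    if any(p.upper().startswith("SSL") for p in protos):
        findings.append(f"{name} still enables an SSL protocol: {protos}")
    idx = [TLS_ORDER.index(p) for p in protos if p in TLS_ORDER]
    if idx and idx != list(range(min(idx), max(idx) + 1)):
        findings.append(f"{name} skips a TLS version; enable consecutive versions")
    return findings

def audit_java_opts(opts):
    """Check a JAVA_OPTIONS / Runtime Parameters string against Table E-1."""
    findings, props = [], {}
    for tok in shlex.split(opts):
        m = re.fullmatch(r"-D([\w.]+)=(.*)", tok)
        if m:
            props[m.group(1)] = m.group(2)
        elif tok.startswith("-D"):  # e.g. ...protocolVersion-TLS1 (no '=')
            findings.append(f"malformed system property (no '='): {tok}")
    if props.get("weblogic.security.SSL.protocolVersion") != "TLS1":
        findings.append("weblogic.security.SSL.protocolVersion is not TLS1")
    for name in ("https.protocols", "jdk.tls.client.protocols"):
        if name in props:
            findings.extend(_check_list(name, props[name]))
    return findings

def audit_tomcat_connector(connector_xml):
    """Check one <Connector> element from server.xml (section E.1.2)."""
    el = ET.fromstring(connector_xml)
    if el.get("SSLEnabled") != "true":
        return []  # plain HTTP connector, nothing to check
    findings = []
    if "sslProtocol" in el.attrib:
        findings.append("remove sslProtocol; sslEnabledProtocols selects versions")
    enabled = el.get("sslEnabledProtocols")
    if enabled is None:
        findings.append("sslEnabledProtocols missing; SSLv3 may still be negotiated")
    else:
        findings.extend(_check_list("sslEnabledProtocols", enabled))
    return findings
```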


E.1.3.1 Disabling SSL 3.0 for Browsers

Table E-2 Steps to Disable SSL 3.0 By Browser

Browser                Steps to disable SSL 3.0

Internet Explorer

  1. On the Internet Explorer Tools menu, click Internet Options.

  2. In the Internet Options dialog box, click the Advanced tab.

  3. In the Security category, uncheck Use SSL 3.0 and make sure the following are checked: Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2 (if available). Note: It is important to check consecutive versions. Not selecting consecutive versions could result in connection errors.

  4. Click OK.

  5. Exit and restart Internet Explorer.

Mozilla Firefox

  1. Type about:config in the Firefox address bar and press Enter.

  2. Click I'll be careful, I promise!

  3. Type security.tls.version in the search bar.

  4. Double-click the "security.tls.version.min" preference and set its value to 1 (0 allows SSL 3.0; 1 makes TLS 1.0 the minimum).

  5. Restart Firefox.

Alternatively, you can install the Firefox Extension SSL Version Control which provides a graphical way to specify the minimum SSL version.

Chrome

Chrome does not have a setting in the user interface to turn off SSL 3.0. Instead, Chrome must be told not to use SSL 3.0 at launch. To launch Chrome with SSL 3.0 disabled, run it with the command Chrome.exe -ssl-version-min=tls1, which specifies that the minimum protocol version to be used is TLS 1.0.

Safari

There is no setting in Safari to disable SSL 3.0. You must upgrade the Safari browser to the latest version. Apple has released Security Update 2014-005, which disables CBC-mode ciphers for SSL 3.0 connections.