Configure the Transfer CFT network security

To enhance network security, you can now define the accepted TLS protocols and cipher suites that Central Governance allows for Transfer CFT registration and usage.

Note As of Central Governance 1.1.3 SP18, the Transport Layer Security (TLS) 1.0 and 1.1 protocols are deprecated. The JRE requires TLS 1.2 or higher.

Configure accepted TLS versions

  1. Navigate to the $CG_HOME/runtime/com.axway.nodes.cftconnector_node.../cft-connector.properties file.
  2. Open the file with a text editor.
  3. Modify the line webserver.protocols.included to list the TLS versions that you want to accept. For example, to exclude TLSv1 and accept only TLSv1.1 and TLSv1.2:
     webserver.protocols.included=TLSv1.1,TLSv1.2
  4. Save and close the file.
  5. Restart Central Governance.
Caution   If a Transfer CFT uses a TLS version that is not listed in webserver.protocols.included, it cannot register with Central Governance. Additionally, any already registered Transfer CFTs that use a TLS version not listed in webserver.protocols.included become unreachable once you complete the above procedure.
Note As of SP12, the TLSv1 protocol and the 3DES cipher suites are no longer allowed by default. Consequently, to continue using Transfer CFT 3.1.3 with Central Governance, you must modify the cft-connector.properties file as follows:
webserver.protocols.included=TLSv1,TLSv1.1,TLSv1.2
Be aware that this re-enables the deprecated TLSv1 protocol for every client of the connector endpoint, not only for the Transfer CFT 3.1.3 instance you are accommodating.

Disable specific cipher suites

To disable one or more cipher suites:

  1. Navigate to the $CG_HOME/runtime/com.axway.nodes.cftconnector_node.../cft-connector.properties file.
  2. Open the file with a text editor.
  3. Modify the line webserver.ciphersuites.excluded to list the cipher suites that you want to exclude. Each entry is matched against the full cipher suite name, so you can give either an exact suite name or a regular expression. For example, to disable every cipher suite whose name ends in _MD5, _SHA or _SHA1 (that is, the suites that use an MD5 or SHA-1 MAC), set:
     webserver.ciphersuites.excluded=^.*_(MD5|SHA|SHA1)$
  4. Save and close the file.
  5. Restart Central Governance.
Note To disable all cipher suites used by Transfer CFT 3.1.3, for example, set: webserver.ciphersuites.excluded=SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA
Note If you exclude one or several cipher suites but others remain that both Central Governance and Transfer CFT support, the Transfer CFT can still register and interoperate with Central Governance. Registration fails only when there is no cipher suite (or no TLS version) that both sides accept.
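The following script is an added example, not part of this documentation or of the Central Governance product. It reads the two properties described above from a constructed cft-connector.properties fragment, applies them to the cipher suite list this page gives for Transfer CFT 3.1.3, and reports whether a Transfer CFT offering a given TLS version and suite set would still have a protocol and a cipher suite in common with the connector. It assumes that each webserver.ciphersuites.excluded entry is a regular expression matched against the whole suite name (so a plain suite name matches only itself); the two GCM/SHA-2 suite names are added here for contrast and are not taken from the page. Use it to check a planned exclusion list before restarting Central Governance and locking out registered instances.

```python
import re

# Constructed sample of the two properties this page configures. This is
# illustrative text, not a copy of a real cft-connector.properties file.
SAMPLE_PROPERTIES = """\
# webserver settings (constructed example)
webserver.protocols.included=TLSv1.1,TLSv1.2
webserver.ciphersuites.excluded=^.*_(MD5|SHA|SHA1)$
"""

# Cipher suites this page lists for Transfer CFT 3.1.3.
CFT_313_SUITES = [
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# Assumed: two SHA-2/GCM suites a current JRE also offers, included only to
# show that the regex above leaves them enabled.
MODERN_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]


def parse_properties(text):
    """Minimal key=value parser for a Java-style .properties file (ignores
    '#'/'!' comments and blank lines; splits on the first '=')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_list(value):
    """Split a comma-separated property value and drop blank entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def accepted_protocols(props, offered):
    """TLS versions the connector will negotiate: offered by the client AND
    listed in webserver.protocols.included."""
    included = set(split_list(props.get("webserver.protocols.included", "")))
    return [p for p in offered if p in included]


def accepted_suites(props, available):
    """Suites that survive webserver.ciphersuites.excluded.

    Assumption: every entry is a regular expression that must match the whole
    suite name, so a literal suite name excludes exactly that suite.
    """
    patterns = [re.compile(p) for p in
                split_list(props.get("webserver.ciphersuites.excluded", ""))]
    return [s for s in available if not any(p.fullmatch(s) for p in patterns)]


def can_register(props, server_suites, cft_protocols, cft_suites):
    """A Transfer CFT can register only if at least one TLS version AND at
    least one cipher suite are accepted by both sides."""
    protocols = accepted_protocols(props, cft_protocols)
    common = set(accepted_suites(props, server_suites)) & set(cft_suites)
    return bool(protocols) and bool(common)


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("Suites still enabled:", accepted_suites(props, CFT_313_SUITES + MODERN_SUITES))
    print("Transfer CFT 3.1.3 can register:",
          can_register(props, CFT_313_SUITES + MODERN_SUITES, ["TLSv1.2"], CFT_313_SUITES))
```

With the sample exclusion regex every suite in the Transfer CFT 3.1.3 list ends in _SHA, so the whole list is excluded and only the two SHA-2 suites remain; a 3.1.3 instance would therefore fail to register even though it offers TLSv1.2. Narrowing the exclusion to the 3DES suites only (for example `^.*_3DES_.*$`) keeps the AES-CBC suites as common ground and registration succeeds again, provided the instance also offers a TLS version that is in webserver.protocols.included.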
