Support for TLS 1.2

Support for TLS 1.2

HealthInfoNet
Hello, I inherited a project here at HealthInfoNet from a former employee who configured the Connect gateway to retrieve CCD documents from the VA.  This is a complex configuration with many components.  We use Orion as a vendor and the Connect product talks to an instance of Orion Rhapsody.   It is also configured to connect to a MySQL database.  The Connect server is running on an instance of Glassfish.  I am for all intents and purposes a complete novice when it comes to understanding this system.

Yesterday we noticed that our users were unable to retrieve CCD documents from the VA through our clinical portal.  I believe the relevant error in the log file is

Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

When I asked the VA about this, the reply was "We moved to support for TLS 1.2 only yesterday and that is the most likely root cause.  Does your production system support communications over TLS 1.2?  Sequoia Project just issued guidance recommending organizations support TLS 1.2 and stating it will be mandatory by February 2018 but as a federal agency we were obligated to disable TLS 1.1 and 1.0 yesterday."  

Could someone help me understand how to configure Connect to use TLS 1.2? I believe the version we have installed is 4.3.


Re: Support for TLS 1.2

Sovann Huynh
Administrator
Hi there, CONNECT does not actually set the TLS versions. This is handled via GlassFish settings. Take a look at https://stackoverflow.com/questions/39504042/enable-tls1-2-on-glassfish-3-1-2-2 as well as other GlassFish TLS documentation.

Thanks,

Sovann
CONNECT Product Team Member

Re: Support for TLS 1.2

HealthInfoNet
Hi Sovann, Many thanks for your reply.

I've tried:

1. Downloaded the patch grizzly-config.jar and installed it in glassfish/modules folder.
Restarted Glassfish.
(See https://github.com/javaee/glassfish/issues/18949)

2. Ran
asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.tls12-enabled=true
https://stackoverflow.com/questions/34662094/how-to-make-glassfish-4-0-webservice-use-tlsv1-1-or-tlsv1-2

No joy so far. Still seeing the error:
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

These solutions seem off-track though, because it seems like we want to tell Glassfish to access the VA using TLS 1.2, not necessarily that Glassfish has to listen with TLS 1.2

Re: Support for TLS 1.2

HealthInfoNet
The solution turned out to be setting a JVM option in the Glassfish domain1 domain.xml file:
<java-config>
...
   <jvm-options>-Dhttps.protocols=TLSv1.2</jvm-options>
</java-config>
And then restarting the domain1 service.
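The fix above works because -Dhttps.protocols is read by HttpsURLConnection, the transport that CONNECT's outbound SOAP calls ride on, and a Java 7 client SSLContext enables only TLSv1 by default (Java 8 adds TLSv1.1 and TLSv1.2), so a peer that accepts nothing below TLS 1.2 answers the ClientHello with a fatal handshake_failure alert. The property does not change what a raw SSLSocket, or a client library built directly on SSLContext, offers; that list is governed by -Djdk.tls.client.protocols (JDK 8, and 7u95 and later). The following probe is an added diagnostic, not code from this thread, from CONNECT or from GlassFish. It assumes a host and port supplied on the command line (the endpoint name is not on this page) and Java 7 or later; it reports what the JVM offers on each path and which single versions the peer accepts, so the mismatch can be confirmed rather than guessed. Because eHealth Exchange endpoints normally require mutual TLS, run it with the gateway's own -Djavax.net.ssl.keyStore and -Djavax.net.ssl.trustStore settings so it presents the same client certificate the gateway does; otherwise a certificate rejection can look like the same alert.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.URL;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * TlsProbe (added diagnostic, not part of CONNECT or GlassFish): shows which
 * TLS versions a peer accepts and what this JVM offers on the two client paths
 * that a -D property can influence.
 *
 *   java TlsProbe <host> <port>
 *   java -Dhttps.protocols=TLSv1.2 TlsProbe <host> <port>
 *   java -Djdk.tls.client.protocols=TLSv1.2 TlsProbe <host> <port>
 *
 * Host and port are assumptions supplied by the operator; nothing is hard-coded.
 */
public class TlsProbe {

    /** Versions tried one at a time against the peer. */
    private static final String[] VERSIONS = { "TLSv1", "TLSv1.1", "TLSv1.2" };

    private static final int TIMEOUT_MS = 5000;

    /**
     * Protocols a plain SSLSocket (and any client library built directly on
     * SSLContext rather than on HttpsURLConnection) enables by default.
     * -Djdk.tls.client.protocols changes this list; -Dhttps.protocols does not.
     */
    static String[] defaultClientProtocols() throws Exception {
        return SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
    }

    /** Handshake with exactly one protocol version enabled and report the outcome. */
    static String probeVersion(String host, int port, String version) {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket sock = (SSLSocket) factory.createSocket()) {
            sock.connect(new InetSocketAddress(host, port), TIMEOUT_MS);
            sock.setSoTimeout(TIMEOUT_MS);
            sock.setEnabledProtocols(new String[] { version });
            sock.startHandshake();
            return version + ": accepted (negotiated " + sock.getSession().getProtocol() + ")";
        } catch (SSLHandshakeException e) {
            // A TLS 1.2-only peer answers a TLS 1.0/1.1 ClientHello with a fatal
            // alert; this is the "Received fatal alert: handshake_failure" in the log.
            return version + ": rejected (" + e.getMessage() + ")";
        } catch (IOException e) {
            return version + ": error (" + e + ")";
        }
    }

    /**
     * Same peer through HttpsURLConnection, the path that honours
     * -Dhttps.protocols. connect() performs the TLS handshake without sending
     * an HTTP request, so no URL path on the peer needs to exist.
     */
    static String probeHttpsUrlConnection(String host, int port) {
        try {
            URL url = new URL("https", host, port, "/");
            HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
            conn.setConnectTimeout(TIMEOUT_MS);
            conn.setReadTimeout(TIMEOUT_MS);
            conn.connect();
            String result = "HttpsURLConnection: handshake OK, cipher suite "
                    + conn.getCipherSuite();
            conn.disconnect();
            return result;
        } catch (SSLHandshakeException e) {
            return "HttpsURLConnection: handshake failed (" + e.getMessage() + ")";
        } catch (IOException e) {
            return "HttpsURLConnection: error (" + e + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TlsProbe <host> <port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        System.out.println("JVM: " + System.getProperty("java.version"));
        System.out.println("https.protocols=" + System.getProperty("https.protocols"));
        System.out.println("jdk.tls.client.protocols=" + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("Default SSLContext client protocols: "
                + Arrays.toString(defaultClientProtocols()));

        for (String v : VERSIONS) {
            System.out.println(probeVersion(host, port, v));
        }
        System.out.println(probeHttpsUrlConnection(host, port));
    }
}
```

Run it three times, once with no property and once with each of the two properties, from the same JVM that runs GlassFish: the "Default SSLContext client protocols" line moves only under -Djdk.tls.client.protocols, while the HttpsURLConnection line changes under either property, which tells you which of the two a given outbound stack actually needs. Once confirmed, the same option can be applied without hand-editing domain.xml with asadmin create-jvm-options -Dhttps.protocols=TLSv1.2 followed by a domain restart.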

Re: Support for TLS 1.2

Sovann Huynh
Administrator
Great, thanks for sharing the solution :)

Sovann
CONNECT Product Team Member