CA Network Flow Analysis - 9.3.8

Enable TLS 1.2 for HTTPS Connection

Last update July 19, 2018

Transport Layer Security (TLS) is a cryptographic protocol that provides communications security over a network. This procedure restricts the NFA console and the RIB to TLS 1.2: it disables TLS 1.0 and TLS 1.1 at the Windows SCHANNEL level and in the Jetty configuration, and removes a list of cipher suites (DES, 40-bit export, RC4, 3DES and DHE_RSA suites) from the Jetty listeners.

Prerequisites

Create the required certificate files before enabling TLS.

Follow these steps:

Note: Steps 1 through 6 change the RDP security layer and step 7 disables TLS 1.0 and TLS 1.1 for incoming SCHANNEL connections, which RDP also uses. Follow these steps in order and exactly as written, or you might lose the RDP connection to the server.

  1. Run gpedit.msc on the system where NFA is installed.
  2. Navigate to Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Security.

  3. Double click Require use of specific security layer for remote (RDP) connections.

  4. Click Enabled.

  5. From the Security Layer drop-down list, select Negotiate.

  6. Click OK.

  7. Back up the registry, then create the following registry values. They disable TLS 1.0 and TLS 1.1 for incoming (server-side) SCHANNEL connections; the keys do not exist by default, so create them:

    1. Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
      Value: Enabled
      Value type: REG_DWORD
      Value Data: 0

    2. Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
      Value: Enabled
      Value type: REG_DWORD
      Value Data: 0

  8. Navigate to install_path\Portal\SSO\etc.

  9. Edit the jetty-ssl-context.xml file and add the following lines after the <Set name="ExcludeCipherSuites"> tag. The dots stand for existing lines in the file that are not shown. The excludeProtocols setting leaves TLS 1.2 as the only protocol version the SSO listener accepts.

    <Set>
    .
    .
      <Array type="String">
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
        <Item>TLS_RSA_WITH_RC4_128_MD5</Item>
        <Item>TLS_RSA_WITH_RC4_128_SHA</Item>
        <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
        <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
        <Item>SSL_ECDHE_RSA_WITH_RC4_128_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
        <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
      </Array>
    </Set>
    <!--<Get name="sslContextFactory">-->
    <Set name="excludeProtocols">
      <Array type="java.lang.String">
        <Item>SSL</Item>
        <Item>SSLv2</Item>
        <Item>SSLv2Hello</Item>
        <Item>SSLv3</Item>
        <Item>TLSv1</Item>
        <Item>TLSv1.1</Item>
      </Array>
    </Set>

    Note: Steps 10 and 11 are required only if the CA Performance Center (CA PC) integration uses HTTPS/TLS.

  10. Edit install_path/RIB/start.ini.

    1. Comment out the following lines to disable plain HTTP communication.

      --module=http
      jetty.port=8681
    2. Uncomment the following lines and edit them as necessary to enable HTTPS communication (jetty.keystore.password and jetty.keymanager.password must have the same value):

      --module=https
      jetty.keystore=install_path/certs/nfa-console-keystore.pfx
      jetty.keystore.password=somepassword
      jetty.keymanager.password=somepassword
      jetty.truststore=install_path/certs/nfa-console-truststore.pfx
      jetty.truststore.password=somepassword
      https.port=8681
  11. Edit install_path/RIB/etc/jetty-ssl.xml, and perform the following:

    1. To restrict the listener to TLS 1.2 only, uncomment and edit the following before the closing </Configure> tag:

      <Call name="addExcludeProtocols">
        <Arg>
          <Array type="java.lang.String">
            <Item>SSL</Item>
            <Item>SSLv2</Item>
            <Item>SSLv2Hello</Item>
            <Item>SSLv3</Item>
            <Item>TLSv1</Item>
            <Item>TLSv1.1</Item>
          </Array>
        </Arg>
      </Call>

    2. To exclude weak cipher suites, add the following lines after the <Set name="ExcludeCipherSuites"> tag:

      <Set>
        <Array type="String">
          <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
          <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
          <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
          <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
          <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
          <Item>TLS_RSA_WITH_RC4_128_MD5</Item>
          <Item>TLS_RSA_WITH_RC4_128_SHA</Item>
          <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
          <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
          <Item>SSL_ECDHE_RSA_WITH_RC4_128_SHA</Item>
          <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
          <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
        </Array>
      </Set>

  12. Confirm that ports 8382 and 8681 are open in any firewall between the console and its clients.

  13. Restart the NFA Console services.
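The following PowerShell script is an added example; it is not code from the CA NFA documentation or from the product. It performs the registry part of step 7 (a backup of the SCHANNEL Protocols subtree, then Enabled = 0 on the TLS 1.0 and TLS 1.1 Server keys) and, after the restart in step 13, probes which protocol versions the console actually accepts. The hostname nfa-console.example.com is a placeholder, 8681 is the RIB HTTPS port from step 10, and the function names Backup-SchannelProtocols, Disable-SchannelServerProtocol and Test-TlsProtocol are chosen for this example.

```powershell
# Added example; not part of the CA NFA documentation or product.
# Assumptions (placeholders, not from the page): the script runs in an elevated
# PowerShell session on the NFA console host; 'nfa-console.example.com' is the
# console hostname; 8681 is the RIB HTTPS port from step 10.
# Run Disable-SchannelServerProtocol only after steps 1-6 (RDP security layer set
# to Negotiate): the same SCHANNEL values govern RDP, and disabling TLS 1.0/1.1
# with the wrong RDP security layer can cost you the RDP session.

$ErrorActionPreference = 'Stop'
$SchannelProtocols = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Backup-SchannelProtocols {
    # Exports the Protocols subtree to a .reg file; restore with: reg.exe import <file>
    param([string]$Path = (Join-Path $env:TEMP "schannel-protocols-$(Get-Date -Format 'yyyyMMdd-HHmmss').reg"))
    & reg.exe export "HKLM\$SchannelProtocols" $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return $Path
}

function Disable-SchannelServerProtocol {
    # Creates HKLM\...\Protocols\<Protocol>\Server with Enabled = 0 (REG_DWORD), as in step 7.
    param([Parameter(Mandatory)][ValidateSet('TLS 1.0', 'TLS 1.1')][string]$Protocol)
    $key = "HKLM:\$SchannelProtocols\$Protocol\Server"
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    return (Get-ItemProperty -Path $key -Name 'Enabled').Enabled
}

function Test-TlsProtocol {
    # Opens a TCP connection and offers exactly one protocol version. After the
    # services restart, TLS 1.0 and TLS 1.1 should be refused and TLS 1.2 accepted.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Certificate validation is skipped on purpose: this probe checks protocol
        # negotiation only, not whether the console certificate chains to a trusted CA.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $result = [pscustomobject]@{
            Offered    = $Protocol
            Accepted   = $true
            Negotiated = $ssl.SslProtocol
            Detail     = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        }
        $ssl.Dispose()
        return $result
    } catch {
        # A refused version surfaces here as a handshake/authentication exception.
        return [pscustomobject]@{
            Offered    = $Protocol
            Accepted   = $false
            Negotiated = $null
            Detail     = $_.Exception.Message
        }
    } finally {
        $client.Dispose()
    }
}

# 1. Back up, then disable TLS 1.0 and TLS 1.1 on the server side (step 7).
$backup = Backup-SchannelProtocols
Write-Host "SCHANNEL Protocols backed up to $backup"
foreach ($p in 'TLS 1.0', 'TLS 1.1') {
    Write-Host "${p}\Server Enabled = $(Disable-SchannelServerProtocol -Protocol $p)"
}

# 2. After the Jetty edits and the service restart (steps 8-13), probe each version.
foreach ($proto in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsProtocol -HostName 'nfa-console.example.com' -Port 8681 -Protocol $proto
}
```

Two points when reading the probe results. First, run Test-TlsProtocol from a host whose own client-side TLS 1.0 and TLS 1.1 are still enabled; if the probing host cannot offer those versions, a "refused" result says nothing about the server. Second, the Jetty listeners run on the JVM and use its own TLS stack (JSSE), not Windows SCHANNEL, so it is the excludeProtocols and ExcludeCipherSuites settings from steps 9 and 11 that decide what the HTTPS ports accept; the registry values from step 7 govern SCHANNEL consumers on the same server, RDP included.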


  1. Dan White
    2018-07-06 12:44

    On my NFA 9.3.8 Console, to which the steps in this section apply, almost none of the services listed in step 13 exist - or not with those names. I have:

    CA MySql
    CA NFA Ribsource
    CA Performance Centre SSO
    NetQos Reporter Manager Service
    NetQos Reporter/Analyzer General Services
    NetQos Reporter/Analyzer Pump Service
    NetQos Reporter/Analyzer Query Services
    NetQos Reporter/Analyzer Watchdog
    NetQos Reporter/Analyzer Report Service

    I think the list given is perhaps generic (it also includes Harvester, which may not apply here), and the names don't match this console; 9.3.8 is a recent version of NFA! The names are sufficiently different from the actual ones to make it impossible to follow the list. Please correct the list to show the correct service names, and hence the correct ordering for stopping/starting (or restarting) them too?