SSL/TLS Options
The following SSL/TLS fields can be configured for protocols:
SSLv3 Enabled
Whether to enable SSLv3 or not.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.ssl3-enabled=[true/false]
TLS Enabled
Whether to enable TLS or not.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.tls-enabled=[true/false]
TLS V1.1 Enabled
Whether to enable TLS V1.1 or not. Will be ignored if TLS is disabled.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.tls11-enabled=[true/false]
TLS V1.2 Enabled
Whether to enable TLS V1.2 or not. Will be ignored if TLS is disabled.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.tls12-enabled=[true/false]
TLS V1.3 Enabled
Whether to enable TLS V1.3 or not. Will be ignored if TLS is disabled.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.tls13-enabled=[true/false]
| Support for TLS 1.3 is available with JDK 8 versions after JDK 1.8.0u261, unless you’re using Zulu JDK 1.8.0u222 - 1.8.0u252, in which case you’ll also need to use the Java option -XX:+UseOpenJSSE. This option makes OpenJSSE default TLS provider. OpenJSEE is a JSEE provider created by Azul to support TLS 1.3 on JDK 8. See TLS 1.3 Support in Zulu 8 with OpenJSSE for more information. Also note that this flag can cause problems with the HTTP/2 support. If you using a lower version than 1.8.0u222, checkbox to enable TLS 1.3 will not be visible on the web administration console. |
| You will need to add the following Java Option: -Dfish.payara.clientHttpsProtocol=TLSv1.3 to the asadmin script for TLS 1.3 to work with asadmin CLI. This sets the TLS version to 1.3 which will be used by the asadmin client. |
Client Authentication
When enabled, clients will be required to authenticate themselves to the server.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.client-auth-enabled=[true/false]
Certificate Nickname
The alias of the certificate to be supplied on secure requests. The certificate should be present in the server keystore.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.cert-nickname=value
Key Store
The name of the keystore file. A keystore stores the certificate to be sent by the server with responses.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.key-store=value
Trust Store
The name of the trust store file. The trust store stores trusted certificates.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.trust-store=value
Trust Algorithm
The name of the trust management algorithm (e.g. PKIX) to use for certification path validation.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.trust-algorithm=value
Max Certificate Length
Maximum number of non self-issued intermediate certificates that can exist in a certification path.
This is only valid if the trust algorithm is PKIX.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.trust-max-cert-length=value
Enabled Ciphers
A list of the server enabled ciphers. This string is stores as a comma separated list of the enabled ciphers
with a + or a - at the start of each, depending on whether the cipher is enabled or disabled.
E.g. +TLS_RSA_WITH_AES_256_CBC_SHA,+SSL_RSA_WITH_3DES_EDE_CBC_SHA.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.ssl3-tls-ciphers=value