The following SSL/TLS fields can be configured for protocols:
SSLv3 Enabled
Whether to enable SSLv3 or not.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.ssl3-enabled=[true/false]
TLS Enabled
Whether to enable TLS or not.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.tls-enabled=[true/false]
TLS V1.1 Enabled
Whether to enable TLS V1.1 or not. Will be ignored if TLS is disabled.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.tls11-enabled=[true/false]
TLS V1.2 Enabled
Whether to enable TLS V1.2 or not. Will be ignored if TLS is disabled.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.tls12-enabled=[true/false]
TLS V1.3 Enabled
Whether to enable TLS V1.3 or not. Will be ignored if TLS is disabled.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.tls13-enabled=[true/false]
Support for TLS 1.3 is available with JDK 8 versions after JDK 1.8.0u261, unless you’re using Zulu JDK 1.8.0u222 - 1.8.0u252, in which case you’ll also need to use the Java option -XX:+UseOpenJSSE. This option makes OpenJSSE default TLS provider. OpenJSEE is a JSEE provider created by Azul to support TLS 1.3 on JDK 8. See TLS 1.3 Support in Zulu 8 with OpenJSSE for more information. Also note that this flag can cause problems with the HTTP/2 support. If you using a lower version than 1.8.0u222, checkbox to enable TLS 1.3 will not be visible on the web administration console. |
You will need to add the following Java Option: -Dfish.payara.clientHttpsProtocol=TLSv1.3 to the asadmin script for TLS 1.3 to work with asadmin CLI. This sets the TLS version to 1.3 which will be used by the asadmin client. |
Client Authentication
When enabled, clients will be required to authenticate themselves to the server.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.client-auth-enabled=[true/false]
Certificate Nickname
The alias of the certificate to be supplied on secure requests. The certificate should be present in the server keystore.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.cert-nickname=value
Key Store
The name of the keystore file. A keystore stores the certificate to be sent by the server with responses.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.key-store=value
Trust Store
The name of the trust store file. The trust store stores trusted certificates.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.trust-store=value
Trust Algorithm
The name of the trust management algorithm (e.g. PKIX
) to use for certification path validation.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.trust-algorithm=value
Max Certificate Length
Maximum number of non self-issued intermediate certificates that can exist in a certification path.
This is only valid if the trust algorithm is PKIX
.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.trust-max-cert-length=value
Enabled Ciphers
A list of the server enabled ciphers. This string is stores as a comma separated list of the enabled ciphers
with a +
or a -
at the start of each, depending on whether the cipher is enabled or disabled.
E.g. +TLS_RSA_WITH_AES_256_CBC_SHA,+SSL_RSA_WITH_3DES_EDE_CBC_SHA
.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.ssl3-tls-ciphers=value
Handshake Timeout
The timeout, in millis, for a handshake. After this timeout the handshake will be aborted.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.handshake-timeout-millis=value
TLS Rollback
Whether TLS rollback is enabled or not.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.tls-rollback-enabled=[true/false]
HSTS Enabled
Whether HSTS is enabled. When enabled, the server will respond to requests with the Strict-Transport-Security
header. While these requests often return a 301 directing the client to the secure site, this header instructs the requester to make all connections to this site secure for the next year. The header takes the following form:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
The last 2 attributes are added based on the other HSTS configuration options.
HSTS can be enabled on any HTTP listener. However, it’s meant to be enabled on a secure HTTP listener if an insecure HTTP listener redirects to the secure listener. When browsers receive the Strict-Transport-Security header over HTTPS, they will use HTTPS immediately for all future connections requested over plain HTTP. If the header is retrieved over HTTP, it is ignored by browsers due to security reasons. More information in MDN Docs.
|
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.hsts-enabled=[true/false]
When the configuration value is set to true
, the HSTS header is added with a max-age
property value of 31536000
. The max-age
property is not configurable.
HSTS Subdomains
When enabled in combination with HSTS, Strict-Transport-Security
headers will include the includeSubDomains
attribute. When this is configured, the client will also assume subdomains of the targetted resource require secure connections. The subdomains property is by default not added and needs to be activated by the following Asadmin CLI command.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.hsts-sub-domains=[true/false]
HSTS Preload
When enabled in combination with HSTS, Strict-Transport-Security
headers will include the preload
attribute. When this is configured, the domain of the target resource will be added to the browser preload list, meaning that initial requests to this resource in future won’t be insecure. The preload property is by default not added and needs to be activated by the following Asadmin CLI command.
Asadmin Command:
set configs.config.server-config.network-config.protocols.protocol.${protocol-name}.ssl.hsts-preload=[true/false]