KB Article #179017
Enable TLSv1.0 and TLS1.1 for SecureTransport Admin service
Problem
SecureTransport 5.3.6 only accepts TLS handshake using TLSv1.2 protocol, which might cause compatibility issues with legacy Web Browsers or REST API clients. Unlike other protocols, Admind does not have SSL/TLS protocol selection configuration available in UI.
Resolution
Admin service is based on Apache Tomcat server. A tweak of the Apache Tomcat configuration is necessary to enable TLSv1.0 and TLS1.1 in SecureTransport 5.3.6. The file location is <FILEDRIVEHOME>/tomcat/admin/conf/server.xml
.
The sslProtocol
value near the end of the following line:
<Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="" keystoreProvider="ST" keystoreType="FS" maxThreads="150" minSpareThreads="25" port="0" protocol="com.tumbleweed.st.server.util.tomcat.ConfigurableHttp11Protocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" sslProtocol="TLS"/>
needs to be changed to TLSv1.2
, so the line becomes:
<Connector SSLEnabled="true" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="" keystoreProvider="ST" keystoreType="FS" maxThreads="150" minSpareThreads="25" port="0" protocol="com.tumbleweed.st.server.util.tomcat.ConfigurableHttp11Protocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" sslProtocol="TLSv1.2"/>
This counter-intuitive change would enable TLSv1.0 and TLSv1.1 protocols for the Admin service.