NetApp Knowledge Base

Does it have a negative impact if SCF 4.3.3 server stops accepting TLS 1.0 and 1.1?

Category:
snap-creator-framework
Specialty:
SNAPX

Applies to

Snap Creator Framework (SCF) 4.3.3Px

Answer

No, with one caveat (*).
 
HANA is the only plug-in that creates connections back to scServer. Even when the scAgent uses HANA in the APP_NAME configuration, and the scAgent version is one that requires the IP to set up the SSL certificate, it works without TLSv1.0 or TLSv1.1, using only TLSv1.2 (or higher).
 

WARNING

To keep up to date with SSL vulnerabilities in Java, the Java Virtual Machine (JVM, i.e. the JRE or OpenJDK) needs to be upgraded to a recent release (**).

Additional Information

*) Make sure to use a modern version of Java 8 (revision 202 or higher) for proper TLSv1.2 support, and at least version 4.3.3P3 of Snap Creator Framework on both the scServer and scAgent sides. 4.3.3P3 adds an AIX fix for using only TLSv1.2, which was already working under Windows and Linux.
**) Current versions of the JRE 1.8.0 already have TLSv1.0 and TLSv1.1 disabled in the settings, and will also remove weak ciphers from TLSv1.2.
 
Note: Both the scServer and the scAgent of Snap Creator Framework are Java applications and run on a Java virtual machine (JVM). The JRE (Java Runtime) has its own SSL security settings, so on Windows, changing the TLS settings in the Windows registry changes the behavior of neither the scServer (on port 443) nor the scAgent (on port 9090).
 
Instead, the security allowances and disallowances are set in the JRE's lib/security/java.security file, and the following entry will disable TLSv1.0 and TLSv1.1 on older Java 8 runtimes:
jdk.tls.disabledAlgorithms=SSL,SSLv2,SSLv3, TLSv1, TLSv1.1,MD5, SSLv3, DSA, RSA keySize < 2048
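
One way to audit a java.security file for the entry above, as an added example (not NetApp's code and not part of the original article). The function names and the second sample file are constructed for illustration; the check covers only what the file text names and does not query a running JVM.

```python
import re

# Protocols the article says the server should no longer accept.
LEGACY = ("TLSv1", "TLSv1.1")

# The entry quoted in the article, and a constructed sample that wraps the
# value with a backslash continuation and forgets TLSv1.
PAGE_ENTRY = ("jdk.tls.disabledAlgorithms=SSL,SSLv2,SSLv3, TLSv1, TLSv1.1,"
              "MD5, SSLv3, DSA, RSA keySize < 2048")
CONSTRUCTED_WEAK = r"""
# constructed sample, not from a real host
jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, RC4, \
    MD5withRSA, DH keySize < 1024
"""

def read_property(text, key):
    """Return the last value assigned to `key` in java.security-style text.

    Skips '#'/'!' comment lines and joins backslash-continued lines.
    """
    value, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):           # value continues on the next line
            pending += line[:-1]
            continue
        logical, pending = pending + line, ""
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", logical)
        if m and m.group(1) == key:
            value = m.group(2)            # a later assignment overrides
    return value

def legacy_tls_still_enabled(text):
    """List legacy protocols NOT named in jdk.tls.disabledAlgorithms."""
    value = read_property(text, "jdk.tls.disabledAlgorithms") or ""
    # Compare whole comma-separated entries: a substring test would let
    # "TLSv1.1" pass for "TLSv1" as well.
    entries = {e.strip() for e in value.split(",")}
    return [p for p in LEGACY if p not in entries]

if __name__ == "__main__":
    for name, text in (("page entry", PAGE_ENTRY), ("constructed", CONSTRUCTED_WEAK)):
        print(name, "-> not disabled:", legacy_tls_still_enabled(text) or "none")
```

To check a real installation, pass the contents of the JRE's lib/security/java.security file to `legacy_tls_still_enabled`.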

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.