Disable SSL3 in GlassFish

By | May 26, 2017

As is well known, there are serious security concerns about the use of SSL3, so many security audits demand that it be disabled in every application exposed through a web GUI.

Disabling SSL3 can be done via the admin console.

First, SSL3 is disabled individually on each HTTP listener of your domain; the listeners are found in the Configurations tree.

Follow the menu:
Configurations → server-config → HTTP Service → Http Listeners

For each of the defined listeners, select the SSL tab, un-check the SSL3 option, then press the Save button.

[Screenshot: gfsec1]

Second, SSL3 is disabled individually on each IIOP listener of your domain; these are also found in the Configurations tree.

Follow the menu:
Configurations → server-config → ORB → IIOP Listeners

For each of the defined listeners, select the SSL tab, un-check the SSL3 option, then press the Save button.

[Screenshot: gfsec2]

Note that under the same menu we can also enable or disable the ciphers used for the secure connections. Some ciphers may have been declared unsafe, or may not meet the requirements of the internal security policy; if so, here we can choose exactly which ciphers are used.

Note: For some versions of GlassFish the admin console corrupts the IIOP configuration, and at start-up the application server complains with an exception like the following:

... 38 more
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: Invalid iiop-listener orb-listener-1. Lazy-init not supported for SSL iiop-listeners
at org.glassfish.enterprise.iiop.impl.GlassFishORBManager.initORB(GlassFishORBManager.java:622)
at org.glassfish.enterprise.iiop.impl.GlassFishORBManager.getORB(GlassFishORBManager.java:263)
at org.glassfish.enterprise.iiop.impl.GlassFishORBFactoryImpl.createORB(GlassFishORBFactoryImpl.java:93)
at org.glassfish.enterprise.iiop.api.GlassFishORBHelper.getORB(GlassFishORBHelper.java:152)
... 40 more
Caused by: java.lang.IllegalStateException: Invalid iiop-listener orb-listener-1. Lazy-init not supported for SSL iiop-listeners
at org.glassfish.enterprise.iiop.impl.GlassFishORBManager.validateIiopListeners(GlassFishORBManager.java:758)
at org.glassfish.enterprise.iiop.impl.GlassFishORBManager.initORB(GlassFishORBManager.java:504)
... 43 more
|#]

To resolve this issue, edit the domain configuration file:
/opt/glassfish3/glassfish/domains/appdomain/config/domain.xml

Search for the keyword “lazy-init”.

You will find an XML block similar to the following:


Delete the ssl tag so the block looks like this:

<iiop-listener port="7022" id="orb-listener-1" address="0.0.0.0" lazy-init="true">
</iiop-listener>

Save the changes and restart the domain.
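As an added example (not from the original post), here is a small Python check that reads a domain.xml and reports every listener whose <ssl> element still accepts SSL3, plus any lazy-init IIOP listener that still carries an <ssl> child, which is exactly the state the exception above complains about; it can also rewrite the file with SSL3 turned off. The sample domain.xml is constructed, and the ssl3-enabled and lazy-init attribute names, along with SSL3 defaulting to enabled when the attribute is absent, are assumptions about GlassFish 3's domain.xml format.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain.xml: an HTTPS protocol with SSL3 still on and a
# lazy-init IIOP listener that still carries an <ssl> child (the broken state).
SAMPLE_DOMAIN_XML = """<domain><configs><config name="server-config">
  <network-config><protocols>
    <protocol security-enabled="true" name="http-listener-2">
      <http default-virtual-server="server"/>
      <ssl cert-nickname="s1as" ssl3-enabled="true"/>
    </protocol>
  </protocols></network-config>
  <iiop-service>
    <iiop-listener port="7022" id="orb-listener-1" address="0.0.0.0" lazy-init="true">
      <ssl cert-nickname="s1as"/>
    </iiop-listener>
  </iiop-service>
</config></configs></domain>"""


def audit(xml_text):
    """Return (ssl3_ids, lazy_ssl_ids).

    ssl3_ids: protocols/listeners whose <ssl> still accepts SSL3.
    lazy_ssl_ids: iiop-listeners that are lazy-init yet keep an <ssl> child,
    the combination GlassFish rejects at ORB start-up.
    """
    root = ET.fromstring(xml_text)
    ssl3_ids, lazy_ssl_ids = [], []
    for parent in root.iter():
        ssl = parent.find("ssl")  # direct <ssl> child only
        if ssl is None:
            continue
        ident = parent.get("name") or parent.get("id")
        # Assumption: GlassFish treats a missing ssl3-enabled as "true".
        if ssl.get("ssl3-enabled", "true").lower() != "false":
            ssl3_ids.append(ident)
        if parent.tag == "iiop-listener" and parent.get("lazy-init") == "true":
            lazy_ssl_ids.append(ident)
    return ssl3_ids, lazy_ssl_ids


def disable_ssl3(xml_text):
    """Return the configuration with ssl3-enabled="false" on every <ssl>,
    which is assumed to be what the admin console's SSL3 checkbox toggles."""
    root = ET.fromstring(xml_text)
    for ssl in root.iter("ssl"):
        ssl.set("ssl3-enabled", "false")
    return ET.tostring(root, encoding="unicode")
```

Run audit() again on the output of disable_ssl3(): the SSL3 list empties, but the lazy-init IIOP listener is still reported until its <ssl> child is removed as described above.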
