Voina Blog (a tech warrior's blog)

Disable SSL3 in GlassFish


SSL3 raises serious, well-known security concerns, so many security audits require it to be disabled in every application exposed through a web GUI.

Disabling SSL3 can be done via the admin console.

First, SSL3 is disabled individually on each HTTP listener of your domain; the listeners are found in the Configurations tree.

Follow the menu:
Configurations → server-config → HTTP Service → Http Listeners

For each of the defined listeners, select the SSL tab, uncheck the SSL3 option, then press the Save button.

Second, SSL3 is disabled individually on each IIOP listener of your domain; these listeners are also found in the Configurations tree.

Follow the menu:
Configurations → server-config → ORB → IIOP Listeners

For each of the defined listeners, select the SSL tab, uncheck the SSL3 option, then press the Save button.

Note that the same SSL tab also lets us enable or disable the ciphers used for secure connections. Some ciphers may have been declared unsafe, or may not meet the requirements of internal security policies. In that case, this is where we select only the ciphers we want to allow.

Note: In some versions of GlassFish the admin console corrupts the IIOP configuration, and at start-up the application server fails with an exception like the following:

... 38 more
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: Invalid iiop-listener orb-listener-1. Lazy-init not supported for SSL iiop-listeners
at org.glassfish.enterprise.iiop.impl.GlassFishORBManager.initORB(GlassFishORBManager.java:622)
at org.glassfish.enterprise.iiop.impl.GlassFishORBManager.getORB(GlassFishORBManager.java:263)
at org.glassfish.enterprise.iiop.impl.GlassFishORBFactoryImpl.createORB(GlassFishORBFactoryImpl.java:93)
at org.glassfish.enterprise.iiop.api.GlassFishORBHelper.getORB(GlassFishORBHelper.java:152)
... 40 more
Caused by: java.lang.IllegalStateException: Invalid iiop-listener orb-listener-1. Lazy-init not supported for SSL iiop-listeners
at org.glassfish.enterprise.iiop.impl.GlassFishORBManager.validateIiopListeners(GlassFishORBManager.java:758)
at org.glassfish.enterprise.iiop.impl.GlassFishORBManager.initORB(GlassFishORBManager.java:504)
... 43 more
|#]

To resolve this issue, edit the domain configuration file:
/opt/glassfish3/glassfish/domains/appdomain/config/domain.xml

Search for the keyword “lazy-init”.

You will find an XML block similar to the following:

          
 

Delete the ssl tag so the block looks like this:

<iiop-listener port="7022" id="orb-listener-1" address="0.0.0.0" lazy-init="true">
</iiop-listener>

Save the changes and restart the domain.
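
As an added example (not code from the original post), the following Python script audits a domain.xml for the two conditions discussed above: SSL listeners where SSL3 is not explicitly disabled, and lazy-init IIOP listeners that still carry an ssl element, which is the state behind the start-up exception. The sample XML is constructed, and treating a missing ssl3-enabled attribute as "enabled" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a GlassFish 3 domain.xml; not taken from the post.
SAMPLE_DOMAIN_XML = """
<domain>
  <config name="server-config">
    <network-config>
      <protocols>
        <protocol name="http-listener-2" security-enabled="true">
          <ssl ssl3-enabled="false" cert-nickname="s1as"/>
        </protocol>
        <protocol name="sec-admin-listener" security-enabled="true">
          <ssl cert-nickname="s1as"/>
        </protocol>
      </protocols>
    </network-config>
    <iiop-service>
      <iiop-listener port="7022" id="orb-listener-1" address="0.0.0.0" lazy-init="true">
        <ssl ssl3-enabled="false"/>
      </iiop-listener>
      <iiop-listener port="3820" id="SSL" address="0.0.0.0" security-enabled="true">
        <ssl ssl3-enabled="true" cert-nickname="s1as"/>
      </iiop-listener>
    </iiop-service>
  </config>
</domain>
"""

def audit_domain_xml(xml_text):
    """Return (listeners with SSL3 still on, lazy-init IIOP listeners with <ssl>)."""
    root = ET.fromstring(xml_text)
    ssl3_on, lazy_ssl = [], []
    for parent in list(root.iter("protocol")) + list(root.iter("iiop-listener")):
        ssl = parent.find("ssl")
        if ssl is None:
            continue  # no SSL block on this listener, nothing to check
        name = parent.get("name") or parent.get("id")
        # Assumption: an absent ssl3-enabled attribute means SSL3 is still enabled.
        if ssl.get("ssl3-enabled", "true").lower() != "false":
            ssl3_on.append(name)
        # The state behind "Lazy-init not supported for SSL iiop-listeners".
        if parent.tag == "iiop-listener" and parent.get("lazy-init") == "true":
            lazy_ssl.append(name)
    return ssl3_on, lazy_ssl

if __name__ == "__main__":
    ssl3_on, lazy_ssl = audit_domain_xml(SAMPLE_DOMAIN_XML)
    print("SSL3 still enabled on:", ssl3_on)
    print("lazy-init IIOP listeners carrying an <ssl> element:", lazy_ssl)
```

To check a real domain, pass the contents of the domain.xml file to audit_domain_xml instead of the sample string; both lists should come back empty after the changes above and a restart.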
