Replicate on Centos 7 - Disabling Secure Renegotiation
I've already raised a ticket (2..) around this so just looking for some more informal discussion around this scenario and potential fixes.
We run Replicate (220.127.116.114 atm but upgrade coming shortly) on Centos 7 in a bespoke docker built container. We interact with Replicate via the Linux UI from windows machines. Installing the UI on a Windows Machine (or QEM) is not an option at the moment.
Support suggest we disable Secure Renegotiation via the OS properties but I am struggling to see how. If we exclude the options of using a different OS (Centos 7 supports TLS 1.2 / OpenSSL 1.0.1 only) I believe we can only achieve this by disabling it in the java system properties.
However, the only process that is running (outside of the entrypoint start_replicate.sh) is repctl. I can't actually see java running at all, so I can only presume that anything related to java is actually compiled within repctl.
What this also means is I can't truly understand how I would pass any options to affect java use by repctl within the container.
I've tried changing the two java.security files that I can see, one being under the replicate installation path (opt/attunity/replicate/jvm/conf/security/java.security), and the other under the standard java installation path (/usr/lib/jvm/java-11-openjdk-18.104.22.168.9-1.el7_9.x86_64/conf/security/java.security). I've added jdk.tls.rejectClientInitiatedRenegotiation=true to both these files as part of my image build, so that when repctl is actually started these options already exist.
I've also tried setting the env JAVA_OPTS to include -Djdk.tls.rejectClientInitiatedRenegotiation=true, as well as passing this value as part of the call to start repctl.
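An added example, not from the original post and not Qlik/Attunity code, that audits the three places the post tries (java.security, JAVA_OPTS, the -D system property) for jdk.tls.rejectClientInitiatedRenegotiation. Two points it encodes: JSSE reads this setting as a Java *system* property (a -D option), so an entry in java.security is not consulted for it; and the JVM itself only reads JAVA_TOOL_OPTIONS, while JAVA_OPTS is a convention honoured only by launcher scripts that forward it. The java.security fragment and environment values below are constructed samples; the function and variable names are this example's own.

```python
import shlex

# JSSE system property that makes a TLS server reject client-initiated renegotiation
PROPERTY = "jdk.tls.rejectClientInitiatedRenegotiation"


def parse_properties(text):
    """Parse Java .properties / java.security syntax: '#' or '!' comment lines,
    key=value / key:value / key value, and backslash line continuations.
    Later keys override earlier ones, as the JDK loader does."""
    props = {}
    logical = []
    for raw in text.splitlines():
        line = raw.lstrip()
        if logical:                      # continuation of the previous logical line
            logical.append(line)
        elif not line or line[0] in "#!":
            continue                     # blank or comment: a commented-out key must not count
        else:
            logical.append(line)
        if line.endswith("\\"):
            logical[-1] = logical[-1][:-1]
            continue
        joined = "".join(logical)
        logical = []
        for i, ch in enumerate(joined):
            if ch in "=: \t":
                key, value = joined[:i], joined[i + 1:].lstrip(" \t=:")
                break
        else:
            key, value = joined, ""
        props[key.strip()] = value.strip()
    return props


def system_props_from_opts(opts):
    """Extract -Dname=value pairs from a JVM option string; the last one wins."""
    found = {}
    for tok in shlex.split(opts or ""):
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            found[name] = value
    return found


def audit_renegotiation(env, java_security_text):
    """Return (effective, findings): whether the property will actually reach
    JSSE, plus a human-readable reason for each place it was found or missing."""
    findings = []
    tool = system_props_from_opts(env.get("JAVA_TOOL_OPTIONS"))
    opts = system_props_from_opts(env.get("JAVA_OPTS"))
    sec = parse_properties(java_security_text)

    effective = tool.get(PROPERTY) == "true"
    if effective:
        findings.append("effective: set via JAVA_TOOL_OPTIONS, which the JVM reads itself")
    elif opts.get(PROPERTY) == "true":
        findings.append("conditional: only in JAVA_OPTS; the JVM ignores it unless the "
                        "launcher script forwards it to the java command line")
    else:
        findings.append("missing: no -D%s=true in JAVA_TOOL_OPTIONS or JAVA_OPTS" % PROPERTY)

    if sec.get(PROPERTY) == "true":
        findings.append("ineffective: %s is in java.security, but JSSE reads it as a "
                        "system property, not a security property" % PROPERTY)
    return effective, findings


# Constructed sample java.security fragment (not the real file from either path in the post)
SAMPLE_JAVA_SECURITY = """\
# java.security (constructed sample)
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
# jdk.tls.rejectClientInitiatedRenegotiation=true   <- commented out, must not count
jdk.tls.rejectClientInitiatedRenegotiation = true
"""

if __name__ == "__main__":
    # Constructed environment mirroring the post: property in JAVA_OPTS only
    sample_env = {"JAVA_OPTS": "-D%s=true" % PROPERTY, "JAVA_TOOL_OPTIONS": "-Xmx512m"}
    ok, notes = audit_renegotiation(sample_env, SAMPLE_JAVA_SECURITY)
    print("effective:", ok)
    for note in notes:
        print(" -", note)
```

Run it inside the container image (or against the same env and file contents you bake in at build time) to see which of the settings actually takes effect; the JAVA_TOOL_OPTIONS route applies to a JVM that a native binary creates in-process, which matches the post's observation that no separate java process is visible.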
As Steve indicates, the support case is probably the most solid road to useful statement for your security team.