Enable TLS to replace deprecated SSL protocols

If your security guidelines require the use of new TLS security protocols in place of the deprecated SSL protocols, you need to enable TLS in Windows.

Incoming connections

Service Virtualization uses Microsoft IIS and the related HTTP listener for the implementation of the Service Virtualization HTTP(S) Gateway agent, the REST management service, and Service Virtualization Management.

By default, IIS and the HTTP listener support the security protocols SSL 2.0 and 3.0 for incoming connections. These protocols are no longer considered secure, and have been superseded by the TLS 1.1 and TLS 1.2 protocols.

IIS and the HTTP listener also support TLS 1.1 and 1.2, but TLS is not enabled in most Windows versions by default. If your security guidelines require the use of new security protocols, you need to enable TLS in Windows.

Note:

  • Enabling TLS improves security settings but may prevent some older clients or services from connecting to Service Virtualization.
  • This change impacts all applications and users using the IIS service on the machine — not only Service Virtualization.

To update the system registry to use TLS instead of SSL:

  1. Run the following script provided by Service Virtualization: setUseTLSInsteadOfSSL.bat, located in the ConfigurationTools subfolder of the Service Virtualization Server or Designer installation folder. This script backs up the relevant part of the system registry to your %USERPROFILE% folder and updates the system registry to use TLS instead of SSL.
  2. Restart the computer to apply changes.

Outgoing connections

Outgoing (client) connections from Service Virtualization are not restricted to using TLS by default. Enforcing the use of the TLS security protocol for outgoing connections may prevent Service Virtualization from connecting to older real services that are being virtualized, and is therefore not recommended.

You can modify the set of enabled security protocols used by Service Virtualization for outgoing connections by modifying the following entries in the application configuration files. The default values are:

<add key="SV.Https.Client.UseSsl3" value="True" />

<add key="SV.Https.Client.UseTls10" value="True" />

<add key="SV.Https.Client.UseTls11" value="True" />

<add key="SV.Https.Client.UseTls12" value="True" />

By default, the configuration files are located in the following locations:

  • Service Virtualization Server configuration file: C:\Program Files\HPE\HPE Service Virtualization Server\Server\bin\HP.SV.StandaloneServer.exe.config.

  • Designer configuration file: C:\Program Files\HPE\HPE Service Virtualization Designer\Designer\bin\VirtualServiceDesigner.exe.config.

The list of enabled security protocols can also be restricted on the system level, by modification of the registry keys under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

If any security protocol is disabled in the system, it is not possible to use it regardless of the Service Virtualization settings.

For more details about management of security protocols: https://support.microsoft.com/en-us/kb/245030.
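
The following read-only PowerShell audit is an added example, not a script shipped with Service Virtualization. It lists the system-level SCHANNEL state for each protocol next to the SV.Https.Client.* values from the Server configuration file, so you can see where a system-level setting overrides the application setting. It assumes the Server and Client subkeys with an Enabled DWORD value described in the Microsoft article above, and the default Server configuration path given on this page.

```powershell
# Added example (read-only): SCHANNEL protocol state next to the SV client keys.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# Server config path as given on this page; adjust for a non-default install.
$config = 'C:\Program Files\HPE\HPE Service Virtualization Server\Server\bin\HP.SV.StandaloneServer.exe.config'

# SCHANNEL protocol subkey -> SV config key from this page (SSL 2.0 has no SV key).
$map = [ordered]@{
    'SSL 2.0' = $null
    'SSL 3.0' = 'SV.Https.Client.UseSsl3'
    'TLS 1.0' = 'SV.Https.Client.UseTls10'
    'TLS 1.1' = 'SV.Https.Client.UseTls11'
    'TLS 1.2' = 'SV.Https.Client.UseTls12'
}

function Get-SchannelState([string]$Protocol, [string]$Role) {
    # Assumption: <Protocol>\<Role>\Enabled (DWORD), 0 = disabled, non-zero = enabled.
    $p = Get-ItemProperty -Path (Join-Path $root "$Protocol\$Role") -ErrorAction SilentlyContinue
    # A missing key or value means no explicit setting; the Windows default applies.
    if ($null -eq $p -or $null -eq $p.PSObject.Properties['Enabled']) { return 'OS default' }
    if ($p.Enabled -ne 0) { 'Enabled' } else { 'Disabled' }
}

# Collect the SV.Https.Client.Use* entries wherever they sit in the config file.
$sv = @{}
if (Test-Path -LiteralPath $config) {
    $xml = [xml](Get-Content -LiteralPath $config -Raw)
    foreach ($n in $xml.SelectNodes("//add[starts-with(@key,'SV.Https.Client.Use')]")) {
        $sv[$n.GetAttribute('key')] = $n.GetAttribute('value')
    }
}

$rows = foreach ($proto in $map.Keys) {
    $svKey = $map[$proto]
    [pscustomobject]@{
        Protocol       = $proto
        SchannelServer = Get-SchannelState $proto 'Server'   # incoming (IIS / HTTP listener)
        SchannelClient = Get-SchannelState $proto 'Client'   # outgoing connections
        SVClientValue  = if ($svKey -and $sv.ContainsKey($svKey)) { $sv[$svKey] } else { 'not set' }
    }
}
$rows | Format-Table -AutoSize
```

A protocol reported as Disabled in the SchannelClient column cannot be used for outgoing connections even when its SVClientValue is True.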