Versions Compared

Old Version 2

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The transport level security protocol of the Tomcat server is configured in the <PRODUCT_HOME>/conf/tomcat/catalina-server.xml file. Note that the ssLprotocol attribute is set to "TLS" by default. 
See the following topics for detailed configuration options:

...

  1. Open the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file. 
  2. Make a backup of the catalina-server.xml file and stop the Carbon server.

  3. Find the Connector configuration corresponding to TLS (usually, this connector has the port set to 9443 and the sslProtocol as TLS). Remove the sslProtocol="TLS" attribute from the above configuration  attribute and replace it with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" as shown below.

    Code Block
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
                port="9443"
                bindOnInit="false"
                sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 

  4. Start the server.

    Note

    In some Carbon products, such as WSO2 ESB and WSO2 API Manager, pass-thru transports are enabled. Therefore, to disable SSL in such products, the axis2.xml file stored in the <PRODUCT_HOME>/repository/conf/axis2/ directory should also be configured.

...

  1. Open the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file.
  2. Make a backup of the catalina-server.xml  file and stop the WSO2 product server.

  3. Add the cipher  attribute to the existing configuration in the catalina-server.xml  file by adding the list of ciphers that you want your server to support as follows: ciphers="<cipher-name>,<cipher-name>". For example,

    Code Block
    For Tomcat version 7.0.59 and JDK version 1.7:
ciphers="SSLTLS_RSAECDHE_WITH_RC4_128_MD5,SSL_RSA_ECDSA_WITH_RC4AES_128_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,
         SSL_DHESHA256,TLS_ECDHE_RSA_WITH_3DESAES_EDE128_CBC_SHASHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHASHA256,TLS_DHEECDHE_RSAECDSA_WITH_AES_128_CBC_SHA,
         TLS_ECDHE_RSA_WITH_AES_256128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256128_CBC_SHA"  

For Tomcat version 7.0.59 and JDK version 1.8:
ciphers="SSLTLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4AES_128_CBC_MD5SHA256,SSLTLS_DHE_RSA_WITH_RC4_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256128_CBC_SHA" ,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
  4. Start the server.

  5. To verify that the configurations are all set correctly, download and run the TestSSLServer.jar.

    Code Block
    $ java -jar TestSSLServer.jar localhost 9443
  6. Note that in the output that you get, the section "Supported cipher suites" does not contain any export ciphers.

Firefox 39.0 onwards does not allow to access Web sites that support DHE with keys less than 1023 bits (not just DHE_EXPORT). 768/1024 bits are considered to be too small and vulnerable to attacks if the hacker has enough computing resources. 

Tip

Tip: To use AES-256, the Java JCE Unlimited Strength Jurisdiction Policy files need to be installed. Downloaded them from http://www.oracle.com/technetwork/java/javase/downloads/index.html.

Tip

Tip: From Java 7, you must set the jdk.certpath.disabledAlgorithms property in the <JAVA_HOME>/jre/lib/security/java.security file to jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048. It rejects all algorithms that have key sizes less than 2048 for MD2, DSA and RSA.

Note

Note that is tip is not applicable when you are disabling weak ciphers in WSO2 Identity Server.