WCC: Disable Weak Ciphers in SSL Mode

Document created by Mark_Hanson (Employee) on Mar 6, 2015. Last modified by Mark_Hanson (Employee) on Mar 31, 2017. Version 10.

The following procedure describes how to disable weak ciphers in CA WCC in SSL mode.

Note:

  • Browsers that do not support secure encryption, and those that have secure encryption disabled, will be denied access to CA WCC.
  • You can change the list of ciphers based on your requirements.

Follow these steps:

1. Open the server.xml file in a text editor.

WINDOWS:

%CA_WCC_INSTALL_LOCATION%\tomcat\conf\server.xml

UNIX:

$CA_WCC_INSTALL_LOCATION/tomcat/conf/server.xml

2. Locate the <Connector .../> XML element.

3. Insert the following attribute appropriate for your WCC version:

WCC 11.4 SP1+

ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"

WCC 11.3.6

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

The <Connector .../> XML element should then look as follows (NOTE: "..." stands for the other attributes):

<Connector ...
    ...
    compression="on"
    keyPass="changeit"
    keyAlias="tomcat"
    compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript"
    server="WCC"
    ciphers="TLS_ECDHE_RSA_WITH_AES_...,…,…,…,…"/>

4. Restart the CA WCC services.

IMPORTANT: The ciphers attribute is all one contiguous line, including the element closing tag (/>). Ensure that each cipher is specified without any spaces in between.

NOTE: To use the 256-bit AES cipher suites, the JCE Unlimited Strength Jurisdiction Policy Files for the installed Java version (see the table below) must be installed.
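As an added configuration check (not part of the original article), the following Python script parses server.xml, finds the SSL-enabled Connector and audits its ciphers attribute: it flags whitespace between suite names (the attribute must be contiguous), flags suites now considered weak (RC4, which still appears in the 11.3.6 list above, plus NULL, DES/3DES, export, MD5 and anonymous suites), and reports whether any forward-secret ECDHE/DHE suite is enabled. The sample XML and the weak-suite markers are constructed for this example, not taken from a WCC installation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the WCC server.xml above, with a stray space and two RC4 suites to catch.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
      keyAlias="tomcat" server="WCC"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_SHA"/>
  </Service>
</Server>"""

# Substrings that mark a suite as weak (assumed policy for this example).
WEAK_MARKERS = ("RC4", "_NULL_", "_DES_", "3DES", "EXPORT", "MD5", "ANON")

def classify(cipher):
    """Return 'weak', 'preferred' (AEAD/GCM) or 'acceptable' for one suite name."""
    name = cipher.upper()
    if any(marker in name for marker in WEAK_MARKERS):
        return "weak"
    return "preferred" if "_GCM_" in name else "acceptable"

def audit_ciphers(attr_value):
    """Return (problems, {suite: class}) for the raw value of a ciphers attribute."""
    problems = []
    if re.search(r"\s", attr_value):
        problems.append("whitespace inside the ciphers attribute; the list must be contiguous")
    suites = [c.strip() for c in attr_value.split(",") if c.strip()]
    classes = {s: classify(s) for s in suites}
    problems += [f"weak cipher suite enabled: {s}" for s, k in classes.items() if k == "weak"]
    if not any(s.startswith(("TLS_ECDHE_", "TLS_DHE_")) for s in suites):
        problems.append("no forward-secret (ECDHE/DHE) suites enabled")
    return problems, classes

def audit_server_xml(xml_text):
    """Map each SSL-enabled Connector's port to its (problems, classes) audit result."""
    results = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: no TLS cipher list to audit
        value = conn.get("ciphers")
        if value is None:
            results[conn.get("port")] = (["no ciphers attribute: JSSE defaults apply"], {})
        else:
            results[conn.get("port")] = audit_ciphers(value)
    return results

if __name__ == "__main__":
    print(audit_server_xml(SAMPLE_SERVER_XML))
```

Point audit_server_xml at the real file contents after editing, and re-run it after every change to the ciphers attribute.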

Once the ciphers are applied and fully configured, they can be verified via the browser or with a current version of openssl. For example:

WCC 11.3.6

openssl s_client -connect <host>:8443 -tls1
… Cipher is AES256-SHA

WCC 11.4 SP1+

openssl s_client -connect <host>:8443 -tls1
… Cipher is DHE-RSA-AES256-SHA

To increase the ephemeral Diffie-Hellman public key size, add the following Java parameter to <WorkloadCC>/tomcat/conf/wrapper.conf:

# Java Additional Parameters
wrapper.java.additional.15=-Djdk.tls.ephemeralDHKeySize=2048

This parameter only works with Java 8 or later.

To verify, run the following command using openssl 1.0.2 or later:

openssl s_client -connect <host>:8443 -cipher "EDH" | grep -ie "Server .* key"

NOTE: Advanced ciphers are not compatible with WCC / Java versions prior to 11.3 / 1.6.

This table is provided as a convenient reference to the Java and Tomcat versions shipped with WCC.

WCC Version    Java Version    Tomcat Version    JCE Link
11.4 SP1+      1.8.0_31-b13    7.0.54.0          JCE 8
11.3.6         1.7.0_17-b02    7.0.37.0          JCE 7
11.3.5         1.6.0_33-b04    7.0.22.0          JCE 6
11.3 SP1       1.6.0_45-b06    6.0.28.0          JCE 6
11.1 SP4       1.5.0_13-b05    6.0.28.0          n/a