The following procedure describes how to disable weak ciphers in CA WCC in SSL mode.
- Browsers that do not support secure encryption, and those that have secure encryption disabled, will be denied access to CA WCC.
- You can change the list of ciphers based on your requirements.
Follow these steps:
1. Open the server.xml file in a text editor.
WINDOWS:
%CA_WCC_INSTALL_LOCATION%\tomcat\conf\server.xml
UNIX:
$CA_WCC_INSTALL_LOCATION/tomcat/conf/server.xml
2. Locate the <Connector .../> XML element.
3. Insert the following attribute appropriate for your WCC version:
WCC 11.4 SP1+
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
WCC 11.3.6
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
The <Connector .../> XML element should display as follows:
NOTE: "..." stands for the other attributes of the element.
<Connector ... ... compression="on" keyPass="changeit" keyAlias="tomcat" compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript" server="WCC" ciphers="TLS_ECDHE_RSA_WITH_AES_...,…,…,…,…"/>
4. Restart the CA WCC services.
IMPORTANT: The ciphers attribute must be written as one contiguous line, up to and including the element closing tag (/>). Ensure that the cipher names are separated by commas only, with no spaces between them.
NOTE: The 256-bit AES ciphers can only be used when the JCE Unlimited Strength Jurisdiction Policy Files for the installed Java version (see the table below) are present.
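Before restarting the services it is worth checking the edited file mechanically, since a single stray space or a leftover weak suite is easy to miss in a line that long. The following Python script is an added example and is not part of the CA WCC documentation: it parses a server.xml, finds every Connector with SSLEnabled="true", and reports a missing ciphers attribute, whitespace inside the list, and suites built on algorithms that are considered weak today (RC4, DES/3DES, NULL, export-grade, anonymous key exchange, MD5). The embedded server.xml is a constructed sample with two deliberate defects, and the WEAK_MARKERS list is the example's own choice, not something the documentation defines. Note that the WCC 11.3.6 list above still contains two RC4 suites, which this check would flag.

```python
# Added example (not part of the CA WCC documentation): a static check of the
# ciphers attribute on SSL-enabled <Connector> elements in a Tomcat server.xml.
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml. The 8443 connector carries a cipher list with
# two deliberate defects: a space after a comma and an RC4 suite.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" server="WCC"
               keyAlias="tomcat" keyPass="changeit"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_RC4_128_SHA"/>
  </Service>
</Server>
"""

# Substrings of IANA suite names that mark a suite as weak (example's own
# list): RC4 (prohibited by RFC 7465), single DES and 3DES, NULL encryption,
# export-grade suites, anonymous key exchange and MD5-based MACs.
WEAK_MARKERS = ("RC4", "_DES_", "3DES", "_NULL_", "EXPORT", "_anon_", "_MD5")


def check_cipher_value(value):
    """Inspect one ciphers attribute value.

    Returns a dict with:
      suites     - the cipher names found, in order
      whitespace - True if the value contains any whitespace
      weak       - the subset of suites matching WEAK_MARKERS
    """
    result = {"suites": [], "whitespace": bool(re.search(r"\s", value)), "weak": []}
    for token in value.split(","):
        suite = token.strip()
        if not suite:
            continue  # tolerate a trailing comma
        result["suites"].append(suite)
        if any(marker in suite for marker in WEAK_MARKERS):
            result["weak"].append(suite)
    return result


def check_server_xml(xml_text):
    """Return one finding per SSL-enabled <Connector> in the document."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        # Plain HTTP connectors have no cipher list to check.
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        finding = {"port": conn.get("port"), "missing": False,
                   "suites": [], "whitespace": False, "weak": []}
        ciphers = conn.get("ciphers")
        if ciphers is None:
            # No restriction at all: the JVM default list applies.
            finding["missing"] = True
        else:
            finding.update(check_cipher_value(ciphers))
        findings.append(finding)
    return findings


def has_problems(xml_text):
    """True if any SSL connector lacks a list, has whitespace, or lists a weak suite."""
    return any(f["missing"] or f["whitespace"] or f["weak"]
               for f in check_server_xml(xml_text))


if __name__ == "__main__":
    for f in check_server_xml(SAMPLE_SERVER_XML):
        print("Connector port %s: %d suites" % (f["port"], len(f["suites"])))
        if f["missing"]:
            print("  no ciphers attribute (JVM defaults in effect)")
        if f["whitespace"]:
            print("  whitespace inside the ciphers value")
        for suite in f["weak"]:
            print("  weak suite: " + suite)
```

To run it against a real installation, replace SAMPLE_SERVER_XML with the contents of tomcat/conf/server.xml; the check is purely syntactic and does not replace the openssl verification described below, which confirms what the running JVM actually negotiates.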
Once the ciphers are applied and fully configured, they can be verified via the browser or with a current version of openssl. For example:
WCC 11.3.6
openssl s_client -connect <host>:8443 -tls1
…
… Cipher is AES256-SHA
WCC 11.4 SP1+
openssl s_client -connect <host>:8443 -tls1
…
… Cipher is DHE-RSA-AES256-SHA
To increase the size of the ephemeral Diffie-Hellman key used for key exchange, add the following Java parameter to <WorkloadCC>/tomcat/conf/wrapper.conf (use the next unused wrapper.java.additional index if 15 is already taken):
# Java Additional Parameters
…
wrapper.java.additional.15=-Djdk.tls.ephemeralDHKeySize=2048
This parameter only works with Java 8 or later.
To verify, run the following command using openssl 1.0.2 or later:
openssl s_client -connect <host>:8443 -cipher "EDH" | grep -ie "Server .* key"
NOTE: Advanced ciphers are not compatible with WCC versions prior to 11.3 or Java versions prior to 1.6.
This table is provided as a convenient reference to the Java and Tomcat versions shipped with each WCC version.

| WCC Version | Java Version | Tomcat Version | JCE Link |
|-------------|--------------|----------------|----------|
| 11.4 SP1+   | 1.8.0_31-b13 | 7.0.54.0       | JCE 8    |
| 11.3.6      | 1.7.0_17-b02 | 7.0.37.0       | JCE 7    |
| 11.3.5      | 1.6.0_33-b04 | 7.0.22.0       | JCE 6    |
| 11.3 SP1    | 1.6.0_45-b06 | 6.0.28.0       | JCE 6    |
| 11.1 SP4    | 1.5.0_13-b05 | 6.0.28.0       | n/a      |