AEWS: Disable Weak Ciphers

Document created by Mark_Hanson Employee on Oct 16, 2015
Version 1Show Document
  • View in full screen mode

The following procedure describes how to disable weak ciphers in the CA WAAE Web Server (AEWS).

 

NOTE:

  • Browsers that do not support secure encryption, and those that have secure encryption disabled, will be denied access to CA AEWS.
  • You can change the list of ciphers based on your requirements.

 

Follow these steps:

1. Open the server.xml file in a text editor.

WINDOWS:

%AUTOUSER%\webserver\conf\server.xml

UNIX:

$AUTOUSER/webserver/conf/server.xml

2. Locate the <Connector .../> XML element.

3. Add attribute:

sslEnabledProtocols=”TLSv1.2,TLSv1.1,TLSv1”

4. Insert the following attribute appropriate for your AE version:

 

AEWS 11.3.6 SP2

ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,

TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,

TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,

TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,

TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"

 

AEWS 11.3.6

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,

TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,

TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,

TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

 

        The <Connector .../> XML element should display as follows:

        NOTE: "..." illustrates other attributes

<Connector port=”9443”...

...

keyPass="changeit"

maxThreads=”400” scheme=”https” secure=”true”

clientAuth=”false” sslProtocol=”TLS”

sslEnabledProtocols=”TLSv1.2,TLSv1.1,TLSv1”

ciphers="TLS_ECDHE_RSA_WITH_AES_...,…,…,…,…"/>

 

5. Restart the CA AEWS service.


IMPORTANT: The ciphers line is all one contiguous line including the element closing tag (/>). Ensure that each cipher is specified without any spaces in between.

NOTE: To be able to use the 256 bit AES Ciphers, the JCE Unlimited Strength Jurisdiction Policy Files appropriate to the Java version (see table below) must be installed (for improved security).

 

Once ciphers are applied and fully configured they can be verified via the browser or using a current version of openssl. For example:

 

AEWS 11.3.6 SP2

openssl s_client –connect <host>:9443 –tls1_2

… Cipher: ECDHE-RSA-AES256-GCM-SHA384

 

AEWS 11.3.6

openssl s_client –connect <host>:9443 –tls1_2

… Cipher: ECSHE-RSA-AES256-SHA384

 

To increase the public key size add the following Java parameter to:

WINDOWS:

%AUTOUSER%\webserver\conf\wrapper.conf

UNIX:

$AUTOUSER/webserver/conf/wrapper.conf

 

# Java Additional Parameters

wrapper.java.additional.9=-Djdk.tls.ephemeralDHKeySize=2048

 

This parameter only works with Java 8 or later.

To verify run the following command using openssl 1.0.2 or later:

openssl s_client –connect <host>:8443 –cipher “EDH” | grep –ie “Server .* key”



NOTE: Advanced ciphers are not compatible with AEWS/Java versions prior to 11.3.6/1.7.

 

This table is provided as a convenient reference to Java and Tomcat versions shipped with AEWS.

 

AE Version

Java Version

Tomcat Version

11.3.6 SP2

1.8.0_45-b14

8.0.22.0

11.3.61.7.0_17-b027.0.37.0
1 person found this helpful

Attachments

    Outcomes