The following procedure describes how to disable weak ciphers in the CA WAAE Web Server (AEWS).
NOTE:
- Browsers that do not support secure encryption, and those that have secure encryption disabled, will be denied access to CA AEWS.
- You can change the list of ciphers based on your requirements.
Follow these steps:
1. Open the server.xml file in a text editor.
WINDOWS:
%AUTOUSER%\webserver\conf\server.xml
UNIX:
$AUTOUSER/webserver/conf/server.xml
2. Locate the <Connector .../> XML element.
3. Add attribute:
sslEnabledProtocols=”TLSv1.2,TLSv1.1,TLSv1”
4. Insert the following attribute appropriate for your AE version:
AEWS 11.3.6 SP2
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA" |
AEWS 11.3.6
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" |
The <Connector .../> XML element should display as follows:
NOTE: "..." illustrates other attributes
<Connector port=”9443”... ... keyPass="changeit" maxThreads=”400” scheme=”https” secure=”true” clientAuth=”false” sslProtocol=”TLS” sslEnabledProtocols=”TLSv1.2,TLSv1.1,TLSv1” ciphers="TLS_ECDHE_RSA_WITH_AES_...,…,…,…,…"/> |
5. Restart the CA AEWS service.
IMPORTANT: The ciphers line is all one contiguous line including the element closing tag (/>). Ensure that each cipher is specified without any spaces in between.
NOTE: To be able to use the 256 bit AES Ciphers, the JCE Unlimited Strength Jurisdiction Policy Files appropriate to the Java version (see table below) must be installed (for improved security).
Once ciphers are applied and fully configured they can be verified via the browser or using a current version of openssl. For example:
AEWS 11.3.6 SP2
openssl s_client –connect <host>:9443 –tls1_2
…
… Cipher: ECDHE-RSA-AES256-GCM-SHA384
AEWS 11.3.6
openssl s_client –connect <host>:9443 –tls1_2
…
… Cipher: ECSHE-RSA-AES256-SHA384
To increase the public key size add the following Java parameter to:
WINDOWS:
%AUTOUSER%\webserver\conf\wrapper.conf
UNIX:
$AUTOUSER/webserver/conf/wrapper.conf
# Java Additional Parameters
…
wrapper.java.additional.9=-Djdk.tls.ephemeralDHKeySize=2048
This parameter only works with Java 8 or later.
To verify run the following command using openssl 1.0.2 or later:
openssl s_client –connect <host>:8443 –cipher “EDH” | grep –ie “Server .* key”
NOTE: Advanced ciphers are not compatible with AEWS/Java versions prior to 11.3.6/1.7.
This table is provided as a convenient reference to Java and Tomcat versions shipped with AEWS.
AE Version | Java Version | Tomcat Version |
11.3.6 SP2 | 1.8.0_45-b14 | 8.0.22.0 |
11.3.6 | 1.7.0_17-b02 | 7.0.37.0 |