This documentation is for WSO2 API Manager 1.7.0.
Fixing Security Vulnerabilities - API Manager 1.7.0 - WSO2 Documentation

A cipher is an algorithm for performing encryption or decryption. You can disable weak ciphers in the Tomcat server by modifying the ciphers attribute of the SSL Connector element in the catalina-server.xml file. Enter the ciphers that you want your server to support as a comma-separated list. By default, all ciphers, whether strong or weak, are enabled: if you do not add the ciphers attribute, or if you leave it blank, your server supports all SSL ciphers provided by JSSE, which enables the weak ciphers as well.

The steps below explain how to disable weak ciphers and enable strong ciphers in a product:

  1. Take a backup of the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file.
  2. Stop the server.
  3. Add the ciphers attribute to the existing Connector configuration in the catalina-server.xml file, with the list of ciphers that you want your server to support, as follows:

    ciphers="<cipher-name>,<cipher-name>"

    The code below shows how a connector looks after an example configuration is done:

     <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
                    port="9443"
                    bindOnInit="false"
                    sslProtocol="TLS"
                    maxHttpHeaderSize="8192"
                    acceptorThreadCount="2"
                    maxThreads="250"
                    minSpareThreads="50"
                    disableUploadTimeout="false"
                    enableLookups="false"
                    connectionUploadTimeout="120000"
                    maxKeepAliveRequests="200"
                    acceptCount="200"
                    server="WSO2 Carbon Server"
                    clientAuth="false"
                    compression="on"
                    scheme="https"
                    secure="true"
                    SSLEnabled="true"
                    compressionMinSize="2048"
                    noCompressionUserAgents="gozilla, traviata"
                    compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
                    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
                    keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
                    keystorePass="wso2carbon" 
                    URIEncoding="UTF-8"/>
  4. Save the catalina-server.xml file.

  5. Restart the server.
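
One way to check the result of these steps, as an added example that is not part of the WSO2 documentation: the script parses a catalina-server.xml and reports, for each SSL-enabled Connector, whether the ciphers attribute is missing or blank (all JSSE ciphers enabled, as described above) or lists suites whose names match weak-algorithm markers. The marker list, the function name `audit_connectors` and the sample XML are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Name fragments treated as weak by this example (an assumption; adjust to policy).
WEAK_MARKERS = ("_NULL_", "_anon_", "_EXPORT", "_RC4_", "_DES_", "_3DES_", "_MD5")

# Constructed sample: a trimmed catalina-server.xml with one HTTP and three HTTPS connectors.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="9763" scheme="http"/>
  <Connector port="9443" scheme="https" SSLEnabled="true"
             ciphers="SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA,
                      SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
  <Connector port="9444" scheme="https" SSLEnabled="true" ciphers=""/>
  <Connector port="9445" scheme="https" SSLEnabled="true"
             ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""


def audit_connectors(xml_text):
    """Return {port: {"status": ..., "weak": [...]}} for every SSL-enabled Connector."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no cipher list to audit
        port = conn.get("port")
        raw = conn.get("ciphers")
        # Line breaks inside an XML attribute arrive as spaces, so strip every name.
        names = [c.strip() for c in (raw or "").split(",") if c.strip()]
        if not names:
            # Missing or blank attribute: the server falls back to all JSSE ciphers.
            findings[port] = {"status": "all-jsse-ciphers", "weak": []}
            continue
        weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
        findings[port] = {"status": "weak-listed" if weak else "ok", "weak": weak}
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE).items():
        print(port, finding["status"], ", ".join(finding["weak"]))
```

To audit a real installation, pass the contents of <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml to `audit_connectors` instead of `SAMPLE`.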