This documentation is for WSO2 Carbon 4.2.0. View documentation for the latest release.
Page Comparison - Configuring Transport Level Security (v.4 vs v.5) - Carbon 4.2.0 - WSO2 Documentation

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

You can disable the weak ciphers in the Tomcat server by modifying  cipher  attribute in SSL Connector container in the  catalina-server.xml  file by entering the ciphers that you want your server to support  in a comma-separated list. However, if you do not add the  cipher  attribute or keep it blank, all SSL ciphers by JSSE will be supported by your server, and thereby your ciphers will be weak and vulnerable. 

 To disable weak ciphers in a Carbon server:  

  1. Locate the catalina-server.xml file in the <CARBON_HOME>/repository/conf/tomcat directory.
  2. Take a backup of catalina-server.xml file.
  3. Stop the Carbon server.
  4. Add the cipher attribute to the existing configuration, in the catalina-server.xml file with the list of ciphers that you want your server to support.

    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128
    _CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_
    3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

    For example, once you have   completed the configuration your connector will look as follows:

    Code Block
     <Connector  protocol="org.apache.coyote.http11.Http11NioProtocol"
                    port="9443"
                    bindOnInit="false"
                    sslProtocol="TLS"
                    maxHttpHeaderSize="8192"
                    acceptorThreadCount="2"
                    maxThreads="250"
                    minSpareThreads="50"
                    disableUploadTimeout="false"
                    enableLookups="false"
                    connectionUploadTimeout="120000"
                    maxKeepAliveRequests="200"
                    acceptCount="200"
                    server="WSO2 Carbon Server"
                    clientAuth="false"
                    compression="on"
                    scheme="https"
                    secure="true"
                    SSLEnabled="true"
                    compressionMinSize="2048"
                    noCompressionUserAgents="gozilla, traviata"
                    compressableMimeType="text/html,text/javascript,application/x-        
                    javascript,application/javascript,application/xml,text/css,application/xslt+xml,
                    text/xsl,image/gif,image/jpg,image/jpeg"
                    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_
                    CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_
                    WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" 
                    keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
                    keystorePass="wso2carbon" 
                    URIEncoding="UTF-8"/>
  5. Save the catalina-server.xml file.
  6. Restart the Carbon server.