The transport-level security protocol of the Tomcat server is configured in the
<PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file. By default, "TLS" is configured as the SSL protocol for HTTPS communication , by setting the sslProtocol="TLS" attribute in the catalinathe
xml file. Specifying TLS as the SSL protocol means ensures that all TLS versions, as well as SSL protocol versions, are supported. However, due to the Poodle Attack, it is necessary to make sure that only TLS protocol versions are enabled.
Note that , in some WSO2 products, such as WSO2 Enterprise Integrator (ESB profile) and WSO2 API Manager, pass-thru transports are enabled. Therefore, to disable SSL in such products, the
axis2.xml file stored in the
<PRODUCT_HOME>/repository/conf/axis2/ directory should also be configured.
Add the following configurations in the
<CARBON_SERVER>/repository/conf/identity/thrift-authentication.xmlfile as sub-elements of the root
Tip: You can also add the following additional cipher suites to the
<Ciphers>property if JCE Unlimited Strength Jurisdiction Policy is enabled in Java.
If you wish to remove
TLSv1.1, you can do so by removing them as values from the
Restart the server.
The TLS protocol is set to TLSv1.0 (by default), in WSO2 products running on JDK 1.7. You cannot configure this using the catalinathe
server.xml file or the
axis2.xml file as we do with products based on JDK 1.7. Therefore, you need to enable TLSv1.1 and TLSv1.2 globally , by setting a system property.
- Download the following JARsartifacts:
- Copy the
-socket-factory-provider-1.0.0.jarfile to the
- Copy the
wso2-ssl-securityfile to the
Open the product startup script (
wso2server.shfor Linux, or
wso2server.batfor Windows), which is stored in the
Add the following system properties to the script:
-Djdk.tls.client.protocols="TLSv1.1,TLSv1.2" \ -Djava.security.properties="$CARBON_HOME/repository/conf/wso2-ssl-security" \
Start the server.
- Open the
- Make a backup of the
axis2.xmlfile and stop the WSO2 product server.
You need to add the
PreferredCiphersparameter under the "Transport Ins (Listeners)" section along with the list of relevant cipher suites.
- Start the server.
Test the pass-through transport using the following command with the corresponding port:
$ java -jar TestSSLServer.jar localhost 8243