This documentation is for WSO2 Carbon 4.2.0. View documentation for the latest release.
Enable Strong Ciphers for Enhanced Security - Carbon 4.2.0 - WSO2 Documentation
Carbon 4.2.0
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 16 Next »

A cipher is an algorithm for performing encryption or decryption. You have the option of disabling the weak ciphers in the Tomcat server by modifying the SSL Connector container in the catalina-server.xml file. Note that the ssLprotocol attribute is set to "TLS" by default, which ensures that only the TLS and default ciphers are enabled. Also, by default, all ciphers will be enabled regardless of whether they are strong or weak. Therefore, to disable the weak ciphers, you must ensure that only the ciphers you want your server to support are entered for the ciphers attribute in a comma-separated list. Also, if you do not add this cipher attribute or keep it blank, all SSL ciphers by JSSE will be supported by your server, thereby enabling the weak ciphers.

To enable only the strong ciphers in a Carbon server:

  1. Locate the catalina-server.xml file in the <CARBON_HOME>/repository/conf/tomcat directory.
  2. Take a backup of catalina-server.xml file.
  3. Stop the Carbon server.
  4. In the catalina-server.xml file, the sslProtocol is "TLS" by default. If you want SSL ciphers to be enabled instead of TLS, change this value to "SSL":
    sslProtocol="SSL"

  5. Add the cipher attribute to the existing configuration in the catalina-server.xml file by adding the list of ciphers that you want your server to support as follows:

    ciphers="<cipher-name>,<cipher-name>"

    For example, once you have completed the configuration, your connector will look as follows:

     <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
                port="9443"
                bindOnInit="false"
                sslProtocol="TLS"
                maxHttpHeaderSize="8192"
                acceptorThreadCount="2"
                maxThreads="250"
                minSpareThreads="50"
                disableUploadTimeout="false"
                enableLookups="false"
                connectionUploadTimeout="120000"
                maxKeepAliveRequests="200"
                acceptCount="200"
                server="WSO2 Carbon Server"
                clientAuth="false"
                compression="on"
                scheme="https"
                secure="true"
                SSLEnabled="true"
                compressionMinSize="2048"
                noCompressionUserAgents="gozilla, traviata"
                compressableMimeType="text/html,text/javascript,application/x-        
                javascript,application/javascript,application/xml,text/css,application/xslt+xml,
                text/xsl,image/gif,image/jpg,image/jpeg"
                ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
                TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
                keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
                keystorePass="wso2carbon" 
                URIEncoding="UTF-8"/>
  6. Save the catalina-server.xml file.
  7. Restart the Carbon server.
  • No labels