Sean's i/o Stream

Musings-as-a-Service

Disabling Weak SSL encryption on CLM Tomcat 5/7

  • October 15, 2012
  •   category: ibm
  • tags: java, tomcat, security

If you start hosting your solution in Tomcat chances are your IT department will scan your machine for security vulnerabilities. Hosting in Tomcat directly is far from ideal for various reasons, but since this is the real world I understand and am not here to judge.

One scan you will probably fail is something like: Web Server Supports Weak SSL Encryption Certificates/Ciphers

Depending you your security tools this will have a different name but the underlying issue is the out of the box support for weak encryption by Tomcat.

The Fix:

Open up your Tomcat server.xml, somewhere like /opt/IBM/JazzTeamServer/server/tomcat/conf, find your SSL connector definition and we want to add a new attribute ciphers1 to the connector.

<Connector port="443"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, 
                  TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                  TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
                  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
                  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
           connectionTimeout="20000"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           minSpareThreads="25"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           clientAuth="false"
           keystoreFile="ibm-team-ssl.keystore"
           keystorePass="XXX"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           sslProtocol="${jazz.connector.sslProtocol}"
           algorithm="${jazz.connector.algorithm}"
           URIEncoding="UTF-8" />
Reference:
Back to Top