Enhance AhsayCBS Security: TLS, PFS, HSTS, Strong Cipher
Description
This Know-How article outlines how to improve the security of connections to AhsayCBS by:
- using strong cipher suites and only the TLS 1.2 protocol
- supporting perfect forward secrecy (PFS) through ECDHE key exchange
- enabling HTTP Strict Transport Security (HSTS)
Solution
Change the TLS settings
Browse to the following path on the AhsayCBS server:
%AhsayCBS_Installation_Home%/conf
Open the server.xml file with a text editor.
Locate the HTTPS <Connector> and its <SSLHostConfig> child element. Before the change it reads:
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https"
           enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000"
           acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443"
           maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443"
           disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000"
           maxConnections="10000">
    <SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt"
                   insecureRenegotiation="false" honorCipherOrder="false" ciphers="HIGH:!aNULL:!MD5"
                   disableSessionTickets="false" protocols="+TLSv1+TLSv1.1+TLSv1.2"
                   certificateVerification="false" certificateVerificationDepth="10">
Edit the line from
protocols="+TLSv1+TLSv1.1+TLSv1.2"
to
protocols="+TLSv1.2"
After the change the element reads as follows. Tomcat accepts both the "+TLSv1.2" form and the bare "TLSv1.2" form for the protocols attribute, so the two spellings are equivalent:
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https"
           enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000"
           acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443"
           maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443"
           disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000"
           maxConnections="10000">
    <SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt"
                   insecureRenegotiation="false" honorCipherOrder="false" ciphers="HIGH:!aNULL:!MD5"
                   disableSessionTickets="false" protocols="TLSv1.2"
                   certificateVerification="false" certificateVerificationDepth="10">
Change the cipher settings
Browse to the following path on the AhsayCBS server:
%AhsayCBS_Installation_Home%/conf
Open the server.xml file with a text editor.
Locate the <SSLHostConfig> element, which after the previous step reads:
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https"
           enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000"
           acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443"
           maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443"
           disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000"
           maxConnections="10000">
    <SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt"
                   insecureRenegotiation="false" honorCipherOrder="false" ciphers="HIGH:!aNULL:!MD5"
                   disableSessionTickets="false" protocols="TLSv1.2"
                   certificateVerification="false" certificateVerificationDepth="10">
Option 1 - For an AhsayCBS server serving version 7, 8 and 9 backup clients:
Edit the line from
ciphers="HIGH:!aNULL:!MD5"
to
ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
After the change the element reads:
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https"
           enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000"
           acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443"
           maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443"
           disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000"
           maxConnections="10000">
    <SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt"
                   insecureRenegotiation="false" honorCipherOrder="false"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
                   disableSessionTickets="false" protocols="TLSv1.2"
                   certificateVerification="false" certificateVerificationDepth="10">
Option 2 - For an AhsayCBS server serving version 8 and 9 backup clients only (DO NOT use this option if any version 7 AhsayOBM / AhsayACB client connects to your AhsayCBS):
Edit the line from
ciphers="HIGH:!aNULL:!MD5"
to
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
After the change the element reads:
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https"
           enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000"
           acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443"
           maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443"
           disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000"
           maxConnections="10000">
    <SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt"
                   insecureRenegotiation="false" honorCipherOrder="false"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
                   disableSessionTickets="false" protocols="TLSv1.2"
                   certificateVerification="false" certificateVerificationDepth="10">
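The two server.xml edits above (protocols and ciphers) are easy to get subtly wrong by hand, so the script below audits an SSLHostConfig the way a reviewer would and applies the article's edits by text substitution. It is an added example written for this article, not a tool shipped by Ahsay: it assumes only the layout shown above (an SSL-enabled <Connector> with an <SSLHostConfig> child), models Tomcat's "+"/"-" protocol syntax in a simplified way, and uses a constructed sample server.xml. It also flags honorCipherOrder="false", which is visible in the snippets above: with that value the client's preference, not the server's list order, decides which of the listed suites is used.

```python
"""Audit and harden the TLS settings of a Tomcat server.xml such as AhsayCBS conf/server.xml.

Added example, not a tool shipped by Ahsay. It assumes the layout shown in the article:
an HTTPS <Connector SSLEnabled="true"> containing an <SSLHostConfig> whose `protocols`,
`ciphers` and `honorCipherOrder` attributes are audited. SAMPLE_SERVER_XML is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Cipher lists from the article. Option 1 keeps two CBC suites for version 7 clients;
# Option 2 is AEAD-only (GCM / ChaCha20-Poly1305) for version 8 and 9 clients.
OPTION1_CIPHERS = ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
                   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
                   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256")
OPTION2_CIPHERS = ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
                   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256")

WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
ALL_PROTOCOLS = ["SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # Tomcat's "all"

# Constructed sample with the weak settings the article starts from.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig honorCipherOrder="false" ciphers="HIGH:!aNULL:!MD5"
                     protocols="+TLSv1+TLSv1.1+TLSv1.2">
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def expand_protocols(value):
    """Simplified model of Tomcat's protocols syntax: bare or '+' tokens add a protocol,
    '-' tokens remove one, and 'all' expands to ALL_PROTOCOLS. Returns the enabled list."""
    enabled = []
    for token in re.split(r"[,\s]+|(?=[+-])", value):
        token = token.strip()
        if not token:
            continue
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        for proto in (ALL_PROTOCOLS if name.lower() == "all" else [name]):
            if sign == "+" and proto not in enabled:
                enabled.append(proto)
            elif sign == "-" and proto in enabled:
                enabled.remove(proto)
    return enabled


def cipher_findings(ciphers):
    """Flag suites without forward secrecy, CBC suites, and OpenSSL-style shorthand
    (the audit expects the explicit JSSE suite names used in the article)."""
    if ciphers is None or ":" in ciphers or not ciphers.startswith("TLS_"):
        return [f"ciphers is {ciphers!r}: not an explicit list of JSSE suite names"]
    findings = []
    for suite in (s.strip() for s in ciphers.split(",")):
        if not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            findings.append(f"{suite}: no (EC)DHE key exchange, so no forward secrecy")
        if "_CBC_" in suite:
            findings.append(f"{suite}: CBC suite kept (only needed for version 7 clients)")
    return findings


def audit_server_xml(xml_text):
    """Return (port, finding) pairs for every SSLHostConfig of an SSL-enabled Connector."""
    findings = []
    for connector in ET.fromstring(xml_text).iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue
        port = connector.get("port", "?")
        for host in connector.findall("SSLHostConfig"):
            enabled = expand_protocols(host.get("protocols", "all"))
            for weak in sorted(WEAK_PROTOCOLS & set(enabled)):
                findings.append((port, f"legacy protocol {weak} enabled"))
            findings.extend((port, f) for f in cipher_findings(host.get("ciphers")))
            if host.get("honorCipherOrder", "false").lower() != "true":
                findings.append((port, "honorCipherOrder is false: client preference decides the suite"))
    return findings


def harden_server_xml(xml_text, ciphers=OPTION2_CIPHERS):
    """Apply the article's two edits to every <SSLHostConfig ...> tag by text substitution,
    so comments and layout elsewhere in server.xml survive untouched."""
    def fix_tag(match):
        tag = re.sub(r'protocols="[^"]*"', 'protocols="TLSv1.2"', match.group(0))
        return re.sub(r'ciphers="[^"]*"', f'ciphers="{ciphers}"', tag)
    return re.sub(r"<SSLHostConfig\b[^>]*>", fix_tag, xml_text)


if __name__ == "__main__":
    for port, finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"before, port {port}: {finding}")
    for port, finding in audit_server_xml(harden_server_xml(SAMPLE_SERVER_XML)):
        print(f"after,  port {port}: {finding}")
```

Run against a real conf/server.xml by reading the file into `audit_server_xml`; pass `OPTION1_CIPHERS` to `harden_server_xml` when version 7 clients still connect. The text-substitution approach is deliberate: round-tripping through ElementTree would drop comments and reindent the whole file, which makes the change hard to review.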
Enable HTTP Strict-Transport-Security (HSTS)
Browse to the following paths on the AhsayCBS server:
%AhsayCBS_Installation_Home%\webapps\ROOT\WEB-INF and %AhsayCBS_Installation_Home%\webapps\cbs\WEB-INF
Open the web.xml file in each directory with a text editor and add the following:
For v8, add the complete filter and its mapping:
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
For v9, insert the following after the existing <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> line:
<async-supported>true</async-supported>
<init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
</init-param>
<init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
</init-param>
<init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
</init-param>
There are multiple web.xml files in AhsayCBS; for full coverage, add the filter to every web.xml under %AhsayCBS_Installation_Home%\webapps.
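Because the filter has to be present in every web.xml under webapps, a quick audit that walks the directory and reports which files lack it, or carry a weaker setting, is useful after the edit. The script below is an added example written for this article, not a tool shipped by Ahsay: it assumes the %AhsayCBS_Installation_Home%\webapps\<app>\WEB-INF\web.xml layout described above and the filter-name httpHeaderSecurity from the snippets, and the three web.xml documents it checks are constructed samples (app name "other" is a placeholder, not an Ahsay component). Two caveats from Tomcat's own behaviour for HttpHeaderSecurityFilter: the HSTS header is only added to responses for requests Tomcat sees as secure, so verify it over https rather than the plain-http redirect, and the filter's anti-clickjacking (X-Frame-Options: DENY) and X-Content-Type-Options headers are on by default, so check that nothing legitimately frames the console.

```python
"""Audit every web.xml under an AhsayCBS webapps directory for the HSTS filter.

Added example, not a tool shipped by Ahsay. It assumes the layout the article describes
(%AhsayCBS_Installation_Home%\\webapps\\<app>\\WEB-INF\\web.xml) and checks for the
HttpHeaderSecurityFilter with the init-params the article sets. The web.xml documents
below are constructed samples.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
MIN_MAX_AGE = 31536000  # one year, the value the article uses

# Constructed samples: the article's filter, no filter at all, and a weak configuration.
COMPLIANT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
</web-app>
"""
MISSING_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
</web-app>
"""
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>300</param-value></init-param>
  </filter>
</web-app>
"""


def _text(element, name):
    """Read a child's text regardless of the web-app namespace ({*} matches any namespace)."""
    return (element.findtext(f"{{*}}{name}") or "").strip()


def hsts_findings(web_xml_text):
    """Return a list of findings for one web.xml; an empty list means it is compliant."""
    root = ET.fromstring(web_xml_text)
    filters = [f for f in root.iterfind("{*}filter") if _text(f, "filter-class") == FILTER_CLASS]
    if not filters:
        return ["HttpHeaderSecurityFilter is not declared"]
    findings = []
    for flt in filters:
        name = _text(flt, "filter-name")
        params = {_text(p, "param-name"): _text(p, "param-value") for p in flt.iterfind("{*}init-param")}
        # Defaults are Tomcat's own for this filter: hstsEnabled=true,
        # hstsMaxAgeSeconds=0, hstsIncludeSubDomains=false.
        if params.get("hstsEnabled", "true").lower() != "true":
            findings.append(f"{name}: hstsEnabled is false")
        if int(params.get("hstsMaxAgeSeconds", "0")) < MIN_MAX_AGE:
            findings.append(f"{name}: hstsMaxAgeSeconds below {MIN_MAX_AGE}")
        if params.get("hstsIncludeSubDomains", "false").lower() != "true":
            findings.append(f"{name}: hstsIncludeSubDomains is not true")
        mapped = any(_text(m, "filter-name") == name and _text(m, "url-pattern") == "/*"
                     for m in root.iterfind("{*}filter-mapping"))
        if not mapped:
            findings.append(f"{name}: no filter-mapping for /*")
    return findings


def audit_webapps(webapps_dir):
    """Walk <webapps>/*/WEB-INF/web.xml and map each file (relative path) to its findings."""
    webapps_dir = Path(webapps_dir)
    return {web_xml.relative_to(webapps_dir).as_posix(): hsts_findings(web_xml.read_text(encoding="utf-8"))
            for web_xml in sorted(webapps_dir.glob("*/WEB-INF/web.xml"))}


def demo_report():
    """Lay out three sample webapps in a temporary directory and return the audit report."""
    with tempfile.TemporaryDirectory() as tmp:
        for app, content in (("ROOT", COMPLIANT_WEB_XML), ("cbs", MISSING_WEB_XML), ("other", WEAK_WEB_XML)):
            target = Path(tmp) / app / "WEB-INF"
            target.mkdir(parents=True)
            (target / "web.xml").write_text(content, encoding="utf-8")
        return audit_webapps(tmp)


if __name__ == "__main__":
    for path, findings in demo_report().items():
        print(path, "->", findings or "OK")
```

On a live server call `audit_webapps(r"C:\path\to\AhsayCBS\webapps")` (or the Linux equivalent) and expect an empty list for every file; the namespace wildcard keeps the check working whether a given web.xml declares the Java EE namespace or not.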