Skip to main content

Enhance AhsayCBS Security: TLS, PFS, HSTS, Strong Cipher

Article ID

5014

Last Reviewed Date

Product Version

AhsayCBS: 8.1 or above

Operating System

All Platforms

Description

This Know-How article outlines how to improve security of connection to AhsayCBS by:

  • Usage of strong cipher and TLS protocol
  • Support of perfect forward secrecy
  • Usage of HSTS
You can only perform the following steps if you DO NOT have any version 6 AhsayOBM / AhsayACB client connecting to your AhsayCBS server.

Solution

Change the TLS settings

  1. Browse to the following path on the AhsayCBS server:

    %AhsayCBS_Installation_Home%/conf

  2. Open the server.xml file with a text editor.

    -
    -
    <Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
    <SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="HIGH:!aNULL:!MD5" disableSessionTickets="false" protocols="+TLSv1+TLSv1.1+TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
    -
    
  3. Edit the line from

    protocols="+TLSv1+TLSv1.1+TLSv1.2"

    to

    protocols="+TLSv1.2"

    -
    -
    <Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
    <SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="HIGH:!aNULL:!MD5" disableSessionTickets="false" protocols="TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
    -
Doing the above steps are not needed for AhsayCBS v9.1 or above since TLSv1.2 is supported.

Change the cipher settings

  1. Browse to the following path on the AhsayCBS server:

    %AhsayCBS_Installation_Home%/conf

  2. Open the server.xml file with a text editor.

    -
    -
    <Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
    <SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="HIGH:!aNULL:!MD5" disableSessionTickets="false" protocols="TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
    -
    • Option 1 - For AhsayCBS server with version 7, 8 and 9 backup clients:

      Edit the line from

      ciphers="HIGH:!aNULL:!MD5"

      to

      ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

      -
      -
      <Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
      <SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" disableSessionTickets="false" protocols="TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
      -
    • Option 2 - For AhsayCBS server with version 8 and 9 backup clients only (DO NOT use this option if there is version 7 AhsayOBM / AhsayACB client connecting to your AhsayCBS):

      Edit the line from

      ciphers="HIGH:!aNULL:!MD5"

      to

      ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

      -
      -
      <Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
      <SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" disableSessionTickets="false" protocols="TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
      -

Enable HTTP Strict-Transport-Security (HSTS)

  1. Browse to the following paths on the AhsayCBS server:

    %AhsayCBS_Installation_Home%\webapps\ROOT\WEB-INF and %AhsayCBS_Installation_Home%\webapps\cbs\WEB-INF

  2. Open the web.xml file with a text editor and add the following:

    For v8

    <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
    </init-param>
    <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
    </init-param>
    <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
    </init-param>
    </filter>
    <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

    For v9, insert the following after the <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> line.

    <async-supported>true</async-supported>
    <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
    </init-param>
    <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
    </init-param>
    <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
    </init-param>
    There are multiple web.xml files in AhsayCBS, for ultra security, add to all web.xml under %AhsayCBS_Installation_Home%\webapps.