Strengthening AhsayCBS Security: TLS, PFS, HSTS, Strong Cipher

Strengthening AhsayCBS Security: TLS, PFS, HSTS, Strong Cipher

Article ID
5014
Last Reviewed Date
Product Version
AhsayCBS: 8.1 or above
Operating System
All Platforms
Description

This Know-How article outlines how to improve security of connection to AhsayCBS by:

  • Usage of strong cipher and TLS protocol
  • Support of perfect forward secrecy
  • Usage of HSTS
You can only perform the following steps if you DO NOT have any version 6 AhsayOBM / AhsayACB client connecting to your AhsayCBS server.
Solution

Change the TLS settings

  1. Browse to the following path on the AhsayCBS server:

    %AhsayCBS_Installation_Home%/conf

  2. Open the server.xml file with a text editor.

    -
-
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
<SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="HIGH:!aNULL:!MD5" disableSessionTickets="false" protocols="+TLSv1+TLSv1.1+TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
-

  3. Edit the line from

    protocols="+TLSv1+TLSv1.1+TLSv1.2"

    to

    protocols="+TLSv1.2"

    -
-
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
<SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="HIGH:!aNULL:!MD5" disableSessionTickets="false" protocols="TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
-
Doing the above steps are not needed for AhsayCBS v9.1 or above since TLSv1.2 is supported.

Change the cipher settings

  1. Browse to the following path on the AhsayCBS server:

    %AhsayCBS_Installation_Home%/conf

  2. Open the server.xml file with a text editor.

    -
-
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
<SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="HIGH:!aNULL:!MD5" disableSessionTickets="false" protocols="TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
-

    • Option 1 - For AhsayCBS server with version 7, 8 and 9 backup clients:

      Edit the line from

      ciphers="HIGH:!aNULL:!MD5"

      to

      ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

      -
-
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
<SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" disableSessionTickets="false" protocols="TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
-

    • Option 2 - For AhsayCBS server with version 8 and 9 backup clients only (DO NOT use this option if there is version 7 AhsayOBM / AhsayACB client connecting to your AhsayCBS):

      Edit the line from

      ciphers="HIGH:!aNULL:!MD5"

      to

      ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

      -
-
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
<SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" disableSessionTickets="false" protocols="TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
-

Enable HTTP Strict-Transport-Security (HSTS)

  1. Browse to the following paths on the AhsayCBS server:

    %AhsayCBS_Installation_Home%\webapps\ROOT\WEB-INF and %AhsayCBS_Installation_Home%\webapps\cbs\WEB-INF

  2. Open the web.xml file with a text editor and add the following:

    For v8

    <filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31536000</param-value>
</init-param>
<init-param>
<param-name>hstsIncludeSubDomains</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>

    For v9, insert the following after the <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> line.

    <async-supported>true</async-supported>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31536000</param-value>
</init-param>
<init-param>
<param-name>hstsIncludeSubDomains</param-name>
<param-value>true</param-value>
</init-param>
    There are multiple web.xml files in AhsayCBS, for ultra security, add to all web.xml under %AhsayCBS_Installation_Home%\webapps.