How to improve security of connection to AhsayCBS (Strong Cipher, TLS protocol, PFS and HSTS)

How to improve security of connection to AhsayCBS (Strong Cipher, TLS protocol, PFS and HSTS)

Article ID
5014
Last Reviewed Date
Product Version
AhsayCBS: 8.1 or above
Operating System
All Platforms
Description

This Know-How article outlines how to improve security of connection to AhsayCBS by:

  • Usage of strong cipher and TLS protocol
  • Support of perfect forward secrecy
  • Usage of HSTS
You can only perform the following steps if you DO NOT have any version 6 AhsayOBM / AhsayACB client connecting to your AhsayCBS server.
Solution

Change the TLS settings

  1. Browse to the following path on the AhsayCBS server:

    %AhsayCBS_Installation_Home%/conf

  2. Open the server.xml file with a text editor.

    -
-
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
<SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="HIGH:!aNULL:!MD5" disableSessionTickets="false" protocols="+TLSv1+TLSv1.1+TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
-

  3. Edit the line from

    protocols="+TLSv1+TLSv1.1+TLSv1.2"

    to

    protocols="+TLSv1.2"

    -
-
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
<SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="HIGH:!aNULL:!MD5" disableSessionTickets="false" protocols="TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
-
Doing the above steps are not needed for AhsayCBS v9.1 or above since TLSv1.2 is supported.

Change the cipher settings

  1. Browse to the following path on the AhsayCBS server:

    %AhsayCBS_Installation_Home%/conf

  2. Open the server.xml file with a text editor.

    -
-
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
<SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="HIGH:!aNULL:!MD5" disableSessionTickets="false" protocols="TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
-

    • Option 1 - For AhsayCBS server with version 7, 8 and 9 backup clients:

      Edit the line from

      ciphers="HIGH:!aNULL:!MD5"

      to

      ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

      -
-
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
<SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" disableSessionTickets="false" protocols="TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
-

    • Option 2 - For AhsayCBS server with version 8 and 9 backup clients only (DO NOT use this option if there is version 7 AhsayOBM / AhsayACB client connecting to your AhsayCBS):

      Edit the line from

      ciphers="HIGH:!aNULL:!MD5"

      to

      ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

      -
-
<Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800" connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" port="443" maxHttpHeaderSize="8192" executor="tomcatThreadPool-https-0.0.0.0-443" redirectPort="443" disableUploadTimeout="false" socket.rxBufSize="25188" connectionTimeout="30000" maxConnections="10000">
<SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false" honorCipherOrder="false" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" disableSessionTickets="false" protocols="TLSv1.2" certificateVerification="false" certificateVerificationDepth="10">
-

Enable HTTP Strict-Transport-Security (HSTS)

  1. Browse to the following paths on the AhsayCBS server:

    %AhsayCBS_Installation_Home%\webapps\ROOT\WEB-INF and %AhsayCBS_Installation_Home%\webapps\cbs\WEB-INF

  2. Open the web.xml file with a text editor and add the following:

    For v8

    <filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31536000</param-value>
</init-param>
<init-param>
<param-name>hstsIncludeSubDomains</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>

    For v9, insert the following after the <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> line.

    <async-supported>true</async-supported>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31536000</param-value>
</init-param>
<init-param>
<param-name>hstsIncludeSubDomains</param-name>
<param-value>true</param-value>
</init-param>
    There are multiple web.xml files in AhsayCBS, for ultra security, add to all web.xml under %AhsayCBS_Installation_Home%\webapps.