User Tools

Site Tools

You are here: Ahsay Wiki » Welcome to AhsayWiki » 8116_faq » [V8] FAQ: How to improve security of connection to AhsayCBS (Strong Cipher, TLS protocol and PFS)
public:8116_faq:how_to_improve_security_of_connection_to_cbs

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Last revision Both sides next revision
public:8116_faq:how_to_improve_security_of_connection_to_cbs [2021/04/30 17:26]
edward.chan created 		public:8116_faq:how_to_improve_security_of_connection_to_cbs [2021/05/04 15:36]
edward.chan
Line 6: Line 6:
  <​br/>​  <​br/>​
  <​b>​  <​b>​
-  Reviewed:</​b> ​30/04/2021+  Reviewed:</​b>​ 04/05/2021
  <​br/>​  <​br/>​
  <​br/>​  <​br/>​
Line 28: Line 28:
 </ul> </ul>
  
-<font color=red>​Important: ​Only perform the following steps if you have no version 6 AhsayOBM / ACB client connecting to your AhsayCBS ​server.</​font>​+<font color=red>​Important: ​You can only perform the following steps if you DO NOT have any version 6 AhsayOBM / ACB client connecting to your CBS server.</​font>​
 </​html>​ </​html>​
  
Line 37: Line 37:
 <br> <br>
 <ul> <ul>
-<​li><​font color=black>​To change ​the HTTPS connection to TLSv1.2 only:+<​li><​font color=black>​<​b>​Change ​the TLS setting</​b>​:
 <br> <br>
 <br> <br>
Line 82: Line 82:
  
  
-<​li><​font color=black>​Edit the line from <font color=red>​protocols="​TLSv1+TLSv1.1+TLSv1.2"</​font>​ to <font color=red>​protocols="​TLSv1.2"</​font>:​+<​li><​font color=black>​Edit the line from  
 +<​br><​br>​ 
 +<font color=red>​protocols="​TLSv1+TLSv1.1+TLSv1.2"</​font> ​ 
 +<​br><​br>​ 
 +to  
 +<​br><​br>​ 
 +<font color=red>​protocols="​TLSv1.2"</​font>:​
 <br> <br>
 <br> <br>
Line 112: Line 118:
     </tr>     </tr>
    </​table>​    </​table>​
 +   </​font></​li>​
 +   </​ol>​
 +   <​br>​
 +
 +
 +<​li><​font color=black><​b>​Change the cipher settings</​b>:​
 +<br>
 +<br>
 +<ol>
 +<​li><​font color=black>​Browse to the following path on the AhsayCBS server:
 +<br>
 +<br>
 +%CBS_Installation_Home%/​conf
 +</​font></​li>​
 +<br>
 +
 +
 +<​li><​font color=black>​Open the server.xml file with a text editor:
 +<br>
 +<br>
 +   <​table border="​0"​ cellpadding="​0"​ cellspacing="​0"​ width="​90%">​
 +    <tr>
 +     <​td align="​center"​ style="​BORDER-TOP:​ gray 1pt solid; BORDER-LEFT:​ gray 1pt solid; BORDER-RIGHT:​ gray 1pt solid; BORDER-BOTTOM:​ gray 1pt solid; BACKGROUND-COLOR:​ #​f7931e">​
 +      <font size=1.5>​server.xml</​font>​
 +     </​td>​
 +    </tr>
 +    <tr>
 +     <​td style="​BORDER-LEFT:​ gray 1pt solid; BORDER-RIGHT:​ gray 1pt solid; BORDER-BOTTOM:​ gray 1pt solid; BACKGROUND-COLOR:​ #​FFFFFF"><​p style="​font-family:​courier;">​
 +<font size=1.5>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​…<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​…<​br>​
 +
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​lt;​Connector maxKeepAliveRequests="​9999"​ keepAliveTimeout="​30000"​ address="​0.0.0.0"​ scheme="​https"​ enableLookups="​false"​ socket.txBufSize="​43800"<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​connectionUploadTimeout="​900000"​ acceptCount="​200"​ secure="​true"​ URIEncoding="​utf-8"​ sendReasonPhrase="​true"​ protocol="​org.apache.<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​maxHttpHeaderSize="​8192"​ redirectPort="​443"​ executor="​tomcatThreadPool-https-0.0.0.0-443"​ disableUploadTimeout="​false"​ coyote.<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​http11.Http11NioProtocol"​ SSLEnabled="​true"​ port="​443"​ socket.rxBufSize="​25188"​ connectionTimeout="​10000"​ maxConnections="​500"&​gt;<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp; ​
 +
 +&​nbsp;&​nbsp;&​nbsp;&​lt;​SSLHostConfig disableCompression="​true"​ caCertificateFile="​${catalina.base}/​conf/​ca.crt"​ insecureRenegotiation="​false"<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;​honorCipherOrder="​false"​ <font color=red>​ciphers="​HIGH:​!aNULL:​!MD5"</​font>​ disableSessionTickets="​false"​ protocols="​TLSv1.2"<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;​certificateVerification="​false"​ certificateVerificationDepth="​10"&​gt;<​br>​
 +   ​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;​… ​
 +   </​font>​
 +     </​td>​
 +    </tr>
 +   </​table>​
 +
 +<ul>
 +<​li><​font color=black>​Option 1 - For AhsayCBS server with version 7 and 8 backup clients:
 +<br>
 +<br>
 +Edit the line from
 +<​br><​br>​
 +<font color=red>​ciphers="​HIGH:​!aNULL:​!MD5"</​font>​
 +<​br><​br>​
 +to
 +<​br><​br>​
 +<font color=red>​ciphers="​TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,​TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,​TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,​TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,​TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"</​font>​
 +<br>
 +<br>
 +
 +   <​table border="​0"​ cellpadding="​0"​ cellspacing="​0"​ width="​95%">​
 +    <tr>
 +     <​td align="​center"​ style="​BORDER-TOP:​ gray 1pt solid; BORDER-LEFT:​ gray 1pt solid; BORDER-RIGHT:​ gray 1pt solid; BORDER-BOTTOM:​ gray 1pt solid; BACKGROUND-COLOR:​ #​f7931e">​
 +      <font size=1.5>​server.xml</​font>​
 +     </​td>​
 +    </tr>
 +    <tr>
 +     <​td style="​BORDER-LEFT:​ gray 1pt solid; BORDER-RIGHT:​ gray 1pt solid; BORDER-BOTTOM:​ gray 1pt solid; BACKGROUND-COLOR:​ #​FFFFFF"><​p style="​font-family:​courier;">​
 +<font size=1.5>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​…<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​…<​br>​
 +
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​lt;​Connector maxKeepAliveRequests="​9999"​ keepAliveTimeout="​30000"​ address="​0.0.0.0"​ scheme="​https"​ enableLookups="​false"​ socket.txBufSize="​43800"<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​connectionUploadTimeout="​900000"​ acceptCount="​200"​ secure="​true"​ URIEncoding="​utf-8"​ sendReasonPhrase="​true"​ protocol="​org.apache.<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​maxHttpHeaderSize="​8192"​ redirectPort="​443"​ executor="​tomcatThreadPool-https-0.0.0.0-443"​ disableUploadTimeout="​false"​ coyote.<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​http11.Http11NioProtocol"​ SSLEnabled="​true"​ port="​443"​ socket.rxBufSize="​25188"​ connectionTimeout="​10000"​ maxConnections="​500"&​gt;<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp; ​
 +
 +&​nbsp;&​nbsp;&​nbsp;&​lt;​SSLHostConfig disableCompression="​true"​ caCertificateFile="​${catalina.base}/​conf/​ca.crt"​ insecureRenegotiation="​false"<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;​honorCipherOrder="​false"​ <font color=red>​ciphers="​TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,​TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;​TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,​TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,​TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"</​font><​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;​disableSessionTickets="​false"​ protocols="​TLSv1.2"​ certificateVerification="​false"​ certificateVerificationDepth="​10"&​gt;<​br>​
 +   ​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;​… ​
 +   </​font>​
 +     </​td>​
 +    </tr>
 +   </​table>​
 +
 +
 +
 +
 +</​font></​li>​
 +<br>
 +
 +
 +<​li><​font color=black>​Option 2 -  For AhsayCBS server with version 8 backup clients only (DO NOT use this option if there is version 7 AhsayOBM / ACB client connecting to your CBS):
 +<br>
 +<br>
 +Edit the line from
 +<​br><​br>​
 +<font color=red>​ciphers="​HIGH:​!aNULL:​!MD5"</​font> ​
 +<​br><​br>​
 +to
 +<​br><​br>​
 +<font color=red>​ciphers="​TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,​TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,​TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"</​font>​
 +<br>
 +<br>
 +
 +   <​table border="​0"​ cellpadding="​0"​ cellspacing="​0"​ width="​95%">​
 +    <tr>
 +     <​td align="​center"​ style="​BORDER-TOP:​ gray 1pt solid; BORDER-LEFT:​ gray 1pt solid; BORDER-RIGHT:​ gray 1pt solid; BORDER-BOTTOM:​ gray 1pt solid; BACKGROUND-COLOR:​ #​f7931e">​
 +      <font size=1.5>​server.xml</​font>​
 +     </​td>​
 +    </tr>
 +    <tr>
 +     <​td style="​BORDER-LEFT:​ gray 1pt solid; BORDER-RIGHT:​ gray 1pt solid; BORDER-BOTTOM:​ gray 1pt solid; BACKGROUND-COLOR:​ #​FFFFFF"><​p style="​font-family:​courier;">​
 +<font size=1.5>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​…<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​…<​br>​
 +
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​lt;​Connector maxKeepAliveRequests="​9999"​ keepAliveTimeout="​30000"​ address="​0.0.0.0"​ scheme="​https"​ enableLookups="​false"​ socket.txBufSize="​43800"<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​connectionUploadTimeout="​900000"​ acceptCount="​200"​ secure="​true"​ URIEncoding="​utf-8"​ sendReasonPhrase="​true"​ protocol="​org.apache.<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​maxHttpHeaderSize="​8192"​ redirectPort="​443"​ executor="​tomcatThreadPool-https-0.0.0.0-443"​ disableUploadTimeout="​false"​ coyote.<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;​http11.Http11NioProtocol"​ SSLEnabled="​true"​ port="​443"​ socket.rxBufSize="​25188"​ connectionTimeout="​10000"​ maxConnections="​500"&​gt;<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp; ​
 +
 +&​nbsp;&​nbsp;&​nbsp;&​lt;​SSLHostConfig disableCompression="​true"​ caCertificateFile="​${catalina.base}/​conf/​ca.crt"​ insecureRenegotiation="​false"<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;​honorCipherOrder="​false"​ <font color=red>​ciphers="​TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,​TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,<​br>​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;​TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"</​font>​ disableSessionTickets="​false"​ protocols="​TLSv1.2"​ certificateVerification="​false"​ <br>
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;​certificateVerificationDepth="​10"&​gt;<​br>​
 +   ​
 +&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;&​nbsp;​… ​
 +   </​font>​
 +     </​td>​
 +    </tr>
 +   </​table></​font></​li>​
 +</ul>
 +
 +</​font></​li>​
 +</ul>
 +
  
  
Line 117: Line 267:
  
  
 +      ​
 +      ​
 +      ​
  
 </​html>​ </​html>​
public/8116_faq/how_to_improve_security_of_connection_to_cbs.txt · Last modified: 2021/12/14 10:45 by anna.olalia

Page Tools