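--- a/public:8116_faq:how_to_improve_security_of_connection_to_cbs	2021/04/30 17:26 edward.chan created
+++ b/public:8116_faq:how_to_improve_security_of_connection_to_cbs	2021/05/04 15:36 edward.chan
@@ -6,5 +6,5 @@
 <br/>
 <b>
-Reviewed:</b> 30/04/2021
+Reviewed:</b> 04/05/2021
 <br/>
 <br/>
@@ -28,3 +28,3 @@
 </ul>
-<font color=red>Important: Only perform the following steps if you have no version 6 AhsayOBM / ACB client connecting to your AhsayCBS server.</font>
+<font color=red>Important: You can only perform the following steps if you DO NOT have any version 6 AhsayOBM / ACB client connecting to your CBS server.</font>
 </html>
@@ -37,5 +37,5 @@
 <br>
 <ul>
-<li><font color=black>To change the HTTPS connection to TLSv1.2 only:
+<li><font color=black><b>Change the TLS setting</b>:
 <br>
 <br>
@@ -82,3 +82,9 @@
-<li><font color=black>Edit the line from <font color=red>protocols="TLSv1+TLSv1.1+TLSv1.2"</font> to <font color=red>protocols="TLSv1.2"</font>:
+<li><font color=black>Edit the line from
+<br><br>
+<font color=red>protocols="TLSv1+TLSv1.1+TLSv1.2"</font>
+<br><br>
+to
+<br><br>
+<font color=red>protocols="TLSv1.2"</font>:
 <br>
 <br>
@@ -112,2 +118,146 @@
 </tr>
 </table>
+</font></li>
+</ol>
+<br>
+
+
+<li><font color=black><b>Change the cipher settings</b>:
+<br>
+<br>
+<ol>
+<li><font color=black>Browse to the following path on the AhsayCBS server:
+<br>
+<br>
+%CBS_Installation_Home%/conf
+</font></li>
+<br>
+
+
+<li><font color=black>Open the server.xml file with a text editor:
+<br>
+<br>
+<table border="0" cellpadding="0" cellspacing="0" width="90%">
+<tr>
+<td align="center" style="BORDER-TOP: gray 1pt solid; BORDER-LEFT: gray 1pt solid; BORDER-RIGHT: gray 1pt solid; BORDER-BOTTOM: gray 1pt solid; BACKGROUND-COLOR: #f7931e">
+<font size=1.5>server.xml</font>
+</td>
+</tr>
+<tr>
+<td style="BORDER-LEFT: gray 1pt solid; BORDER-RIGHT: gray 1pt solid; BORDER-BOTTOM: gray 1pt solid; BACKGROUND-COLOR: #FFFFFF"><p style="font-family:courier;">
+<font size=1.5>
+    …<br>
+    …<br>
+
+    <Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800"<br>
+    connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.<br>
+    maxHttpHeaderSize="8192" redirectPort="443" executor="tomcatThreadPool-https-0.0.0.0-443" disableUploadTimeout="false" coyote.<br>
+    http11.Http11NioProtocol" SSLEnabled="true" port="443" socket.rxBufSize="25188" connectionTimeout="10000" maxConnections="500"><br>
+     
+
+   <SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false"<br>
+        honorCipherOrder="false" <font color=red>ciphers="HIGH:!aNULL:!MD5"</font> disableSessionTickets="false" protocols="TLSv1.2"<br>
+        certificateVerification="false" certificateVerificationDepth="10"><br>
+
+        …
+</font>
+</td>
+</tr>
+</table>
+
+<ul>
+<li><font color=black>Option 1 - For AhsayCBS server with version 7 and 8 backup clients:
+<br>
+<br>
+Edit the line from
+<br><br>
+<font color=red>ciphers="HIGH:!aNULL:!MD5"</font>
+<br><br>
+to
+<br><br>
+<font color=red>ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"</font>
+<br>
+<br>
+
+<table border="0" cellpadding="0" cellspacing="0" width="95%">
+<tr>
+<td align="center" style="BORDER-TOP: gray 1pt solid; BORDER-LEFT: gray 1pt solid; BORDER-RIGHT: gray 1pt solid; BORDER-BOTTOM: gray 1pt solid; BACKGROUND-COLOR: #f7931e">
+<font size=1.5>server.xml</font>
+</td>
+</tr>
+<tr>
+<td style="BORDER-LEFT: gray 1pt solid; BORDER-RIGHT: gray 1pt solid; BORDER-BOTTOM: gray 1pt solid; BACKGROUND-COLOR: #FFFFFF"><p style="font-family:courier;">
+<font size=1.5>
+    …<br>
+    …<br>
+
+    <Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800"<br>
+    connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.<br>
+    maxHttpHeaderSize="8192" redirectPort="443" executor="tomcatThreadPool-https-0.0.0.0-443" disableUploadTimeout="false" coyote.<br>
+    http11.Http11NioProtocol" SSLEnabled="true" port="443" socket.rxBufSize="25188" connectionTimeout="10000" maxConnections="500"><br>
+     
+
+   <SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false"<br>
+        honorCipherOrder="false" <font color=red>ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,<br>
+        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"</font><br>
+        disableSessionTickets="false" protocols="TLSv1.2" certificateVerification="false" certificateVerificationDepth="10"><br>
+
+        …
+</font>
+</td>
+</tr>
+</table>
+
+
+
+
+</font></li>
+<br>
+
+
+<li><font color=black>Option 2 - For AhsayCBS server with version 8 backup clients only (DO NOT use this option if there is version 7 AhsayOBM / ACB client connecting to your CBS):
+<br>
+<br>
+Edit the line from
+<br><br>
+<font color=red>ciphers="HIGH:!aNULL:!MD5"</font>
+<br><br>
+to
+<br><br>
+<font color=red>ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"</font>
+<br>
+<br>
+
+<table border="0" cellpadding="0" cellspacing="0" width="95%">
+<tr>
+<td align="center" style="BORDER-TOP: gray 1pt solid; BORDER-LEFT: gray 1pt solid; BORDER-RIGHT: gray 1pt solid; BORDER-BOTTOM: gray 1pt solid; BACKGROUND-COLOR: #f7931e">
+<font size=1.5>server.xml</font>
+</td>
+</tr>
+<tr>
+<td style="BORDER-LEFT: gray 1pt solid; BORDER-RIGHT: gray 1pt solid; BORDER-BOTTOM: gray 1pt solid; BACKGROUND-COLOR: #FFFFFF"><p style="font-family:courier;">
+<font size=1.5>
+    …<br>
+    …<br>
+
+    <Connector maxKeepAliveRequests="9999" keepAliveTimeout="30000" address="0.0.0.0" scheme="https" enableLookups="false" socket.txBufSize="43800"<br>
+    connectionUploadTimeout="900000" acceptCount="200" secure="true" URIEncoding="utf-8" sendReasonPhrase="true" protocol="org.apache.<br>
+    maxHttpHeaderSize="8192" redirectPort="443" executor="tomcatThreadPool-https-0.0.0.0-443" disableUploadTimeout="false" coyote.<br>
+    http11.Http11NioProtocol" SSLEnabled="true" port="443" socket.rxBufSize="25188" connectionTimeout="10000" maxConnections="500"><br>
+     
+
+   <SSLHostConfig disableCompression="true" caCertificateFile="${catalina.base}/conf/ca.crt" insecureRenegotiation="false"<br>
+        honorCipherOrder="false" <font color=red>ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,<br>
+        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"</font> disableSessionTickets="false" protocols="TLSv1.2" certificateVerification="false" <br>
+        certificateVerificationDepth="10"><br>
+
+        …
+</font>
+</td>
+</tr>
+</table></font></li>
+</ul>
+
+</font></li>
+</ul>
+
@@ -117,1 +267,4 @@
+
+
+
 </html>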
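Review bot: All three new server.xml excerpts in the "Change the cipher settings" step keep `honorCipherOrder="false"` on the SSLHostConfig line, so after the edit the client's preference still decides which of the listed suites is negotiated; under Option 1 a client that prefers the CBC suites will get them ahead of the GCM/ChaCha20 ones even though both are allowed. If the step is meant to favour the AEAD suites, the text should tell the reader to set `honorCipherOrder="true"` and list the GCM/CHACHA20 suites first, or state plainly that suite order is left to the client. A second, smaller point: inside the boxed excerpts the `ciphers` value is broken across display lines with `<br>` in the middle of the attribute, so only the red "to" line above each box is safe to copy; a sentence such as `Copy the ciphers value from the red line above; the excerpt below wraps it for display only.` would stop a line-broken attribute being pasted into server.xml. The `</font></li></ol>` that open this hunk close elements begun outside it, in the earlier "Change the TLS setting" step.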