39.5 Securing Tomcat

In order to support a wide variety of browsers, Vibe (Tomcat) allows the full range of SSL and TLS cipher suites. Over time, some of those cipher suites have proven vulnerable to attack. To harden Tomcat so that the server no longer accepts vulnerable cipher suites, specify explicitly which ciphers the server should accept:

NOTE: The list provided here is a time-sensitive example in a changing environment. Consult your risk management department or security manager for the current, approved list of ciphers.

  1. Change to the following directory:

    Linux:

    /opt/novell/teaming/apache-tomcat/conf

    Windows:

    c:\Program Files\Novell\Teaming\apache-tomcat\conf

  2. Open the server.xml file in a text editor.

  3. Locate the sslProtocol attribute.

  4. Disable the weak ciphers by adding the following text to the server.xml file, immediately after the sslProtocol attribute:

    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
    
  5. Save and close the server.xml file.
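As a way to verify the result of this procedure, the following Python script (an added example, not part of the Vibe documentation or the product) parses a server.xml, finds each SSL-enabled Connector element, and reports whether the ciphers attribute is present and whether every suite it lists is on an approved allowlist. The embedded server.xml is constructed, with placeholder ports, keystore path and password; the allowlist is the example list from step 4 and stands in for the list approved by your risk management department; the suite SSL_RSA_WITH_DES_CBC_SHA appears in the sample only so the audit has something to flag.

```python
"""Audit the cipher configuration of a Tomcat server.xml.

Added example, not part of the Vibe documentation: it parses server.xml,
finds each SSL-enabled <Connector> (identified by its sslProtocol or
SSLEnabled attribute), and reports whether a ciphers attribute is present
and whether every suite it lists is on an approved allowlist.
"""
import xml.etree.ElementTree as ET

# Allowlist: the suites from the documentation step above. In practice this
# is the list approved by your risk management department.
APPROVED_CIPHERS = {
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
}

# Constructed sample server.xml. Ports, keystore path and password are
# placeholders. The 8443 connector shows where the ciphers attribute goes
# (after sslProtocol) and deliberately lists one suite, SSL_RSA_WITH_DES_CBC_SHA,
# that is not on the allowlist; the 8444 connector has no ciphers attribute.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA"
               keystoreFile="/placeholder/path/keystore.jks"
               keystorePass="PLACEHOLDER" />
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="/placeholder/path/keystore.jks"
               keystorePass="PLACEHOLDER" />
  </Service>
</Server>
"""


def parse_cipher_list(value):
    """Split Tomcat's comma-separated ciphers attribute into suite names."""
    return [name.strip() for name in value.split(",") if name.strip()]


def is_ssl_connector(connector):
    """A connector is treated as SSL if it sets sslProtocol or SSLEnabled="true"."""
    return (connector.get("sslProtocol") is not None
            or connector.get("SSLEnabled", "false").lower() == "true")


def audit_connectors(server_xml, approved=APPROVED_CIPHERS):
    """Return one finding per SSL connector.

    Each finding holds the connector port, the configured suite list (None when
    the ciphers attribute is missing, so the JVM's default suites apply) and
    the suites that are configured but not on the approved list.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        if not is_ssl_connector(connector):
            continue
        raw = connector.get("ciphers")
        if raw is None:
            findings.append({"port": connector.get("port"),
                             "configured": None, "unapproved": None})
            continue
        suites = parse_cipher_list(raw)
        findings.append({"port": connector.get("port"),
                         "configured": suites,
                         "unapproved": [s for s in suites if s not in approved]})
    return findings


def is_compliant(findings):
    """True only if every SSL connector restricts ciphers to approved suites."""
    return all(f["configured"] is not None and not f["unapproved"] for f in findings)


def report_lines(findings):
    """Human-readable summary, one line per SSL connector."""
    lines = []
    for f in findings:
        if f["configured"] is None:
            lines.append(f"port {f['port']}: no ciphers attribute; default suites accepted")
        elif f["unapproved"]:
            lines.append(f"port {f['port']}: unapproved suites: {', '.join(f['unapproved'])}")
        else:
            lines.append(f"port {f['port']}: OK ({len(f['configured'])} approved suites)")
    return lines


if __name__ == "__main__":
    # For a real installation, pass the contents of conf/server.xml instead.
    result = audit_connectors(SAMPLE_SERVER_XML)
    print("\n".join(report_lines(result)))
    print("compliant:", is_compliant(result))
```

Run it against the real file by passing the contents of conf/server.xml to audit_connectors; a connector with no ciphers attribute is reported separately from one listing an unapproved suite, because the first accepts whatever the JVM enables by default while the second is an explicit but out-of-policy choice.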