40.8 Securing Tomcat

In order to support a wide variety of browsers, Vibe (Tomcat) allows the full range of SSL and TLS cipher suites. Over time, some of these ciphers have proven vulnerable to attack. To harden Tomcat and stop the server from accepting vulnerable ciphers, you can restrict which ciphers the server accepts:

NOTE: Because cipher lists are constantly changing, we can’t provide an up-to-date list of vulnerable ciphers. Consult with your risk management department or security manager for your organization’s list.

  1. Change to the following directory:

    Linux:

    /opt/novell/teaming/apache-tomcat/conf

    Windows:

    c:\Program Files\Novell\Teaming\apache-tomcat\conf
  2. Open the server.xml file in a text editor.

  3. Locate the sslProtocol attribute.

  4. Disable the weak ciphers identified by your risk management department or security manager by adding a ciphers list to the server.xml file, after the sslProtocol attribute:

    ciphers="example_cipher_1, example_cipher_2, etc."
  5. Save and close the server.xml file.
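The following is an added example, not part of the Vibe documentation or of Tomcat itself. It shows the placement of the ciphers attribute after sslProtocol on an SSL-enabled Connector (on a constructed server.xml fragment with placeholder cipher names) and a small check that parses server.xml and reports any cipher from your organization's deny list that is still enabled. One caveat worth knowing before editing: in Tomcat the ciphers attribute is the list the connector will accept, so a cipher is disabled by leaving it out of that list, not by naming it there. The deny list below is a constructed stand-in for the one your risk management department or security manager supplies.

```python
# Added example (not from the Vibe/Tomcat documentation): parse a Tomcat
# server.xml and check each SSL-enabled Connector's cipher list against an
# organisation-supplied list of ciphers that must not be enabled.
import sys
import xml.etree.ElementTree as ET

# Constructed sample of a server.xml fragment. The ciphers attribute sits after
# sslProtocol as the procedure above describes; the cipher names are
# placeholders, not a recommendation.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false"
               sslProtocol="TLS"
               ciphers="example_cipher_1, example_cipher_2, example_cipher_3" />
  </Service>
</Server>
"""

# Constructed deny list standing in for your organisation's list.
DENY_LIST = {"example_cipher_2", "weak_cipher_x"}


def ssl_connectors(server_xml: str) -> list:
    """Return the Connector elements that have SSL enabled."""
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def enabled_ciphers(connector) -> list:
    """Split the connector's ciphers attribute into individual names.

    In Tomcat, `ciphers` is the list the connector will accept (an allow
    list); anything not listed is disabled.
    """
    raw = connector.get("ciphers", "")
    return [name.strip() for name in raw.split(",") if name.strip()]


def denied_ciphers_present(server_xml: str, deny_list: set) -> dict:
    """Map each SSL connector's port to the denied ciphers it still enables."""
    findings = {}
    for conn in ssl_connectors(server_xml):
        bad = [c for c in enabled_ciphers(conn) if c in deny_list]
        if bad:
            findings[conn.get("port")] = bad
    return findings


if __name__ == "__main__":
    # Pass the path to server.xml as the first argument; with no argument the
    # constructed sample above is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_SERVER_XML
    report = denied_ciphers_present(xml_text, DENY_LIST)
    for port, bad in report.items():
        print(f"Connector on port {port} still enables denied ciphers: {', '.join(bad)}")
    if not report:
        print("No denied ciphers enabled on any SSL connector.")
```

Run it against the real file after step 5 (for example `python check_ciphers.py /opt/novell/teaming/apache-tomcat/conf/server.xml`); on the constructed sample it reports that the connector on port 8443 still enables example_cipher_2, which is the cue to remove that name from the ciphers attribute.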