Disable TLS 1.0 for the default HTTPS connector in DPA

Updated March 13, 2017

Overview

This article provides a workaround for the SSL configuration in DPA not being PCI compliant. You can disable TLS 1.0 for the default HTTPS connector and create a second connector, with TLS 1.0 enabled, for the Orion integration.

Environment

  • DPA Integration Module 10.2 and earlier
  • DPA Integration Module 11.0 and later

Resolution

For DPAIM 10.2 and earlier

First, configure Tomcat to use two separate HTTPS connectors.

  1. Open the DPA_INSTALL_DIR/iwc/tomcat/conf/server.xml file in a text editor.
  2. Locate the HTTPS connector section.
  3. If there are not already two connector entries, copy the first connector entry and paste it underneath to create a second entry.
  4. Make sure the Connector port value is unique for each entry.
  5. For the external connector (public and accessible from the Internet):
    1. Disable TLS 1.0 by adding the following line:

      sslEnabledProtocols="TLSv1.2,TLSv1.1"

    2. Add !3DES: to the ciphers property.
  6. For the internal connector (that connects to the DPA Integration Module), enable TLS 1.0.
  7. Restart DPA.

Second, adjust your firewall settings to block external connections to the internal connector.

Here is an example of the HTTPS connector section in the server.xml file:

<!-- Secure public HTTPS/SSL connector -->
<Connector port="8124" maxHttpHeaderSize="20480" URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true"
  clientAuth="false" useServerCipherSuitesOrder="true" compression="on"
  compressionMinSize="2048" compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
  keystoreFile="conf/.keystore"
  sslEnabledProtocols="TLSv1.2,TLSv1.1"
  ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:!3DES:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
    !TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
    !TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
    RC4+RSA:+HIGH:+MEDIUM"
/>

<!-- Insecure local HTTPS/SSL connector for Orion Integration -->
<Connector port="8125" maxHttpHeaderSize="20480" URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true"
  clientAuth="false" useServerCipherSuitesOrder="true" compression="on"
  compressionMinSize="2048" compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
  keystoreFile="conf/.keystore"
  ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
    !TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
    !TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
    RC4+RSA:+HIGH:+MEDIUM"
/>

For DPAIM 11.0 and later

Configure Tomcat to use one secure HTTPS connector.

  1. Open the DPA_INSTALL_DIR/iwc/tomcat/conf/server.xml file in a text editor.
  2. Locate the HTTPS connector section.
  3. Disable TLS 1.0 by adding the following line:

    sslEnabledProtocols="TLSv1.2,TLSv1.1"

  4. Add !3DES: to the ciphers property.
  5. Restart DPA.

Here is an example of the HTTPS connector section in the server.xml file:

<!-- Secure public HTTPS/SSL connector -->
<Connector port="8124" maxHttpHeaderSize="20480" URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true"
  clientAuth="false" useServerCipherSuitesOrder="true" compression="on"
  compressionMinSize="2048" compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
  keystoreFile="conf/.keystore"
  sslEnabledProtocols="TLSv1.2,TLSv1.1"
  ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:!3DES:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
    !TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
    !TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
    RC4+RSA:+HIGH:+MEDIUM"
/>
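
After editing server.xml, the public connector can be checked against the two settings above before DPA is restarted. The following is an added example, not part of the original article or any SolarWinds tooling: it flags a protocol list that admits TLS 1.0 or contains a misspelled name, and a ciphers string without !3DES. The function name audit_connectors, the sample XML and port 8126 are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Protocol names the article permits on the public connector.
ALLOWED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}


def audit_connectors(server_xml_text, internal_ports=()):
    """Return {port: [findings]} for each SSL-enabled <Connector>.

    Ports in internal_ports (the Orion integration connector, which the
    article deliberately leaves with TLS 1.0) are listed but not checked.
    """
    report = {}
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        port = int(conn.get("port"))
        findings = report.setdefault(port, [])
        if port in internal_ports:
            continue
        protocols = conn.get("sslEnabledProtocols")
        if protocols is None:
            findings.append("sslEnabledProtocols not set; JVM defaults apply")
        else:
            for name in (p.strip() for p in protocols.split(",")):
                if name not in ALLOWED_PROTOCOLS:
                    findings.append(f"protocol not allowed or misspelled: {name}")
        # Attribute line breaks become spaces when parsed, so strip each token.
        tokens = [t.strip() for t in conn.get("ciphers", "").split(":")]
        if "!3DES" not in tokens:
            findings.append("ciphers does not exclude 3DES")
    return report


# Constructed sample: 8124 carries a misspelled protocol name and no !3DES,
# 8125 is the internal connector, 8126 (hypothetical) follows the article.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8124" scheme="https" secure="true" SSLEnabled="true"
    sslEnabledProtocols="TLSv1.2,TLSv.1.1"
    ciphers="ALL:!aNULL:!DES:
      RC4+RSA:+HIGH:+MEDIUM"/>
  <Connector port="8125" scheme="https" secure="true" SSLEnabled="true"
    ciphers="ALL:!aNULL:!DES:+HIGH:+MEDIUM"/>
  <Connector port="8126" scheme="https" secure="true" SSLEnabled="true"
    sslEnabledProtocols="TLSv1.2,TLSv1.1" ciphers="ALL:!3DES:+HIGH"/>
</Service></Server>"""

if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE, {8125}).items():
        print(port, findings or "ok")
```

Pass the contents of DPA_INSTALL_DIR/iwc/tomcat/conf/server.xml as the first argument and the internal connector's port, if one exists, as internal_ports.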