
Disable TLS 1.0 for the default HTTPS connector in DPA

Updated March 13, 2017

Overview

This article provides a workaround for issues with SSL not being PCI compliant in DPA. You can disable TLS 1.0 for the default HTTPS connector, and create a second connector for the Orion integration with TLS 1.0 enabled.

Environment

  • DPA Integration Module 10.2 and earlier
  • DPA Integration Module 11.0 and later

Resolution

For DPAIM 10.2 and earlier

First, configure Tomcat to use two separate HTTPS connectors.

  1. Open the DPA_INSTALL_DIR/iwc/tomcat/conf/server.xml file in a text editor.
  2. Locate the HTTPS connector section.
  3. If there are not already two connector entries, copy the first connector entry and paste it underneath to create a second entry.
  4. Make sure the Connector port value is unique for each entry.
  5. For the external connector (public and accessible from the Internet):
    1. Disable TLS 1.0 by adding the following line:

      sslEnabledProtocols="TLSv1.2,TLSv1.1"

    2. Add !3DES: to the ciphers property.
  6. For the internal connector (the one the DPA Integration Module connects to), leave TLS 1.0 enabled.
  7. Restart DPA.

Second, adjust your firewall settings so that the internal connector cannot be reached from outside the network.

Here is an example of the HTTPS connector section in the server.xml file:

<!-- Secure public HTTPS/SSL connector -->
<Connector port="8124" maxHttpHeaderSize="20480" URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true"
  clientAuth="false" useServerCipherSuitesOrder="true" compression="on"
  compressionMinSize="2048" compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
  keystoreFile="conf/.keystore"
  sslEnabledProtocols="TLSv1.2,TLSv1.1"
  ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:!3DES:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
    !TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
    !TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
    RC4+RSA:+HIGH:+MEDIUM"
/>

<!-- Insecure local HTTPS/SSL connector for Orion Integration -->
<Connector port="8125" maxHttpHeaderSize="20480" URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true"
  clientAuth="false" useServerCipherSuitesOrder="true" compression="on"
  compressionMinSize="2048" compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
  keystoreFile="conf/.keystore"
  ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
    !TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
    !TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
    RC4+RSA:+HIGH:+MEDIUM"
/>

For DPAIM 11.0 and later

Configure Tomcat to use one secure HTTPS connector.

  1. Open the DPA_INSTALL_DIR/iwc/tomcat/conf/server.xml file in a text editor.
  2. Locate the HTTPS connector section.
  3. Disable TLS 1.0 by adding the following line:

    sslEnabledProtocols="TLSv1.2,TLSv1.1"

  4. Add !3DES: to the ciphers property.
  5. Restart DPA.

Here is an example of the HTTPS connector section in the server.xml file:

<!-- Secure public HTTPS/SSL connector -->
<Connector port="8124" maxHttpHeaderSize="20480" URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true"
  clientAuth="false" useServerCipherSuitesOrder="true" compression="on"
  compressionMinSize="2048" compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
  keystoreFile="conf/.keystore"
  sslEnabledProtocols="TLSv1.2,TLSv1.1"
  ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:!3DES:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
    !TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
    !TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
    RC4+RSA:+HIGH:+MEDIUM"
/>
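As an added example (not SolarWinds code), the following Python audit reads a server.xml and reports, for every SSLEnabled connector, whether sslEnabledProtocols still permits TLS 1.0, is missing, or contains a name no TLS stack recognizes (such as the easy "TLSv.1.1" typo), and whether the ciphers list excludes 3DES as this article requires. The embedded server.xml is a constructed sample rather than a DPA installation's file; the only library used is Python's standard xml.etree.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Protocol names Tomcat (JSSE) accepts in sslEnabledProtocols; anything else is a typo.
KNOWN_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1"}  # what this article wants switched off

# Constructed sample, not a real DPA server.xml: 8124 is hardened as the article
# describes, 8125 is the internal Orion connector left with TLS 1.0, and 8126
# carries the "TLSv.1.1" typo, which no TLS implementation recognizes.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8124" scheme="https" secure="true" SSLEnabled="true"
    sslEnabledProtocols="TLSv1.2,TLSv1.1"
    ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:!3DES:
      RC4+RSA:+HIGH:+MEDIUM"/>
  <Connector port="8125" scheme="https" secure="true" SSLEnabled="true"
    ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:RC4+RSA:+HIGH:+MEDIUM"/>
  <Connector port="8126" scheme="https" secure="true" SSLEnabled="true"
    sslEnabledProtocols="TLSv1.2,TLSv.1.1" ciphers="ALL:!3DES"/>
  <Connector port="8123" scheme="http"/>
</Service></Server>"""


def audit_connectors(server_xml: str) -> dict[int, list[str]]:
    """Return {port: [issue, ...]} for every SSLEnabled connector; [] means clean."""
    results: dict[int, list[str]] = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: nothing TLS-related to check
        issues = []
        protos = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
        if not protos:
            issues.append("sslEnabledProtocols not set: TLS 1.0 stays enabled by default")
        for proto in sorted(protos):
            if proto in LEGACY_PROTOCOLS:
                issues.append(f"legacy protocol enabled: {proto}")
            elif proto not in KNOWN_PROTOCOLS:
                issues.append(f"unrecognized protocol name (typo?): {proto}")
        # XML attribute-value normalization turns the line breaks inside a
        # multi-line ciphers value into spaces, so strip each token first.
        ciphers = {c.strip() for c in conn.get("ciphers", "").split(":")}
        if "!3DES" not in ciphers:
            issues.append("ciphers does not exclude 3DES (add !3DES:)")
        results[int(conn.get("port"))] = issues
    return results


if __name__ == "__main__":
    for port, issues in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Point it at DPA_INSTALL_DIR/iwc/tomcat/conf/server.xml after editing and before restarting DPA; the internal connector is expected to be flagged, everything else should come back OK.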