
Disable TLS 1.0 for the default HTTPS connector in DPA

Updated March 13, 2017

Overview

This article provides a workaround for PCI compliance findings against the SSL/TLS configuration in DPA. You disable TLS 1.0 on the default HTTPS connector and, where the Orion integration still requires it, create a second connector with TLS 1.0 enabled.

Environment

  • DPA Integration Module 10.2 and earlier
  • DPA Integration Module 11.0 and later

Resolution

For DPAIM 10.2 and earlier

First, configure Tomcat to use two separate HTTPS connectors.

  1. Open the DPA_INSTALL_DIR/iwc/tomcat/conf/server.xml file in a text editor.
  2. Locate the HTTPS connector section.
  3. If there is only one connector entry, copy it and paste it underneath to create a second entry.
  4. Make sure the Connector port value is unique for each entry.
  5. For the external connector (public and accessible from the Internet):
    1. Disable TLS 1.0 by adding the following attribute to the Connector element:

      sslEnabledProtocols="TLSv1.2,TLSv1.1"

    2. Add !3DES: to the ciphers property.
  6. For the internal connector (the one the DPA Integration Module connects to), keep TLS 1.0 enabled by leaving out the sslEnabledProtocols attribute, as in the example below.
  7. Restart DPA.

Second, adjust your firewall settings so that the internal connector's port cannot be reached from outside the network; only the external connector should be exposed.

Here is an example of the HTTPS connector section in the server.xml file:

<!-- Secure public HTTPS/SSL connector -->
<Connector port="8124" maxHttpHeaderSize="20480" URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true"
  clientAuth="false" useServerCipherSuitesOrder="true" compression="on"
  compressionMinSize="2048" compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
  keystoreFile="conf/.keystore"
  sslEnabledProtocols="TLSv1.2,TLSv1.1"
  ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:!3DES:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
    !TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
    !TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
    RC4+RSA:+HIGH:+MEDIUM"
/>

<!-- Insecure local HTTPS/SSL connector for Orion Integration -->
<Connector port="8125" maxHttpHeaderSize="20480" URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true"
  clientAuth="false" useServerCipherSuitesOrder="true" compression="on"
  compressionMinSize="2048" compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
  keystoreFile="conf/.keystore"
  ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
    !TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
    !TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
    RC4+RSA:+HIGH:+MEDIUM"
/>

For DPAIM 11.0 and later

Configure Tomcat to use one secure HTTPS connector.

  1. Open the DPA_INSTALL_DIR/iwc/tomcat/conf/server.xml file in a text editor.
  2. Locate the HTTPS connector section.
  3. Disable TLS 1.0 by adding the following attribute to the Connector element:

    sslEnabledProtocols="TLSv1.2,TLSv1.1"

  4. Add !3DES: to the ciphers property.
  5. Restart DPA.

Here is an example of the HTTPS connector section in the server.xml file:

<!-- Secure public HTTPS/SSL connector -->
<Connector port="8124" maxHttpHeaderSize="20480" URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true"
  clientAuth="false" useServerCipherSuitesOrder="true" compression="on"
  compressionMinSize="2048" compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
  keystoreFile="conf/.keystore"
  sslEnabledProtocols="TLSv1.2,TLSv1.1"
  ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:!3DES:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
    !TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
    !TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
    RC4+RSA:+HIGH:+MEDIUM"
/>
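
The following Python script is an added example, not code from the article or from SolarWinds or Tomcat. It audits every SSL-enabled Connector in a server.xml for the two changes made in both procedures above (DPAIM 10.2 and earlier, and DPAIM 11.0 and later): an sslEnabledProtocols attribute that no longer allows TLS 1.0, and a !3DES token in the ciphers property. It also flags protocol names Tomcat does not recognise, so a typo such as TLSv.1.1 is caught before a restart. The embedded server.xml is constructed for the demonstration; the 8124/8125 layout mirrors the two-connector example, and plus/minus prefixes on protocol tokens are not handled.

```python
"""Audit HTTPS <Connector> entries in a Tomcat server.xml for the two settings
this article changes: TLS 1.0 disabled via sslEnabledProtocols, and 3DES
removed from the ciphers property.  Added example, not SolarWinds or Tomcat code."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the article's DPAIM 10.2 layout: port 8124 is
# the hardened public connector, port 8125 the Orion-only connector that keeps
# Tomcat's default protocol list, and port 8123 is plain HTTP (not audited).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8124" scheme="https" secure="true" SSLEnabled="true"
      sslEnabledProtocols="TLSv1.2,TLSv1.1"
      ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:!3DES:
        !TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
        RC4+RSA:+HIGH:+MEDIUM"/>
    <Connector port="8125" scheme="https" secure="true" SSLEnabled="true"
      ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:RC4+RSA:+HIGH:+MEDIUM"/>
    <Connector port="8123" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Protocol names the Tomcat JSSE connector accepts in sslEnabledProtocols
# (plain names only; "+"/"-" prefixes are not handled by this script).
KNOWN_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", "all"}
# Any of these leaves TLS 1.0 (or something older) negotiable.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "all"}


def audit_connector(conn):
    """Return findings for one SSL-enabled <Connector> element."""
    attr = conn.get("sslEnabledProtocols")
    if attr is None:
        # Attribute absent: the JVM default list applies, which on the Java
        # releases current for this article still includes TLSv1.
        tokens, unknown, tls10 = [], [], True
    else:
        tokens = [t.strip() for t in attr.split(",") if t.strip()]
        unknown = [t for t in tokens if t not in KNOWN_PROTOCOLS]
        tls10 = any(t in LEGACY_PROTOCOLS for t in tokens)
    # The ciphers value may be wrapped over several lines, so strip each token.
    ciphers = [c.strip() for c in conn.get("ciphers", "").split(":") if c.strip()]
    return {
        "port": conn.get("port"),
        "tls10_allowed": tls10,
        "unknown_protocols": unknown,
        "3des_excluded": "!3DES" in ciphers,
    }


def audit_server_xml(xml_text):
    """Map each SSL-enabled connector's port to its findings."""
    root = ET.fromstring(xml_text)
    return {
        c.get("port"): audit_connector(c)
        for c in root.iter("Connector")
        if c.get("SSLEnabled", "").lower() == "true"
    }


def report(findings):
    """Print one line per connector; return the number of connectors with issues."""
    issues = 0
    for port, f in sorted(findings.items()):
        problems = []
        if f["tls10_allowed"]:
            problems.append("TLS 1.0 still negotiable")
        if f["unknown_protocols"]:
            problems.append("unrecognised protocol token(s): " + ", ".join(f["unknown_protocols"]))
        if not f["3des_excluded"]:
            problems.append("!3DES missing from ciphers")
        print(f"connector {port}: {'OK' if not problems else '; '.join(problems)}")
        issues += bool(problems)
    return issues


if __name__ == "__main__":
    # Pass the path to a real server.xml to audit it; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    sys.exit(1 if report(audit_server_xml(text)) else 0)
```

Run it against DPA_INSTALL_DIR/iwc/tomcat/conf/server.xml after editing and before restarting DPA. On the DPAIM 11.0 single-connector layout every connector should report OK; on the 10.2 two-connector layout the internal connector is expected to report TLS 1.0 as negotiable, which is exactly why the firewall step restricting that port matters.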