
Disable TLS 1.0 for the default HTTPS connector in DPA

Updated March 13, 2017

Overview

PCI DSS treats SSL and TLS 1.0 ("early TLS") as insecure, so a DPA web server that still accepts TLS 1.0 fails a PCI compliance scan. This article provides a workaround: disable TLS 1.0 on the default HTTPS connector that users connect to. With DPA Integration Module 10.2 and earlier, the Orion integration still needs TLS 1.0, so a second, internal-only HTTPS connector with TLS 1.0 enabled is created for it; with DPAIM 11.0 and later a single hardened connector is enough.

Environment

  • DPA Integration Module 10.2 and earlier
  • DPA Integration Module 11.0 and later

Resolution

For DPAIM 10.2 and earlier

First, configure Tomcat to use two separate HTTPS connectors: a hardened one for users, and an internal one that keeps TLS 1.0 for the Orion integration.

  1. Open the DPA_INSTALL_DIR/iwc/tomcat/conf/server.xml file in a text editor.
  2. Locate the HTTPS connector section.
  3. If there is only one connector entry, copy it and paste the copy directly underneath to create a second entry.
  4. Make sure the Connector port value is unique for each entry.
  5. For the external connector (the one users reach, and the only one that should be reachable from the Internet):
    1. Disable TLS 1.0 by adding the following attribute (check the spelling carefully; a misspelled name such as TLSv.1.1 is not a protocol the JVM recognizes, so it does not enable TLS 1.1):

      sslEnabledProtocols="TLSv1.2,TLSv1.1"

    2. Add !3DES: to the ciphers property.
  6. For the internal connector (the one the DPA Integration Module connects to), keep TLS 1.0 enabled: either leave sslEnabledProtocols out, as in the example below, so the JVM default protocol list applies, or set it explicitly to "TLSv1.2,TLSv1.1,TLSv1".
  7. Restart DPA.

Second, use your firewall to block connections to the internal connector's port (8125 in the example below) from every host except the Orion server. The TLS 1.0-capable connector must not be reachable from the network at large, otherwise a PCI scan will find it and the workaround gains nothing.

Here is an example of the HTTPS connector section in the server.xml file:

<!-- Secure public HTTPS/SSL connector -->
<Connector port="8124" maxHttpHeaderSize="20480" URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true"
  clientAuth="false" useServerCipherSuitesOrder="true" compression="on"
  compressionMinSize="2048" compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
  keystoreFile="conf/.keystore"
  sslEnabledProtocols="TLSv1.2,TLSv1.1"
  ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:!3DES:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
    !TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
    !TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
    RC4+RSA:+HIGH:+MEDIUM"
/>

<!-- Insecure local HTTPS/SSL connector for Orion Integration -->
<Connector port="8125" maxHttpHeaderSize="20480" URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true"
  clientAuth="false" useServerCipherSuitesOrder="true" compression="on"
  compressionMinSize="2048" compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
  keystoreFile="conf/.keystore"
  ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
    !TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
    !TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
    RC4+RSA:+HIGH:+MEDIUM"
/>

For DPAIM 11.0 and later

Configure Tomcat to use one secure HTTPS connector. With DPAIM 11.0 and later the Orion integration no longer needs a separate TLS 1.0 connector.

  1. Open the DPA_INSTALL_DIR/iwc/tomcat/conf/server.xml file in a text editor.
  2. Locate the HTTPS connector section.
  3. Disable TLS 1.0 by adding the following attribute (check the spelling carefully; a misspelled name such as TLSv.1.1 is not a protocol the JVM recognizes, so it does not enable TLS 1.1):

    sslEnabledProtocols="TLSv1.2,TLSv1.1"

  4. Add !3DES: to the ciphers property.
  5. Restart DPA.

Here is an example of the HTTPS connector section in the server.xml file:

<!-- Secure public HTTPS/SSL connector -->
<Connector port="8124" maxHttpHeaderSize="20480" URIEncoding="UTF-8" scheme="https" secure="true" SSLEnabled="true"
  clientAuth="false" useServerCipherSuitesOrder="true" compression="on"
  compressionMinSize="2048" compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
  keystoreFile="conf/.keystore"
  sslEnabledProtocols="TLSv1.2,TLSv1.1"
  ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:!3DES:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
    !TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
    !TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
    !TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
    RC4+RSA:+HIGH:+MEDIUM"
/>
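After editing server.xml for either procedure above, it is worth checking the file before restarting DPA rather than waiting for the next PCI scan. The audit below is an added example, not SolarWinds code and not part of DPA. For every Connector with SSLEnabled="true" it reports protocol names in sslEnabledProtocols that JSSE does not know (which catches the TLSv.1.1 misspelling), TLS 1.0 or SSLv3 left enabled either explicitly or implicitly because sslEnabledProtocols is absent, and 3DES or RC4 not excluded in the ciphers string. RC4 is flagged because RFC 7465 prohibits it and the article's cipher string keeps RC4+RSA. The sample server.xml and the hardened variant are constructed for this example, and the JVM default protocol list is an assumption about the Java 7/8 runtimes of the period.

```python
"""Audit a Tomcat server.xml for the TLS hardening described in this article.

Added example, not SolarWinds code and not part of DPA.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Assumption: on the Java 7/8 runtimes DPA shipped with, a connector without
# sslEnabledProtocols gets the JVM server default, which still includes TLSv1.
JVM_DEFAULT_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")
KNOWN_PROTOCOL_NAMES = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1")
WEAK_CIPHER_GROUPS = ("3DES", "RC4")  # RC4 is prohibited by RFC 7465

# Constructed sample in the article's two-connector layout. The public connector
# deliberately carries the misspelling "TLSv.1.1" so the audit shows how it is reported.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <!-- Secure public HTTPS/SSL connector -->
    <Connector port="8124" scheme="https" secure="true" SSLEnabled="true"
      keystoreFile="conf/.keystore"
      sslEnabledProtocols="TLSv1.2,TLSv.1.1"
      ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:!3DES:
        !TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
        RC4+RSA:+HIGH:+MEDIUM" />
    <!-- Insecure local HTTPS/SSL connector for Orion Integration -->
    <Connector port="8125" scheme="https" secure="true" SSLEnabled="true"
      keystoreFile="conf/.keystore"
      ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:RC4+RSA:+HIGH:+MEDIUM" />
    <!-- Plain HTTP connector: not audited -->
    <Connector port="8123" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

# Constructed hardened variant of the public connector: spelling fixed and RC4
# excluded as well. Suggested here, not taken from the article.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8124" scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="conf/.keystore"
    sslEnabledProtocols="TLSv1.2,TLSv1.1"
    ciphers="ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!DES:!3DES:!RC4:+HIGH:+MEDIUM" />
</Service></Server>
"""


def split_list(value):
    """Split a Tomcat list attribute on commas, colons, or whitespace (newlines included)."""
    return [tok for tok in re.split(r"[:,\s]+", value.strip()) if tok]


def enabled_protocols(connector):
    """Return (protocol names, implicit) for a Connector element."""
    raw = connector.get("sslEnabledProtocols")
    if raw is None:
        return list(JVM_DEFAULT_PROTOCOLS), True
    return split_list(raw), False


def cipher_exclusions(cipher_string):
    """Names killed with a '!' prefix in an OpenSSL-style cipher string."""
    return {tok[1:] for tok in split_list(cipher_string) if tok.startswith("!")}


def audit_connector(connector):
    """Return a list of human-readable findings for one SSL-enabled connector."""
    port = connector.get("port", "?")
    findings = []
    protocols, implicit = enabled_protocols(connector)
    for name in protocols:
        if name not in KNOWN_PROTOCOL_NAMES:
            findings.append(f"port {port}: unknown protocol name {name!r} in sslEnabledProtocols (typo?)")
    legacy = [p for p in protocols if p in LEGACY_PROTOCOLS]
    if legacy:
        how = "the JVM default (sslEnabledProtocols absent)" if implicit else "sslEnabledProtocols"
        findings.append(f"port {port}: {', '.join(legacy)} enabled via {how}")
    excluded = cipher_exclusions(connector.get("ciphers", ""))
    for group in WEAK_CIPHER_GROUPS:
        if group not in excluded:
            findings.append(f"port {port}: {group} not excluded in ciphers (add !{group}:)")
    return findings


def audit_server_xml(xml_text):
    """Map each SSL-enabled connector port to its findings (empty list = clean)."""
    root = ET.fromstring(xml_text)
    return {
        conn.get("port", "?"): audit_connector(conn)
        for conn in root.iter("Connector")
        if conn.get("SSLEnabled", "false").lower() == "true"
    }


if __name__ == "__main__":
    # Usage: python audit_tls.py DPA_INSTALL_DIR/iwc/tomcat/conf/server.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, findings in audit_server_xml(text).items():
        print(f"connector {port}: {'OK' if not findings else ''}")
        for line in findings:
            print("  -", line)
```

Run it against DPA_INSTALL_DIR/iwc/tomcat/conf/server.xml; an internal-only connector is expected to report TLS 1.0 enabled, and that finding is acceptable only if the firewall rule from the procedure above is in place. After restarting DPA, confirm the live behaviour too: `openssl s_client -connect <dpa-host>:8124 -tls1` must fail to complete a handshake on the public port, while `-tls1_1` and `-tls1_2` succeed.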