How to configure the Cipher Strength of the Tomcat engine used by the Serena VM Web Application Server and Serena Common Tomcat?



ID:    S139650
Published:    27 March 2013
Updated:    28 June 2018

Operating System(s)

  • All Unix
  • All Windows

Product(s)

  • Deployment Automation
  • Dimensions CM
  • PVCS Version Manager
 

Description

The Tomcat application engine used by the Serena VM Web Application Server and Serena Common Tomcat can be used with HTTPS. By default, the HTTPS connectors carry no ciphers attribute, so Tomcat accepts every cipher suite the JRE enables by default, including weak ones.
 
To prohibit the use of weak ciphers, it is necessary to manually modify the Tomcat SSL connector definitions and assign them an explicit list of acceptable ciphers. This will also solve the Firefox error:
 
Secure Connection Failed

An error occurred during a connection to ServerName:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

 
  • The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  • Please contact the website owners to inform them of this problem.

It additionally solves the following Internet Explorer error users get after Microsoft Windows patch KB3172605 is installed on their PCs:
 
This page can’t be displayed
 
  • Make sure the web address https://ServerName:8443 is correct.
  • Look for the page with your search engine.
  • Refresh the page in a few minutes.

Lastly it solves the error:
 
Error communicating with file server "https://ServerName:8443/serenafs/FileServer;": An SSL error occured. SOAP FAULT: SOAP-ENV:Client "SSL_ERROR_SSL
error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small" Detail: SSL connect failed in tcp_connect().

thrown by File Server clients running VM 8.6 or newer when communicating via HTTPS with a pre-VM 8.6 File Server.

Resolution

Version Manager:
 
To assign a list of acceptable ciphers, do the following: 
 
  1. Open the file VM_Installation_Directory/vm/common/tomcat/conf/server.xml in a text editor.
     
  2. Locate the sections <Connector port=...  /> that have the parameter SSLEnabled="true".

    As of VM 8.4.0, there will be two: one using port 8443 and one using port 8444.
     
  3. In each qualifying connector section, insert the parameter ciphers="CommaSeparatedListOfCipherNames" with a list of all the strong ciphers Tomcat should limit itself to.
     
  4. Restart the Serena VM Web Application Server.
 
An example of how to change the server.xml file using a list of ciphers known to be strong at the time this article was written:

 

Before:

    <Connector port="8443" minSpareThreads="5" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100"  maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="$/conf/serena.keystore"
               keystorePass="serena" truststoreFile="$/conf/serena.keystore"              
               truststorePass="serena"
               clientAuth="false" sslProtocol="TLS"/>
              
    <Connector port="8444" minSpareThreads="5" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100"  maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="$/conf/serena.keystore" keystorePass="serena"
               truststoreFile="$/conf/serena.keystore" truststorePass="serena"
               truststoreAlgorithm="AnyCert"
               clientAuth="true" sslProtocol="TLS"/>
 
After:
 
    <Connector port="8443" minSpareThreads="5"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100"  maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256"
               keystoreFile="$/conf/serena.keystore"
               keystorePass="serena" truststoreFile="$/conf/serena.keystore"              
               truststorePass="serena"
               clientAuth="false" sslProtocol="TLS"/>
              
    <Connector port="8444" minSpareThreads="5"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100"  maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256"
               keystoreFile="$/conf/serena.keystore" keystorePass="serena"
               truststoreFile="$/conf/serena.keystore" truststorePass="serena"
               truststoreAlgorithm="AnyCert"
               clientAuth="true" sslProtocol="TLS"/>

 

Notes:
  • For VM 8.6.0 and newer only, you can also include the Diffie-Hellman (DHE) ciphers if you like. The corresponding ciphers line is:
     
                   ciphers="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256"
     
  • Earlier versions of this document used the following ciphers value:
     
                   ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA"
     
    The cipher SSL_RSA_WITH_3DES_EDE_CBC_SHA has since been removed because 3DES was identified as being vulnerable to the Sweet32 birthday attack (CVE-2016-2183).
     
  • Prior to that, ciphers used to be:

     

                   ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
     
    The Diffie-Hellman cipher suites (with _DHE_ in their names) were initially removed due to a bug in the JRE used by Version Manager 8.5.0 (see KB doc S140646 for details), and were since found to be vulnerable to the Logjam attack (CVE-2015-4000) as well.

     
Serena Common Tomcat (including other Serena products such as Dimensions CM and SDA):
 
To assign a list of acceptable ciphers, do the following: 
 
  1. Open the file Installation_Directory/Common/tomcat/6.0/conf/server.xml in a text editor.
     
  2. Locate the sections <Connector port=...  /> that have the parameter SSLEnabled="true".
     
  3. In each qualifying connector section, insert the parameter ciphers="CommaSeparatedListOfCipherNames" with a list of all the strong ciphers Tomcat should limit itself to.
     
  4. Restart Serena Common Tomcat.
 
An example of how to change the server.xml file using a list of ciphers known to be strong at the time this article was written:

 

Before:

    <Connector port="8443" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" strategy="ms"
               keystoreFile="conf/sample-ssl.jks" keystorePass="serena" keyAlias="tomcat"
               truststoreFile="conf/sample-ssl.jks" truststorePass="serena"
               clientAuth="false" />

    <Connector port="8543" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" strategy="ms"
               keystoreFile="conf/sample-ssl.jks" keystorePass="serena" keyAlias="tomcat"
               truststoreFile="conf/sample-ssl.jks" truststorePass="serena"
               clientAuth="true" truststoreAlgorithm="AnyCert" />
 
After:

    <Connector port="8443" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" strategy="ms"
               keystoreFile="conf/sample-ssl.jks" keystorePass="serena" keyAlias="tomcat"
               truststoreFile="conf/sample-ssl.jks" truststorePass="serena"
               clientAuth="false" />

    <Connector port="8543" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" strategy="ms"
               keystoreFile="conf/sample-ssl.jks" keystorePass="serena" keyAlias="tomcat"
               truststoreFile="conf/sample-ssl.jks" truststorePass="serena"
               clientAuth="true" truststoreAlgorithm="AnyCert" />
 
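The steps above for both Version Manager and Serena Common Tomcat come down to the same two checks: every connector with SSLEnabled="true" must carry an explicit ciphers attribute, and that list must not contain a suite this article has retired. The script below is an added example written for this article; it is not code from Version Manager, Dimensions CM or Serena Common Tomcat. It assumes server.xml parses as XML and uses the attribute names shown above (SSLEnabled, ciphers). Its rejection policy generalizes beyond the article: besides 3DES (Sweet32) and the DHE suites (only acceptable on VM 8.6.0 and newer), it also flags RC4, NULL, export-grade, anonymous, MD5 and single-DES suites; that wider list is the editor's assumption, not something the article states. The embedded sample server.xml is constructed for the demonstration from the "Before" connectors above.

```python
"""Audit and harden the SSL connectors in a Tomcat server.xml.

Added example for this article, not code shipped with Version Manager,
Dimensions CM or Serena Common Tomcat. Assumes a server.xml that parses as
XML and uses the connector attributes the article shows (SSLEnabled, ciphers).
Usage: python audit_ciphers.py VM_Installation_Directory/vm/common/tomcat/conf/server.xml
"""
import re
import sys
import xml.etree.ElementTree as ET

# Suite-name fragments to reject, with the reason. 3DES and DHE come from the
# article's revision history; the remaining rows are the editor's assumption.
WEAK_PATTERNS = (
    (r"_3DES_", "64-bit block cipher, Sweet32 birthday attack (CVE-2016-2183)"),
    (r"_RC4_", "RC4 stream cipher"),
    (r"_NULL_", "NULL cipher, no confidentiality"),
    (r"_EXPORT", "export-grade key length"),
    (r"_anon_", "anonymous key exchange, no server authentication"),
    (r"_MD5$", "MD5 MAC"),
    (r"_DES_CBC_", "single DES"),
)
# The article's explicit strong lists: RSA-only for every version, plus the
# DHE suites that only VM 8.6.0 and newer may add (older JREs negotiate DH
# parameters too small for Firefox and for VM 8.6+ File Server clients).
RSA_SUITES = ("TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA")
DHE_SUITES = ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
              "TLS_DHE_RSA_WITH_AES_128_CBC_SHA")


def split_ciphers(value):
    """Tomcat takes a comma-separated list; whitespace around names is ignored."""
    return [s.strip() for s in value.split(",") if s.strip()]


def check_suite(name, dhe_allowed):
    """Return the reason a suite is rejected, or None if it is acceptable."""
    for pattern, reason in WEAK_PATTERNS:
        if re.search(pattern, name):
            return reason
    if "_DHE_" in name and not dhe_allowed:
        return "ephemeral DH suite: only usable on VM 8.6.0 or newer (weak DH key on older JREs)"
    return None


def _parse(xml_text):
    # insert_comments keeps the comment blocks a real server.xml is full of.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def audit(xml_text, dhe_allowed=False):
    """One (port, suite, reason) finding per SSL connector that has no explicit
    ciphers list (suite is None) or lists a rejected suite. Empty means clean."""
    findings = []
    for conn in _parse(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        port = conn.get("port")
        if "ciphers" not in conn.attrib:
            findings.append((port, None, "no ciphers attribute: the JRE default list applies"))
            continue
        for suite in split_ciphers(conn.get("ciphers")):
            reason = check_suite(suite, dhe_allowed)
            if reason:
                findings.append((port, suite, reason))
    return findings


def harden(xml_text, dhe_allowed=False):
    """Return server.xml with the article's strong list set on every SSL
    connector (an existing ciphers value is replaced). Comments survive, but
    element attributes are re-serialised onto one line, so diff before installing."""
    root = _parse(xml_text)
    suites = (DHE_SUITES if dhe_allowed else ()) + RSA_SUITES
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "").lower() == "true":
            conn.set("ciphers", ", ".join(suites))
    return ET.tostring(root, encoding="unicode")


# Constructed sample, not a real file: the article's two VM connectors, the
# second one carrying the article's retired list that still contains 3DES.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <!-- trimmed: only the SSL connectors matter for this audit -->
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="$/conf/serena.keystore" keystorePass="serena"
               clientAuth="false" sslProtocol="TLS"/>
    <Connector port="8444" scheme="https" secure="true" SSLEnabled="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA"
               truststoreAlgorithm="AnyCert" clientAuth="true" sslProtocol="TLS"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, suite, reason in audit(text):
        print(f"port {port}: {suite or '(no list)'}: {reason}")
```

Run the audit against the real server.xml before and after the edit; pass dhe_allowed=True only for VM 8.6.0 or newer. After the restart, confirm the result from a client machine: `openssl s_client -connect ServerName:8443 -cipher DES-CBC3-SHA` must now fail the handshake (DES-CBC3-SHA is OpenSSL's name for SSL_RSA_WITH_3DES_EDE_CBC_SHA), while `-cipher AES128-GCM-SHA256` (TLS_RSA_WITH_AES_128_GCM_SHA256) must succeed.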