128-bit encryption enforcement How to Guide

From Swivel Knowledgebase Wiki





Enforce 128-bit Encryption on PINsafe Appliance

By default, a PINsafe appliance supports a number of 40- and 56-bit SSL encryption ciphers, in addition to 128-bit ciphers.

In order to disable the weak encryption algorithms, to ensure that only 128-bit encryption is used, you need to modify the Tomcat configuration to specify which ciphers are permissible.

You can edit the Tomcat configuration using Webmin. Log in as usual, then go to the Servers -> PINsafe page. Click on "Edit Tomcat Config File". Locate the line looking something like the following:

<Connector address="0.0.0.0" port="8080" ...

Find the end of this line, indicated by the character sequence />. Delete these 2 characters, and insert a new line containing the following:

ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA" />

Note that this MUST be all on one line.

The entire Connector definition should now look something like the following:

<Connector address="0.0.0.0" port="8080" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/home/swivel/.keystore" keystorePass="lockbox"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA" />

You also need to make the same changes to the Connector with port="8443" (but not the one with port="8181").

Finally, save the changes and restart Tomcat to apply them.
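A check for the edited configuration, added here as an example and not part of the Swivel guide or the appliance software: it parses the Tomcat Connector definitions and reports any enforced Connector (port 8080 or 8443) that is not HTTPS, lacks the ciphers attribute, or offers a suite outside the list above, while leaving port 8181 alone as the guide does. The server.xml fragment is constructed for the example, with keystore attributes omitted.

```python
import xml.etree.ElementTree as ET

# Cipher allow-list copied from the guide above (128-bit suites plus 3DES).
ALLOWED_CIPHERS = {
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
}
# Connectors the guide says must be restricted; port 8181 is left alone.
ENFORCED_PORTS = {"8080", "8443"}


def check_connectors(server_xml):
    """Return {port: [problems]} for each Connector on an enforced port;
    an empty list means it is HTTPS and offers only ALLOWED_CIPHERS."""
    results = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port")
        if port not in ENFORCED_PORTS:
            continue
        problems = []
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            problems.append("not an HTTPS connector")
        raw = conn.get("ciphers")
        if raw is None:
            # Without the attribute Tomcat uses its default cipher list,
            # which is what leaves the 40-/56-bit suites enabled.
            problems.append("ciphers attribute missing")
        else:
            names = {c.strip() for c in raw.split(",") if c.strip()}
            unexpected = sorted(names - ALLOWED_CIPHERS)
            if unexpected:
                problems.append("unexpected ciphers: " + ", ".join(unexpected))
        results[port] = problems
    return results


# Constructed sample: 8080 edited as the guide describes, 8443 not yet,
# 8181 out of scope.  Keystore attributes omitted for brevity.
SAMPLE_SERVER_XML = """<Service name="Catalina">
<Connector address="0.0.0.0" port="8080" scheme="https" secure="true" sslProtocol="TLS"
  ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
<Connector address="0.0.0.0" port="8443" scheme="https" secure="true" sslProtocol="TLS" />
<Connector port="8181" />
</Service>"""

if __name__ == "__main__":
    for port, problems in sorted(check_connectors(SAMPLE_SERVER_XML).items()):
        print(port, "OK" if not problems else "; ".join(problems))
```

The allow-list is the guide's; the RC4 and 3DES suites in it are no longer regarded as strong by current TLS guidance, so re-check the list against current recommendations before relying on it.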
