Configuring Supported Ciphers for Tomcat HTTPS Connections

Updated: 29 October 2021

Product: Jamf Pro

Due to a security vulnerability, cipher suites that use weak Diffie-Hellman key exchange algorithms are disabled in the Tomcat server.xml file installed with Jamf Pro 9.73 and later. When upgrading from Jamf Pro 9.72 or earlier, the list of ciphers is not automatically modified. This means if you are upgrading from Jamf Pro 9.72 or earlier, you must manually replace the list of ciphers to remediate this known vulnerability.

This article provides step-by-step instructions for replacing the existing ciphers in the server.xml file with a list of recommended ciphers.

Upgrades—The following procedure is required for upgrades from Jamf Pro 9.72 or earlier. Jamf Pro installers do not modify an existing server.xml file.
New Installations—New installations of Jamf Pro 9.73 or later include the recommended ciphers by default. No further action is required unless you want to customize the list of supported ciphers, in which case, you can use the following procedure to specify a list of ciphers for HTTPS connections.

Requirements

Jamf Pro 9.72 or earlier

Upgrade to Jamf Pro 9.73 or later.
Open the server.xml file in a text editor. The server.xml file is in:
- Mac: /Library/JSS/Tomcat/conf/server.xml
- Linux: /usr/local/jss/tomcat/conf/server.xml
- Windows: C:\Program Files\JSS\Tomcat\conf\server.xml
Note:
It is recommended that you create a backup of the server.xml file before replacing the existing ciphers.
Search for the ciphers attribute in the Connector element for port="8443".

Replace the existing ciphers with the ciphers listed below. If the ciphers attribute is not present, add it to the Connector element.

ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"

Important:

If you are running Java 1.6 or a JDS instance in your environment, you must also include the following cipher:

TLS_RSA_WITH_AES_128_CBC_SHA

Note:

These recommendations come from The Open Web Application Security Project (OWASP). For additional recommendations on securing Tomcat, see the following documentation from OWASP: https://www.owasp.org/index.php/Securing_tomcat#Encryption

For a complete list of Jamf Pro requirements, see the Jamf Pro System Requirements section in the Jamf Pro Administrator's Guide.

Save and close the server.xml file.
Restart Tomcat. For instructions, see the Starting and Stopping Tomcat article.

Additional Information

For more information about Apache Tomcat HTTP Connectors, go to:

Tomcat 8.5: http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support
Tomcat 8.0: http://tomcat.apache.org/tomcat-8.0-doc/config/http.html#SSL_Support
Tomcat 7.0 http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support