Configuring Supported Ciphers for Tomcat HTTPS Connections

Due to a security vulnerability, cipher suites that use weak Diffie-Hellman key exchange algorithms are disabled in the Tomcat server.xml file installed with Jamf Pro 9.73 and later. When upgrading from Jamf Pro 9.72 or earlier, the list of ciphers is not automatically modified. This means if you are upgrading from Jamf Pro 9.72 or earlier, you must manually replace the list of ciphers to remediate this known vulnerability.

This article provides step-by-step instructions for replacing the existing ciphers in the server.xml file with a list of recommended ciphers.

  • Upgrades: The following procedure is required for upgrades from Jamf Pro 9.72 or earlier. Jamf Pro installers do not modify an existing server.xml file.
  • New Installations: New installations of Jamf Pro 9.73 or later include the recommended ciphers by default. No further action is required unless you want to customize the list of supported ciphers, in which case you can use the following procedure to specify a list of ciphers for HTTPS connections.
Requirements

Jamf Pro 9.72 or earlier

  1. Upgrade to Jamf Pro 9.73 or later.
  2. Open the server.xml file in a text editor. The server.xml file is in:
    • Mac: /Library/JSS/Tomcat/conf/server.xml

    • Linux: /usr/local/jss/tomcat/conf/server.xml

    • Windows: C:\Program Files\JSS\Tomcat\conf\server.xml

    Note:

    It is recommended that you create a backup of the server.xml file before replacing the existing ciphers.

  3. Search for the ciphers attribute in the Connector element for port="8443".
  4. Replace the existing ciphers with the ciphers listed below. If the ciphers attribute is not present, add it to the Connector element.
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
    Important:
    If you are running Java 1.6 or a JDS instance in your environment, you must also include the following cipher:
    TLS_RSA_WITH_AES_128_CBC_SHA
    Note:

    These recommendations come from The Open Web Application Security Project (OWASP). For additional recommendations on securing Tomcat, see the following documentation from OWASP: https://www.owasp.org/index.php/Securing_tomcat#Encryption

    For a complete list of Jamf Pro requirements, see the Jamf Pro System Requirements section in the Jamf Pro Administrator's Guide.

  5. Save and close the server.xml file.
  6. Restart Tomcat. For instructions, see the Starting and Stopping Tomcat article.
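The procedure above is a manual edit, which makes it easy to miss a leftover DH suite or to break the Connector element. The following script is an added example (not Jamf's tooling or any part of the Jamf Pro installer) that audits the port 8443 Connector in a server.xml for finite-field Diffie-Hellman suites, rewrites the ciphers attribute with the list from step 4 (optionally appending the Java 1.6/JDS suite), and writes a .bak copy first as the Note in step 2 recommends. It uses only the Python standard library; the embedded server.xml snippet is constructed for the demonstration and is not a real Jamf file, and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Recommended list from step 4 of the article, in the same order.
RECOMMENDED_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
]

# Extra suite the article requires when Java 1.6 or a JDS instance is in use.
LEGACY_JAVA6_JDS_CIPHER = "TLS_RSA_WITH_AES_128_CBC_SHA"

# Finite-field DH key exchange (DH_, DHE_, DH_anon) is what the article disables.
# Elliptic-curve ECDH/ECDHE names begin with TLS_ECDH and do not match.
WEAK_DH_KEX = re.compile(r"^(?:TLS|SSL)_DHE?_")

# Constructed sample resembling a pre-9.73 server.xml (not a real Jamf file).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- HTTPS connector -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
  </Service>
</Server>
"""


def recommended_ciphers(include_legacy=False):
    """Return the article's list, with the Java 1.6/JDS suite appended on request."""
    ciphers = list(RECOMMENDED_CIPHERS)
    if include_legacy:
        ciphers.append(LEGACY_JAVA6_JDS_CIPHER)
    return ciphers


def connector_ciphers(xml_text, port="8443"):
    """Parse server.xml and return the cipher names on the Connector for `port`."""
    root = ET.fromstring(xml_text)
    for connector in root.iter("Connector"):
        if connector.get("port") == port:
            raw = connector.get("ciphers", "")
            return [c.strip() for c in raw.split(",") if c.strip()]
    raise ValueError(f"no Connector element with port={port!r}")


def weak_dh_suites(ciphers):
    """Return the suites that still negotiate finite-field Diffie-Hellman."""
    return [c for c in ciphers if WEAK_DH_KEX.match(c)]


def set_connector_ciphers(xml_text, new_ciphers, port="8443"):
    """Replace, or add, the ciphers attribute on the Connector for `port`.

    A targeted regex edit is used instead of re-serialising the parsed tree so
    that comments and formatting elsewhere in server.xml survive untouched.
    Assumes the live 8443 Connector is not itself inside an XML comment.
    """
    new_attr = 'ciphers="' + ",".join(new_ciphers) + '"'
    tag_re = re.compile(r'<Connector\b[^>]*?\bport="%s"[^>]*?/?>' % re.escape(port))
    match = tag_re.search(xml_text)
    if match is None:
        raise ValueError(f"no Connector element with port={port!r}")
    tag = match.group(0)
    if re.search(r'\bciphers="[^"]*"', tag):
        updated = re.sub(r'\bciphers="[^"]*"', lambda _: new_attr, tag, count=1)
    else:  # attribute absent: insert it just before the closing "/>" or ">"
        updated = re.sub(r"\s*(/?>)$", lambda mo: " " + new_attr + " " + mo.group(1), tag, count=1)
    return xml_text[: match.start()] + updated + xml_text[match.end():]


def update_server_xml(path, include_legacy=False):
    """Back up server.xml to path + '.bak', write the recommended list, return leftovers."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    with open(path + ".bak", "w", encoding="utf-8") as f:
        f.write(original)
    updated = set_connector_ciphers(original, recommended_ciphers(include_legacy))
    with open(path, "w", encoding="utf-8") as f:
        f.write(updated)
    return weak_dh_suites(connector_ciphers(updated))


if __name__ == "__main__":
    before = connector_ciphers(SAMPLE_SERVER_XML)
    print("weak DH suites before:", weak_dh_suites(before))
    after = connector_ciphers(set_connector_ciphers(SAMPLE_SERVER_XML, recommended_ciphers()))
    print("weak DH suites after:", weak_dh_suites(after))
```

Point `update_server_xml` at the server.xml path for your platform from step 2 (for example /Library/JSS/Tomcat/conf/server.xml on a Mac); an empty return value means no finite-field DH suite remains on the 8443 Connector, after which Tomcat still has to be restarted (step 6) for the change to take effect.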