Appendix D. Setting HTTP SSL Ciphers
For an increased level of HTTP SSL security in TIBCO MFT Command Center, it is good practice to run the server in FIPS mode. If you do not run your TIBCO MFT Command Center in FIPS mode, you have to set higher HTTP SSL cipher strength for client connections.
By default, ciphers are set to the TLS protocol using 128 bit encryption or higher. You can edit the server.xml file which is located in the MFTCC_Install\server\conf directory to set certain SSL ciphers.
A default HTTP connector is defined in this file, as shown in the following example:
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="128" ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" clientAuth="false" compression="off" connectionLinger="-1" connectionTimeout="60000" disableUploadTimeout="true" enableLookups="true" keystoreFile="C:\MFTIS\keystore\keystore.jks" keystorePass="changeit" keystoreType="JKS" maxKeepAliveRequests="100" maxThreads="150" port="443" protocol="org.apache.coyote.http11.Http11Protocol" proxyPort="0" redirectPort="-1" scheme="https" secure="true" server="MFTServer" socket.txBufSize="131072" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" sslProtocol="TLS" tcpNoDelay="true" trustManagerClassName="com.proginet.sift.tomcat.ssldap.TrustAllMgr"/>
The following example forces client connections to maintain cipher strengths of 128 bit or higher. The ciphers in this example are from Oracle Java 8 update 40.
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"
The following example will force client connections to maintain cipher strengths of 256 bit or higher. The ciphers in this example are from Oracle Java 8 update 40.
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
In these examples, the ciphers are limited in default connector to show how to change the ciphers. Limiting the cipher to one is not realistic, this is only for demonstration purposes:
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="128" ciphers=" TLS_RSA_WITH_AES_256_CBC_SHA256" clientAuth="false" compression="off" connectionLinger="-1" connectionTimeout="60000" disableUploadTimeout="true" enableLookups="true" keystoreFile="C:\MFTIS\keystore\keystore.jks" keystorePass="changeit" keystoreType="JKS" maxKeepAliveRequests="100" maxThreads="150" port="443" protocol="org.apache.coyote.http11.Http11Protocol" proxyPort="0" redirectPort="-1" scheme="https" secure="true" server="MFTServer" socket.txBufSize="131072" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" sslProtocol="TLS" tcpNoDelay="true" trustManagerClassName="com.proginet.sift.tomcat.ssldap.TrustAllMgr"/>
After you have saved your changes, you must restart the application server.