FAQ: How to setup strong SSL security on AhsayOBS (3214)

Post by admin » Thu May 21, 2015 2:49 pm

Article ID: 3214
Reviewed: 03/06/2015

Product Version:
AhsayOBS: Pre-7.3.2.0
OS: All platforms

Description:
This article provides instructions on how to set up strong SSL security on AhsayOBS.

This includes disabling SSLv3 because of vulnerabilities in the protocol (e.g. POODLE (Padding Oracle On Downgraded Legacy Encryption) and FREAK (Factoring RSA Export Keys)), as well as setting up a strong cipher suite (e.g. disabling the DHE_EXPORT ciphers (Diffie-Hellman key exchange), which are susceptible to the Logjam vulnerability).

Steps:
To disable SSLv3, first ensure that your AhsayOBS server is patched to version 6.21.2.0 or above (disabling SSLv3 has only been supported since version 6.21.2.0):


Next, to disable all weak cipher suites on AhsayOBS (including the DHE_EXPORT ciphers):

  1. Edit the server.xml file found under ${Install-Home}\conf

    • Open 'server.xml' with a text editor:

      server.xml
      ...
       - <Service name="Tomcat-Standalone">
            <Connector address="0.0.0.0" port="80" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              ...
            <Connector address="0.0.0.0" port="443" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              acceptCount="200" connectionTimeout="60000" disableUploadTimeout="true" URIEncoding="utf-8" ...
              ...
              sslProtocol="TLS" />
       ...

    • Update the HTTPS connector by adding the 'ciphers' parameter and its values:

      ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
      TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"

      server.xml (Updated)
      ...
       - <Service name="Tomcat-Standalone">
            <Connector address="0.0.0.0" port="80" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              ...
            <Connector address="0.0.0.0" port="443" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              acceptCount="200" connectionTimeout="60000" disableUploadTimeout="true" URIEncoding="utf-8" ...
              ...
              sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,
              TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
              SSL_RSA_WITH_3DES_EDE_CBC_SHA"
      />
       ...

    • Save and exit from the text editor.

  2. Restart the AhsayOBS, AhsayRDR or AhsayRPS service by:

    • (Windows) [ Control Panel ] > [ Administrative Tools ] > [ Services ] > [ Ahsay Offsite Backup Server ]

    • (Linux) Run [ ${Install-Home} / bin / startup.sh ]


Keywords:
sslv3, SSL, https, http, v3, POODLE, poodle, freak, weak, cipher, ciphersuite, suite, key
admin
Site Admin
 
Posts: 959
Joined: Mon Jul 10, 2006 3:19 pm
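
A way to check the result of step 1 before restarting the service, as an added example that is not part of the original article or of AhsayOBS: it parses a server.xml and reports, per TLS connector, a missing 'ciphers' attribute or any listed suite whose name contains a weak marker. The sample XML is constructed, and the marker list is this example's assumption; it also flags RC4, MD5 and 3DES suites, which appear in the article's 2015 list and which later guidance deprecates.

```python
import xml.etree.ElementTree as ET

# Substrings treated as weak in a JSSE suite name (this example's assumption).
WEAK_MARKERS = {
    "EXPORT": "export-grade key exchange (FREAK / Logjam)",
    "NULL": "no encryption",
    "anon": "unauthenticated key exchange",
    "_DES_": "single DES",
    "RC4": "RC4 stream cipher (prohibited in TLS by RFC 7465)",
    "MD5": "MD5-based MAC",
    "3DES": "64-bit block cipher",
}

# Constructed sample, modelled on the article's connector layout.
SAMPLE = """<Server><Service name="Tomcat-Standalone">
  <Connector address="0.0.0.0" port="80" />
  <Connector address="0.0.0.0" port="443" sslProtocol="TLS"
    ciphers="SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,
             TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" />
  <Connector address="0.0.0.0" port="8443" sslProtocol="TLS" />
</Service></Server>"""


def audit_connectors(xml_text):
    """Return {port: [findings]} for every TLS-enabled <Connector>."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if "sslProtocol" not in conn.attrib and "ciphers" not in conn.attrib:
            continue  # plain HTTP connector, nothing to audit
        findings = []
        raw = conn.get("ciphers")
        if raw is None:
            findings.append("no ciphers attribute: JVM default suites apply")
        else:
            # Values wrapped across lines carry stray whitespace; strip it.
            for suite in (s.strip() for s in raw.split(",")):
                if not suite:
                    continue
                for marker, why in WEAK_MARKERS.items():
                    if marker in suite:
                        findings.append(f"{suite}: {why}")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE).items():
        print(port, findings or "no weak suites flagged")
```

To audit a real installation, pass the contents of the server.xml under ${Install-Home}\conf to audit_connectors() instead of SAMPLE.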
