4.5 Example: Modifying server.xml to Configure the Encryption Level

128-bit encryption is used in all client communications with Identity Server. If the browser does not support 128-bit encryption, users cannot authenticate.

This example illustrates the following topics:

  • How to modify the supported encryption level by adding or removing the ciphers listed in the server.xml file

  • How the keystore certificate and server addresses are retained in other devices’ server.xml after the change is sent from a server.xml file to all devices

Perform the following steps to configure the encryption level:

  1. In Administration Console Dashboard, click Advanced File Configurator.

  2. Select Identity Server.

  3. Expand the cluster for which you want to modify the configuration.

    If server.xml is not available here, add it first. For information about how to add a file, see Section 4.2.1, Adding Configurations to a Cluster.

  4. Click server.xml.

  5. Turn on File > File Editor.

  6. Search for the cipher attribute in the <Connector> element and then modify the list of ciphers based on your needs. The following is an example configuration to enable 128-bit encryption:

    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA"

    This is a comma-separated list of the JSSE names for the TLS cipher suites.

    IMPORTANT: If you enter a cipher name incorrectly, Tomcat reverts to the default values, which allow the weak ciphers to be used.

    If you want to allow the SSL cipher suites, add the following JSSE names to the list:

    SSL_RSA_WITH_RC4_128_MD5
    SSL_RSA_WITH_RC4_128_SHA

  7. The server.xml file contains keystore passwords and IP addresses specific to each server. The changes from server.xml are sent to each server individually. While applying changes from this file, the IP addresses and keystore passwords in the server.xml connectors of that device are retained.

  8. Click Save.

  9. Specify the following details:

    Restart Identity Server: By default, this option is turned on for server.xml. Keep it turned on. After sending configurations to devices, you are required to restart services by clicking Update All on the Identity Servers page.

    Temporary Modification: Turn on the toggle if you do not want to retain this configuration change in the next Access Manager upgrade.

    Modification Type: Select the type of modification from the list. You can specify the type manually if the list does not contain the required type. You can later use this information to search for files that were updated for a specific type. For example, you can search for all files for which Modification Type is Security Setting.

    Description: Specify the details of the changes you have made in the file. Because you might need to update the configuration many times over a period, you can use these details to track when and what changes were made to the file. You can also use this information as criteria to search for specific files.

  10. Click OK.

  11. Select server.xml that you have modified.

  12. Click the Send Configurations to Servers icon.

  13. Click OK.

    A message is displayed indicating Update All has been enabled for restarting the services.

  14. Go to Devices > Identity Servers, and click Update All.

    By default, Custom Files Configuration is selected. This action restarts the Identity Server service automatically.
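Because a single misspelled suite name in step 6 makes Tomcat silently fall back to its default cipher list (see the IMPORTANT note), it is worth validating the ciphers attribute before sending server.xml to the devices. The following added check is not part of Access Manager or Tomcat; it assumes a known-suite list seeded from the names shown above (extend it from your JDK's JSSE cipher-suite table) and uses a constructed server.xml fragment, with a deliberate typo, as input.

```python
import xml.etree.ElementTree as ET

# Known JSSE cipher-suite names. Assumption: seeded only from the example
# list on this page; add the suites your JDK supports before relying on it.
KNOWN_JSSE_SUITES = {
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "TLS_KRB5_WITH_RC4_128_SHA",
}
# Algorithms that are no longer considered secure (RC4, 3DES, MD5-based MACs).
LEGACY_MARKERS = ("_RC4_", "_3DES_", "_MD5")


def check_ciphers(server_xml: str) -> dict:
    """Classify every name in the ciphers= attribute of each <Connector>
    as 'unknown' (typo: Tomcat would revert to defaults), 'legacy', or 'ok'."""
    root = ET.fromstring(server_xml)
    result = {"unknown": [], "legacy": [], "ok": []}
    for conn in root.iter("Connector"):
        attr = conn.get("ciphers")
        if attr is None:
            continue
        for name in (n.strip() for n in attr.split(",")):
            if not name:
                continue
            if name not in KNOWN_JSSE_SUITES:
                result["unknown"].append(name)
            elif any(marker in name for marker in LEGACY_MARKERS):
                result["legacy"].append(name)
            else:
                result["ok"].append(name)
    return result


# Constructed sample: one typo (trailing "A") and one RC4/MD5 suite.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="/path/to/keystore" keystorePass="changeit"
       ciphers="TLS_RSA_WITH_AES_128_CBC_SHAA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for category, names in check_ciphers(SAMPLE_SERVER_XML).items():
        print(f"{category}: {names}")
```

Any entry under "unknown" should be corrected before the file is sent; entries under "legacy" are valid names that Tomcat will accept but that use RC4, 3DES or MD5.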