Securing Tomcat server
You must ensure the operational security of the application server that runs Application Security. At a minimum, configure Apache Tomcat server to use HTTPS in conjunction with an SSL certificate issued by a trusted certificate authority. Also, take any additional steps necessary to secure Tomcat server in your operating environment.
Using secure cipher suites
OpenText recommends that you use secure SSL/TLS cipher suites in Tomcat.
APR-based SSL connections
Use the SSLCipherSuite directive. For detailed information, see the SSL CipherSuite Directive and Cipher Suites and Enforcing Strong Security.
JSSE-based SSL connections
Use the ciphers and the honorCipherOrder attributes. For details, go to the Apache Tomcat 10 Configuration Reference - The HTTP Connector.
Because of trade-offs between improved security and improved interoperability, better performance, and so on, there is no correct cipher suite choice. However, Apache provides information that can help you make your choice in the Apache Tomcat Ciphers documentation.
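One way to check a JSSE connector configuration against the ciphers and honorCipherOrder attributes described above. This is an added example, not OpenText or Apache code. The sample server.xml fragment is constructed, and the list of weak-suite markers and the function name audit_server_xml are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Markers of suites commonly treated as weak (this example's own list).
WEAK_MARKERS = ("NULL", "EXPORT", "anon", "RC4", "DES", "MD5")

# Constructed server.xml fragment; ports and suite lists are sample values.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true">
      <SSLHostConfig ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_MD5"/>
    </Connector>
    <Connector port="9443" SSLEnabled="true">
      <SSLHostConfig honorCipherOrder="true"
          ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
    </Connector>
    <Connector port="8080"/>
  </Service>
</Server>
"""

def audit_server_xml(xml_text):
    """Return (port, finding) tuples for every TLS-enabled Connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: cipher attributes do not apply
        port = conn.get("port")
        for host in conn.findall("SSLHostConfig"):
            ciphers = host.get("ciphers")
            if ciphers is None:
                findings.append((port, "ciphers not set"))
            else:
                for suite in re.split(r"[,:\s]+", ciphers.strip()):
                    # Tokens starting with ! or - are OpenSSL-style exclusions.
                    if suite[:1] in ("!", "-"):
                        continue
                    if any(marker in suite for marker in WEAK_MARKERS):
                        findings.append((port, f"weak suite listed: {suite}"))
            if host.get("honorCipherOrder", "").lower() != "true":
                findings.append((port, "honorCipherOrder is not true"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"connector {port}: {finding}")
```

The check matches explicit suite names only; it does not expand OpenSSL-style aliases such as HIGH or MEDIUM, so a list built from aliases still needs review against the Apache Tomcat Ciphers documentation.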