Product: TIBCO Spotfire®
How to disable weak cipher suites which are used to encrypt the traffic between the Web player client and the Spotfire server.
This article describes how to disable weak cipher suites e.g. DES based cipher suites which are used to encrypt the traffic between the Web player client and the Spotfire server.
You can remove the ciphers in the ciphers list which you do not wish to use.
In Spotfire server installation directory, go to path \\spotfire_server_install_dir\tss\X.X\tomcat\conf. Here server.xml defines any https connector used by the Spotfire server.
If you want to disable weak cipher suites e.g. DES based cipher suites, you can remove DES based ciphers in server.xml file from ciphers section in htpps connector section mention below:
-----------------------------------------------
<Connector port="443"
maxHttpHeaderSize="16384"
connectionTimeout="30000"
enableLookups="false"
URIEncoding="UTF-8"
disableUploadTimeout="true"
server="TIBCO Spotfire Server"
compression="on"
compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/svg+xml,application/xml,application/octet-stream"
acceptorThreadCount="2"
keepAliveTimeout="30000"
maxKeepAliveRequests="-1"
maxThreads="2000"
SSLEnabled="true"
scheme="https"
secure="true"
keystoreFile="./certs/najimtss01.jks"
keystorePass="changeit"
keystoreType="jks"
keyAlias="najimtss01"
truststoreFile="./certs/najimtss01.jks"
truststorePass="changeit"
truststoreType="jks"
clientAuth="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
useServerCipherSuitesOrder="true"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
-----------------------------------------------
From above ciphers section, you can remove below DES based ciphers to disable weak ciphers suites:
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
https://docs.tibco.com/pub/spotfire_server/7.10.0/doc/html/TIB_sfire_server_tsas_admin_help/GUID-58E436B3-A057-431C-B65C-92FCE34AB224.html
Comments
0 comments
Article is closed for comments.