Tomcat Server Hardening for DIS (in accordance with Cigniti Security Scan suggestions)
1. Upgrade to the latest version of Tomcat Server:
Download the latest version of Tomcat (8.5.49) and replace the existing Tomcat installation with this
new version.
2. Configuration to redirect to HTTPS when the application is accessed over HTTP:
i. Open the Tomcat server.xml (path: <Tomcat-Folder>/conf/server.xml).
ii. Add a new <Connector> tag (the 2nd tag in the example below).
iii. Ensure the authentication certificate (keystore file) and its password are specified in the
new <Connector> tag.
iv. Ensure that redirectPort in the 1st <Connector> tag is the same as “port” in the 2nd <Connector>
tag.
v. Un-comment the lines with the <security-constraint> tag in the web.xml file found at:
<Tomcat-folder>/webapps/<application-folder>/WEB-INF/web.xml
Example configuration in server.xml:
<!-- 1st tag: plain HTTP connector; requests that must use HTTPS are redirected to redirectPort -->
<Connector URIEncoding="utf-8" connectionTimeout="20000" port="8085"
           protocol="HTTP/1.1" redirectPort="8443"/>
<!-- 2nd tag: HTTPS connector; its port must match the redirectPort above.
     keystorePass is stored in clear text here, so restrict read access to server.xml. -->
<Connector SSLEnabled="true" clientAuth="false" connectionTimeout="-1"
           maxHttpHeaderSize="8192" disableUploadTimeout="true" acceptCount="100"
           keystoreFile="C:\HttpsCertificate\Certificate\erwinDGkeystore.jks"
           keystorePass="goerwin@1" maxThreads="150" port="8443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol" scheme="https"
           secure="true" sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
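Step v. asks for the <security-constraint> lines in the application's web.xml to be un-commented but does not show them. The following is an added example of such a constraint, not text from the original document or the DIS application's own web.xml; the constraint name and the /* url-pattern are assumptions to be adapted to the application. The CONFIDENTIAL transport guarantee is what makes Tomcat answer a plain-HTTP request with a redirect to the same path on the HTTP connector's redirectPort (8443 in the server.xml example above).

```xml
<!-- Added example (not from the original document): a transport-only
     <security-constraint> for <application-folder>/WEB-INF/web.xml.
     Constraint name and url-pattern are assumptions; no <auth-constraint>
     is given, so this enforces HTTPS without requiring a login. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <!-- Cover every URL so nothing in the application is served over plain HTTP -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- CONFIDENTIAL: the request must arrive on a secure connector; a request on
             the HTTP connector (port 8085 above) is redirected to https://<host>:8443/... -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

After restarting Tomcat, a request to http://<domain>:8085/ should return a 302 redirect whose Location header uses the https scheme and the port configured as redirectPort; if it does not, check that redirectPort and the HTTPS connector's port match (step iv.).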
3. Reconfigure the service to use 2048-bit DH parameters:
i. Go to the Java home folder.
ii. Navigate to the file <java-home>/lib/security/java.security.
iii. Open java.security and add the following line to the file:
jdk.tls.ephemeralDHKeySize=2048
Note: Oracle documents jdk.tls.ephemeralDHKeySize as a JVM system property; if the entry in java.security has no effect, pass it to the JVM as -Djdk.tls.ephemeralDHKeySize=2048 (for example in CATALINA_OPTS) instead.
4. Configure Tomcat Server to redirect to a default application instead of the Tomcat welcome page:
i. To redirect to the DIS application by default (https://<domain>/), do the following:
Replace the existing index.jsp in <Tomcat-Folder>\webapps\ROOT with the attached file
below. This redirects requests for the Tomcat root context to /MappingManager by default.
Note: If you are using a different context path (https://<domain>/path), i.e.
something other than “/MappingManager”, update the attached file with your path.
Attached file: index.jsp
ii. To set some other application as the default, update index.jsp with the
corresponding application’s context path.