=== Configuring Tomcat connector & security ===
Tomcat's connector configuration is version dependent: attribute names and accepted values change between releases, so the same configuration statements in one version of Tomcat will not work properly in another. Some research and updating is needed for each new version of tomcat.

The UA IdP as of 2015-01 is using tomcat version 6. For that version, we configured tomcat to respond on secured port 8444 (the IdP runs as the unprivileged tomcat user, which cannot bind a port below 1024, so a high-numbered port is required) with the following snippet in the tomcat configuration (/opt/tomcat/conf/server.xml on the UA IdP servers) as of 2015-01:
{{{
<!-- HTTPS connector for the IdP: JSSE (keystore-based) TLS, no client certificates requested -->
<Connector port="8444"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
           keystoreFile="/opt/shibboleth-idp/credentials/idp.alaska.edu.jks"
           keystorePass="••••••••••••" />
}}}
This limits ciphers to those supported in the installed JDK version and considered safest by [https://www.ssllabs.com/ssltest/analyze.html| Qualys SSL Labs]. Note that Tomcat ignores, rather than rejecting at startup, any name in the ciphers list that the installed JDK does not implement, so the suites actually offered can be a subset of those listed; check the live port with SSL Labs or openssl s_client rather than trusting server.xml. The two 3DES suites are the weakest in the list and should be the first to drop once client compatibility allows. The keystorePass is stored in cleartext in server.xml, so that file must not be readable by other users on the host.
This configuration does not provide PFS as deployed: the ECDHE and DHE suites in the list are the ones that would, but they are not negotiated with the Tomcat 6 / JDK combination in use, so getting PFS will require an update to tomcat and the JDK.
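A static audit of the Connector above, written as an added example for this page (it is not code from the UA IdP, Shibboleth or Tomcat): it parses a server.xml (a constructed copy of the snippet above with the placeholder password "changeit"), splits the ciphers list by Tomcat's comma convention, reports which suites use ephemeral ECDHE/DHE key exchange and which are 3DES/RC4/NULL/export/anonymous, flags SSLv2Hello/SSLv3 and the pre-1.2 TLS versions, and notes the cleartext keystorePass. Because the static check cannot know which suites the installed JDK really implements, the hypothetical probe_forward_secrecy helper offers only ECDHE/DHE suites to a live host and returns what was negotiated, which is the direct test of the PFS claim.

```python
"""Audit the TLS settings of Tomcat <Connector> elements in server.xml (added example)."""
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the Tomcat 6 connector from this page, password replaced by a placeholder.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" clientAuth="false"
               sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA"
               keystoreFile="/opt/shibboleth-idp/credentials/idp.alaska.edu.jks"
               keystorePass="changeit" />
  </Service>
</Server>
"""

FORWARD_SECRET_KX = ("ECDHE_", "DHE_")          # ephemeral key exchange in JSSE suite names
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")   # TLS 1.3 suites name no key exchange; always PFS
WEAK_PATTERNS = {"3DES": "3DES_EDE", "RC4": "RC4", "NULL cipher": "NULL",
                 "export-grade": "EXPORT", "anonymous DH": "_anon_"}
LEGACY_PROTOCOLS = ("SSLv2Hello", "SSLv3")       # never acceptable on an IdP
DEPRECATED_PROTOCOLS = ("TLSv1", "TLSv1.1")      # accepted in 2015, flagged by current policy


def split_list(attr):
    """Tomcat accepts comma-separated attribute lists; tolerate stray whitespace."""
    return [item.strip() for item in attr.split(",") if item.strip()]


def provides_forward_secrecy(suite):
    """True for ECDHE_*/DHE_* key exchange (token after the SSL_/TLS_ prefix) and TLS 1.3 suites."""
    if suite.startswith(TLS13_PREFIXES):
        return True
    return suite.split("_", 1)[1].startswith(FORWARD_SECRET_KX)


def weaknesses(suite):
    """Labels of every known-weak primitive found in a JSSE suite name."""
    return [label for label, needle in WEAK_PATTERNS.items() if needle in suite]


def audit_connector(connector):
    """Return a dict of findings for one SSL-enabled <Connector> element."""
    findings = []
    # Tomcat 6 used sslProtocols; later versions use sslEnabledProtocols.
    protocols = split_list(connector.get("sslProtocols", connector.get("sslEnabledProtocols", "")))
    ciphers = split_list(connector.get("ciphers", ""))
    for proto in protocols:
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")
        elif proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {proto}")
    for suite in ciphers:
        for label in weaknesses(suite):
            findings.append(f"{label} suite enabled: {suite}")
    pfs = [c for c in ciphers if provides_forward_secrecy(c)]
    non_pfs = [c for c in ciphers if not provides_forward_secrecy(c)]
    if not pfs:
        findings.append("no forward-secret (ECDHE/DHE) suite configured")
    if connector.get("keystorePass"):
        findings.append("keystorePass stored in cleartext in server.xml; restrict file permissions")
    return {"port": connector.get("port"), "protocols": protocols,
            "pfs": pfs, "non_pfs": non_pfs, "findings": findings}


def audit_server_xml(xml_text):
    """Audit every SSLEnabled connector in a server.xml document string."""
    root = ET.fromstring(xml_text)
    return [audit_connector(c) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def probe_forward_secrecy(host, port, timeout=5.0):
    """Hypothetical live check: offer only ECDHE/DHE suites; return (cipher, protocol) or None.

    The JDK silently drops unsupported ciphers from the list, so only a handshake shows
    whether a forward-secret suite is really negotiated. Certificate checks are disabled
    because the question here is the cipher, not the trust chain.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ECDHE:DHE")  # OpenSSL aliases for ephemeral key exchange (TLS <= 1.2)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, proto, _bits = tls.cipher()
                return name, proto
    except OSError:  # ssl.SSLError (no shared cipher) is a subclass of OSError
        return None


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for result in audit_server_xml(text):
        print(f"port {result['port']}: protocols {result['protocols']}")
        print(f"  forward-secret suites: {result['pfs']}")
        print(f"  static RSA suites:     {result['non_pfs']}")
        for finding in result["findings"]:
            print(f"  ! {finding}")
```

Run it as `python3 audit_connector.py /opt/tomcat/conf/server.xml`; with no argument it audits the embedded sample. On the snippet above it lists three ephemeral suites and two static-RSA ones and flags both 3DES suites, so the static audit alone would wrongly suggest PFS is available; only `probe_forward_secrecy("idp.example", 8444)` (or SSL Labs) shows whether the JDK in use actually negotiates them.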