Disable TLS 1.1 for Tomcat

Article ID: 226912

Products

iDash Workload Automation for CA 7, iDash Workload Automation

Issue/Introduction

Need to change the TLS version from 1.1 to 1.2 for Tomcat. Do not currently have SSL enabled. Is this as simple as updating the server.xml file in the tomcat8/conf directory? Or are there other considerations? Looking to implement SSL next year but need this fixed before that will occur per our vulnerabilities team.

Environment

Release : 12.1

Component : CA WORKLOAD AUTOMATION iDASH FOR CA 7

Resolution

Once HTTPS is configured, you would need to remove TLSv1.1 from the sslEnabledProtocols entry in the HTTPS connector statement.

<Connector
  compressableMimeType="text/html,text/xml,text/plain,text/css,application/javascript,application/json"
  compression="on"
  connectionTimeout="130000"
  keepAliveTimeout="130000"
  asyncTimeout="130000"
  maxExtensionSize="-1"
  socket.rxBufSize="131070"
  socket.performanceConnectionTime="1"
  socket.performanceLatency="2"
  socket.performanceBandwidth="3"
  socket.appReadBufSize="131070"
  port="8443"
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="150"
  SSLEnabled="true"
  sslProtocol="TLS"
  sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
  scheme="https"
  secure="true"
  clientAuth="false"
  keystoreFile="full\path\to\IDASH_HOME\contrib\<idash_hostname.domain.com>.kdb"
  keyAlias="<idash_hostname.domain.com>"
  keystorePass="<password>" />
 
https://techdocs.broadcom.com/us/en/ca-mainframe-software/automation/ca-workload-automation-idash/12-1/installing/post-installation/enable-https.html
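
One way to audit a server.xml for the setting discussed above, as an added example that is not part of the original article or Broadcom's own tooling. It goes beyond the article by also flagging TLSv1 and SSLv2Hello (an assumption about local policy); the function name and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Protocol names treated as legacy in this audit
# (assumption: only TLSv1.2 and later are acceptable under local policy).
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample modelled on the connector above (trimmed, placeholder keystore values).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443"
      protocol="org.apache.coyote.http11.Http11NioProtocol"
      SSLEnabled="true"
      sslProtocol="TLS"
      sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello"
      scheme="https" secure="true" clientAuth="false"
      keystoreFile="placeholder.kdb" keyAlias="placeholder" keystorePass="placeholder" />
  </Service>
</Server>"""


def audit_connectors(xml_text):
    """Return one finding per HTTPS connector: port, legacy protocols, trimmed list."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # non-TLS connector: sslEnabledProtocols does not apply
        raw = conn.get("sslEnabledProtocols")
        if raw is None:
            # Attribute absent: the JVM defaults decide, so flag for manual review.
            findings.append({"port": conn.get("port"), "legacy": None, "suggested": None})
            continue
        enabled = [p.strip() for p in raw.split(",") if p.strip()]
        legacy = [p for p in enabled if p in LEGACY]
        keep = [p for p in enabled if p not in LEGACY]
        findings.append({"port": conn.get("port"), "legacy": legacy,
                         "suggested": ",".join(keep)})
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

An empty `legacy` list for every HTTPS connector means the file already matches the policy; a `None` value means the attribute is missing and the effective protocols come from the JVM.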