Weak SSL/TLS Key Exchange being reported by Qualys scans against Autosys Web Server or WebUI (WCC) ports

Article ID: 248447

Products

Autosys Workload Automation

Issue/Introduction

Qualys vulnerability scans report that the Autosys Web Server or WebUI (WCC) server on port 9443/8443 allow weak SSL/TLS Key Exchanges

Environment

Workload Automation AE (AutoSys)

Resolution

Verify that the ciphers you intend to use are listed as Secure/Recommended in the CipherSuites knowledge base. Either the GnuTLS name or the OpenSSL name can be used as the value for the ciphers in the steps below.

NOTE: It is acceptable to add a cipher to, or remove one from, the cipher lists shown in the configuration files below. Work with your company's security analyst on what should be removed, and remove it. From the AutoSys standpoint any such list is fine, as long as your security analysts have approved it.


  1. First, ensure the keystore was generated with a key size of 2048 bits: when the keytool command is used to create the private key, use the flag -keysize 2048 (see: Change the Web Server SSL Protocol to TLSv1.2, and Generate a Private Key and Self-Signed Certificate).

  2. For the Autosys Web Server, disable TLS v1.1 and v1.0 by updating the HTTPS connector in the file $AUTOUSER/webserver/conf/server.xml. Remove TLS 1.1/1.0 and enforce TLS 1.2 only. Also remove references to any RSA 1024-bit ciphers. The resulting connector entry should look like:

    <Connector SSLEnabled="true" acceptCount="100" ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" clientAuth="false" keystoreFile="/opt/CA/WorkloadAutomationAE/autouser.ACE/webserver/conf/.keystore" keystorePass="changeit" keystoreType="BCFKS" maxThreads="400" port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" relaxedQueryChars="|&lt;&gt;" scheme="https" secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>

    Note: the whole connector entry above is on a single line.

  3. For WebUI / WCC, make the same change in $CA_WCC_INSTALL_LOCATION/tomcat/conf/server.xml:

    <Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" clientAuth="false" compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript,application/json" compression="on" disableUploadTimeout="true" enableLookups="false" keyAlias="tomcat" keystoreFile="/opt/CA/WorkloadAutomationAE/wcc/data/config/.keystore" keystorePass="changeit" maxThreads="150" minSpareThreads="25" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" server="WCC" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" useSendfile="false"/>

  4. Restart the Autosys Web Server / WCC services for the change to take effect.
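The following audit script is an added example and is not part of this article or of the AutoSys/WCC product. Before restarting the services in step 4, it checks that every SSL-enabled Tomcat connector in a server.xml enforces TLSv1.2 (or TLSv1.3) only and lists only ECDHE key-exchange suites, which is what the Qualys "weak key exchange" finding is about. It accepts both the JSSE names used in the connectors above (TLS_ECDHE_...) and OpenSSL-style names (ECDHE-...), which goes slightly beyond the article. The sample server.xml, ports and file path are constructed for illustration; the 2048-bit key-size requirement from step 1 lives in the keystore and is not visible in server.xml, so it is not checked here.

```python
"""Audit Tomcat HTTPS connectors for legacy TLS versions and non-ECDHE ciphers.

Added example (not the article's or the product's code). Parses a server.xml,
finds every <Connector SSLEnabled="true">, and reports settings a Qualys
weak-key-exchange scan would flag. Sample XML below is constructed.
"""
import sys
import xml.etree.ElementTree as ET

# Protocol versions that may remain enabled (the article enforces TLSv1.2 only).
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# TLS 1.3 suite names carry no key-exchange token because 1.3 is always
# ephemeral (EC)DHE, so they must not be flagged as static key exchange.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
}


def _split_list(value):
    """Split a comma-separated Tomcat attribute into a clean list."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_connector(attrs):
    """Return a list of findings (empty list == connector passes the policy)."""
    findings = []

    protocols = set(_split_list(attrs.get("sslEnabledProtocols", "")))
    if not protocols:
        findings.append("sslEnabledProtocols not set; JSSE defaults may enable TLSv1.0/1.1")
    for proto in sorted(protocols - ALLOWED_PROTOCOLS):
        findings.append(f"legacy protocol enabled: {proto}")

    ciphers = _split_list(attrs.get("ciphers", ""))
    if not ciphers:
        findings.append("ciphers not set; default list includes static-RSA key exchange")
    for suite in ciphers:
        name = suite.upper()
        if name in TLS13_SUITES:
            continue
        # JSSE names start with TLS_ECDHE_, OpenSSL names with ECDHE-.
        if not (name.startswith("TLS_ECDHE_") or name.startswith("ECDHE-")):
            findings.append(f"key exchange is not ECDHE: {suite}")
    return findings


def audit_server_xml(xml_text):
    """Map each SSL-enabled connector's port to its findings."""
    root = ET.fromstring(xml_text)
    results = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP / AJP connectors are out of scope
        results[conn.get("port", "?")] = audit_connector(conn.attrib)
    return results


def audit_file(path):
    """Audit a real server.xml on disk (path is caller-supplied)."""
    with open(path, encoding="utf-8") as fh:
        return audit_server_xml(fh.read())


# Constructed sample: port 9443 is the 'before' state, 8443 the hardened state
# from the article (TLSv1.2 only, four ECDHE GCM suites).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector SSLEnabled="true" port="9443" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
    <Connector SSLEnabled="true" port="8443" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
               ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    # Usage: python audit_tls.py [/path/to/server.xml]; no argument runs the sample.
    report = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_server_xml(SAMPLE_SERVER_XML)
    for port, findings in report.items():
        status = "OK" if not findings else "FINDINGS"
        print(f"port {port}: {status}")
        for item in findings:
            print(f"  - {item}")
```

Run it against $AUTOUSER/webserver/conf/server.xml and $CA_WCC_INSTALL_LOCATION/tomcat/conf/server.xml after editing and again after the restart; a connector with an empty findings list matches the policy in steps 2 and 3. The policy is deliberately strict (ECDHE only, matching the article's cipher list); if your security analysts approve additional suites, extend the prefix check accordingly.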


Additional Information