Configuring Supported Ciphers for Tomcat HTTPS Connections
Due to a security vulnerability, cipher suites that use weak Diffie-Hellman key exchange algorithms are disabled in the Tomcat server.xml file installed with Jamf Pro 9.73 and later. Because upgrades leave an existing server.xml file untouched, the list of ciphers is not updated when you upgrade from Jamf Pro 9.72 or earlier. In that case you must replace the list of ciphers manually to remediate this known vulnerability.
This article provides step-by-step instructions for replacing the existing ciphers in the server.xml file with a list of recommended ciphers.
Upgrades—The following procedure is required for upgrades from Jamf Pro 9.72 or earlier. Jamf Pro installers do not modify an existing server.xml file in order to preserve any customizations on an upgrade.
New Installations—New installations of Jamf Pro 9.73 or later include the recommended ciphers by default. No further action is required unless you want to customize the list of supported ciphers, in which case, you can use the following procedure to specify a list of ciphers for HTTPS connections.
Jamf Pro 9.72 or earlier
- Upgrade to Jamf Pro 9.73 or later.
- Open the server.xml file in a text editor.
The server.xml file is located in:
- Mac: /Library/JSS/Tomcat/conf/server.xml
- Linux: /usr/local/jss/tomcat/conf/server.xml
- Windows: C:\Program Files\JSS\Tomcat\conf\server.xml
Note: It is recommended that you create a backup of the server.xml file before replacing the existing ciphers.
- Search for the ciphers attribute in the Connector element for port="8443".
- Replace the existing ciphers with the ciphers listed below. If the ciphers attribute is not present, add it to the Connector element.
Note: These recommendations come from The Open Web Application Security Project (OWASP). For additional recommendations on securing Tomcat, see the following documentation from OWASP:
- If you are running Java 1.6 or a JDS instance in your environment, you must also include the following cipher:
For a complete list of Jamf Pro requirements, see the "Requirements" section in the Jamf Pro Administrator's Guide for your version of Jamf Pro.
- Save and close the server.xml file.
- Restart Tomcat.
For instructions, see Starting and Stopping Tomcat.
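The following script is an added example for checking the result of the procedure above; it is not part of this article or of Jamf Pro. It parses a server.xml file, locates the Connector element for port="8443", and reports whether a ciphers attribute is present and whether it still lists suites whose key exchange is finite-field Diffie-Hellman (DH, DHE or DH_anon), the kind the article says were disabled. It only reads the file: ElementTree drops XML comments on output, so the edit itself should still be made by hand as in step 4. The embedded server.xml fragment and its cipher list are constructed for the example and are not Jamf's recommended list.

```python
"""Audit the HTTPS Connector in a Tomcat server.xml for weak DH cipher suites.

Added example (not Jamf's code). Usage:
    python audit_ciphers.py /Library/JSS/Tomcat/conf/server.xml
With no argument the constructed sample below is audited instead.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a pre-9.73 style Connector that still allows DH suites.
# The cipher names are illustrative, not a recommended list.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_RC4_128_MD5" />
  </Service>
</Server>
"""

# JSSE suite names whose key exchange is finite-field Diffie-Hellman:
# TLS_DH_*, TLS_DHE_*, SSL_DH_*, SSL_DHE_* and the anonymous *_DH_anon_* suites.
# ECDHE suites (TLS_ECDHE_*) do not match; elliptic-curve DH is not the weak case.
WEAK_DH_PATTERN = re.compile(r"^(TLS|SSL)_DHE?_|_DH_anon_")


def https_connector(xml_text, port="8443"):
    """Return the Connector element listening on `port`, or None if absent."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("port") == port:
            return conn
    return None


def configured_ciphers(xml_text, port="8443"):
    """Return the Connector's ciphers attribute as a list (empty if absent)."""
    conn = https_connector(xml_text, port)
    if conn is None:
        raise ValueError("no Connector element with port=%s" % port)
    raw = conn.get("ciphers", "")
    return [c.strip() for c in raw.split(",") if c.strip()]


def weak_dh_ciphers(ciphers):
    """Return the suite names from `ciphers` that use finite-field DH key exchange."""
    return [c for c in ciphers if WEAK_DH_PATTERN.search(c)]


def audit(xml_text, port="8443"):
    """Summarise the HTTPS Connector: is ciphers set, and which weak suites remain."""
    ciphers = configured_ciphers(xml_text, port)
    return {
        "ciphers_attribute_present": bool(ciphers),
        "cipher_count": len(ciphers),
        "weak_dh": weak_dh_ciphers(ciphers),
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    result = audit(text)
    if not result["ciphers_attribute_present"]:
        print("ciphers attribute missing on port 8443: Tomcat/Java defaults apply; add it (step 4)")
    elif result["weak_dh"]:
        print("weak DH suites still configured:")
        for name in result["weak_dh"]:
            print("  " + name)
    else:
        print("%d ciphers configured, no finite-field DH suites" % result["cipher_count"])
```

Run it against the backed-up server.xml before editing and against the edited file before restarting Tomcat. A missing attribute is reported as a finding in its own right, since Tomcat then falls back to the Java runtime's default suite list rather than the configured one. After the restart, an external check such as `openssl s_client -connect <host>:8443 -cipher DHE` (host name is a placeholder) should fail to complete a handshake if the DH suites are gone.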
For more information about Apache Tomcat HTTP Connectors, go to: