
Configuring Supported Ciphers for Tomcat HTTPS Connections

Overview

Due to a security vulnerability, cipher suites that use weak Diffie-Hellman key exchange algorithms are disabled in the Tomcat server.xml file installed with Jamf Pro 9.73 and later. When upgrading from Jamf Pro 9.72 or earlier, the list of ciphers is not automatically modified. This means if you are upgrading from Jamf Pro 9.72 or earlier, you must manually replace the list of ciphers to remediate this known vulnerability.

This article provides step-by-step instructions for replacing the existing ciphers in the server.xml file with a list of recommended ciphers.

Upgrades—The following procedure is required for upgrades from Jamf Pro 9.72 or earlier. Jamf Pro installers do not modify an existing server.xml file in order to preserve any customizations on an upgrade.
New Installations—New installations of Jamf Pro 9.73 or later include the recommended ciphers by default. No further action is required unless you want to customize the list of supported ciphers, in which case, you can use the following procedure to specify a list of ciphers for HTTPS connections.

Products Affected

Jamf Pro 9.72 or earlier

Procedure

  1. Upgrade to Jamf Pro 9.73 or later.
  2. Open the server.xml file in a text editor. The server.xml file is located in:
    • Mac: /Library/JSS/Tomcat/conf/server.xml
    • Linux: /usr/local/jss/tomcat/conf/server.xml
    • Windows: C:\Program Files\JSS\Tomcat\conf\server.xml
    Note: It is recommended that you create a backup of the server.xml file before replacing the existing ciphers.
  3. Search for the ciphers attribute in the Connector element for port="8443".
  4. Replace the existing ciphers with the ciphers listed below. If the ciphers attribute is not present, add it to the Connector element.

     ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
     TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
     TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
     TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"

     Note: These recommendations come from the Open Web Application Security Project (OWASP). For additional recommendations on securing Tomcat, see the OWASP documentation: https://www.owasp.org/index.php/Securing_tomcat#Encryption
  5. If you are running Java 1.6 or a JDS instance in your environment, you must also include the following cipher:

     TLS_RSA_WITH_AES_128_CBC_SHA

     For a complete list of Jamf Pro requirements, see the "Requirements" section in the Jamf Pro Administrator's Guide for your version of Jamf Pro.
  6. Save and close the server.xml file.
  7. Restart Tomcat. For instructions, see Starting and Stopping Tomcat.
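
The procedure above, as an added worked example (this is not Jamf's tooling and not code from the article): a Python script that finds the live port-8443 Connector in server.xml, reports which of its current suites are weak, backs the file up, and rewrites the ciphers attribute to the recommended list, optionally with the Java 1.6/JDS suite from step 5. It assumes the layout the article describes (one active Connector for port 8443 with a comma-separated ciphers attribute) and edits the file as text so comments and formatting elsewhere in server.xml survive. The sample server.xml embedded in the script is constructed for illustration, not a real Jamf file.

```python
"""Audit and remediate the ciphers attribute on Tomcat's port-8443 Connector.

Added example for this article, not Jamf's own tooling. Assumes one live
<Connector port="8443" ...> element whose "ciphers" attribute is a
comma-separated list of JSSE suite names. Edits are done as text so the
rest of server.xml (comments, indentation) is left untouched.
"""
import re
import shutil
import sys
import time

# The article's recommended list (Jamf Pro 9.73+ default), in its order.
RECOMMENDED_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
]
# Extra suite the article requires when Java 1.6 or a JDS is in the environment.
LEGACY_CIPHER = "TLS_RSA_WITH_AES_128_CBC_SHA"

# Suites the article disables (finite-field DHE/DH key exchange) plus suites
# nobody should still offer: anonymous DH, export grade, NULL, RC4, (3)DES, MD5.
WEAK_RE = re.compile(r"_(DHE?|DH_anon|ECDH_anon|EXPORT\w*|NULL|RC4|3?DES)_|_MD5$")

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
CONNECTOR_RE = re.compile(r"<Connector\b[^>]*>", re.S)
PORT_RE = re.compile(r'\bport\s*=\s*"(\d+)"')
CIPHERS_RE = re.compile(r'\bciphers\s*=\s*"([^"]*)"', re.S)


def parse_cipher_list(value):
    """Split a ciphers attribute; tolerates spaces and line breaks after commas."""
    return [c.strip() for c in value.split(",") if c.strip()]


def is_weak(name):
    return bool(WEAK_RE.search(name))


def find_connector(xml_text, port="8443"):
    """Match for the live <Connector> on `port`. Commented-out connectors
    (Tomcat's stock server.xml ships one for 8443) are skipped."""
    comments = [(c.start(), c.end()) for c in COMMENT_RE.finditer(xml_text)]
    for m in CONNECTOR_RE.finditer(xml_text):
        if any(s <= m.start() < e for s, e in comments):
            continue
        pm = PORT_RE.search(m.group(0))
        if pm and pm.group(1) == port:
            return m
    raise ValueError(f"no active Connector element for port {port}")


def audit(xml_text, port="8443"):
    """Current cipher list on the connector and which entries are weak."""
    element = find_connector(xml_text, port).group(0)
    cm = CIPHERS_RE.search(element)
    current = parse_cipher_list(cm.group(1)) if cm else []
    return {"present": cm is not None, "ciphers": current,
            "weak": [c for c in current if is_weak(c)]}


def remediate(xml_text, include_legacy=False, port="8443"):
    """Return server.xml text with the connector's ciphers set to the
    recommended list (plus LEGACY_CIPHER when include_legacy is set)."""
    m = find_connector(xml_text, port)
    ciphers = RECOMMENDED_CIPHERS + ([LEGACY_CIPHER] if include_legacy else [])
    new_attr = 'ciphers="' + ",".join(ciphers) + '"'
    element = m.group(0)
    if CIPHERS_RE.search(element):
        element = CIPHERS_RE.sub(lambda _: new_attr, element, count=1)
    else:  # attribute absent (step 4): add it right after the tag name
        element = element.replace("<Connector", "<Connector " + new_attr, 1)
    return xml_text[:m.start()] + element + xml_text[m.end():]


# Constructed sample in the shape of a pre-9.73 server.xml (not a real Jamf file).
SAMPLE_SERVER_XML = """<Server>
  <!-- <Connector port="8443" ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA" /> -->
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                      SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
</Server>
"""

if __name__ == "__main__":
    # Usage: python audit_ciphers.py /path/to/server.xml [--legacy] [--write]
    path = sys.argv[1]
    text = open(path, encoding="utf-8").read()
    print("weak suites:", audit(text)["weak"] or "none")
    if "--write" in sys.argv:
        shutil.copy2(path, f"{path}.{time.strftime('%Y%m%d-%H%M%S')}.bak")  # backup first
        open(path, "w", encoding="utf-8").write(remediate(text, "--legacy" in sys.argv))
```

Run it without --write first to see what the connector currently offers; Tomcat still has to be restarted after the file is rewritten, and the connector must be the one on 8443 rather than the commented-out example Tomcat ships, which is why the script skips anything inside an XML comment.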

Additional Information

For more information about Apache Tomcat HTTP Connectors, go to:

Posted by cmarker

Can you provide a source for strong ciphers, or maybe just the ones that get specified when doing a fresh install of Casper?

Posted by jkb
The server.xml file is located in: - Mac: /Library/JSS/Tomcat/conf/server.xml - Linux: C:\Program Files\JSS\Tomcat\conf\server.xml - Windows: /usr/local/jss/tomcat/conf/server.xml

n.b. The Windows and Linux file paths are mixed up.

jkb

Posted by kristen.bates

Thank you. The file paths should be correct now.

Posted by ekkehard

If you don't like to do this manually vote here:
Update port 8443 ciphers during upgrades

Posted by higginsta

So I ran into this error this morning on Firefox 39 and Chrome 45 (beta). I updated the ciphers to the recommended list and upon restart I could not connect with any browser due to the following error:

Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

Tomcat restarted cleanly and I double checked the syntax. Is there an updated KB that deals with this issue?

Thanks,

Todd

Posted by jhalvorson

After making the change to the cipher attribute on a test JSS, devices with 10.5 were no longer able to securely connect to the JSS and I could not use any of the functions in Casper Remote to a client with 10.5.

Have others seen this issue? Is it to be expected due to the age and limitations of 10.5 and older?

Posted by cvgs

After trying to enroll a 9.73 JDS running on Ubuntu 14.04 LTS into a 9.73 JSS running Java 8 on Windows, I found that I had to add TLS_RSA_WITH_AES_128_CBC_SHA to the cipher list (which, as stated above, should only be needed when Java 1.6 is used anywhere).

Otherwise you get the error message

error: (35) - gnutls_handshake() failed: A TLS fatal alert has been received.

and the jamf.log shows:

 ERROR (35, 'gnutls_handshake() failed: A TLS fatal alert has been received.')
Traceback (most recent call last):
  File "/root/bamboo-agent-home/xml-data/build-dir/REL-ACS-RELCASJDSUBUNTU/build/pyi.linux2/jamfds/out00-PYZ.pyz/jss_comm", line 84, in _perform
error: (35, 'gnutls_handshake() failed: A TLS fatal alert has been received.')

YMMV...

Posted by kevindw

I'll second that I needed to add "TLS_RSA_WITH_AES_128_CBC_SHA" to the cipher list to get things rocking again.

Chrome error was SSL version or cipher mismatch

Running RHEL 6.6, JSS 9.73, Java 1.7.0_79.

Cheers!

Posted by msd_netadmin

Add me to the list that needed the "TLS_RSA_WITH_AES_128_CBC_SHA" included. We have Java 1.8 although 1.6 is still on the server.

Dan

Posted by kwsenger

Our environment runs JDSs as well. I missed adding this line as well: {"TLS_RSA_WITH_AES_128_CBC_SHA"}. We are on Java 1.7 but DO have JDSs.

We were able to use Chrome 45 for accessing the JSS Web App, but when we tried to update our main JDS with JDS Installer 9.8 we would get this error: {Could not retrieve certificate from "https://jss.mycompany.com:8443/". Check that the JSS URL is correct}. We also could not upload packages correctly to Casper Admin.

Adding "TLS_RSA_WITH_AES_128_CBC_SHA" to the cipher list and bouncing Tomcat fixed everything.
Karl.

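Several replies above report the same symptom (ssl_error_no_cypher_overlap in Firefox, "SSL version or cipher mismatch" in Chrome, a gnutls_handshake() alert from the JDS) that goes away once TLS_RSA_WITH_AES_128_CBC_SHA is added. As an added illustration (not code from the article or from any poster), the script below simulates the server's choice of cipher suite from a client's offer. The client offers are constructed: one stands in for a stack with no ECDHE support (the Java 1.6, JDS and older OS X case), the other for a current browser. The server list is a subset of the article's recommended suites in the article's order, and whether the server's or the client's preference order wins is a connector setting, so the simulation takes it as a parameter.

```python
"""Simulate TLS cipher-suite selection to show why a hardened list can yield
"no common encryption algorithm" for older clients, and what adding the
static-RSA suite costs. Added example; client offers are constructed."""

# Subset of the article's recommended list, in the article's order.
SERVER_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
# The suite the article's step 5 (and the replies above) say to add.
LEGACY_CIPHER = "TLS_RSA_WITH_AES_128_CBC_SHA"

# Constructed offer for a client stack without ECDHE support (assumption:
# representative of Java 1.6 / JDS / old OS X clients, not a captured hello).
LEGACY_CLIENT_OFFER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]
# Constructed offer for a current browser.
MODERN_CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def negotiate(server_suites, client_offer, server_order=True):
    """Return the first suite both sides support, walking the server's list
    (or the client's when server_order is False), or None when there is no
    overlap, which is the handshake failure the replies above describe."""
    first, second = (server_suites, client_offer) if server_order else (client_offer, server_suites)
    common = set(second)
    for suite in first:
        if suite in common:
            return suite
    return None


def forward_secret(suite):
    """Ephemeral (ECDHE/DHE) key exchange: a recorded session cannot later be
    decrypted with the server's private key. Static RSA suites lack this."""
    return "_ECDHE_" in suite or "_DHE_" in suite


def describe(server_suites, client_offer):
    suite = negotiate(server_suites, client_offer)
    if suite is None:
        return "handshake fails: no common cipher suite (ssl_error_no_cypher_overlap)"
    kind = "forward secret" if forward_secret(suite) else "static RSA, no forward secrecy"
    return f"{suite} ({kind})"


if __name__ == "__main__":
    for name, offer in (("modern browser", MODERN_CLIENT_OFFER), ("legacy client", LEGACY_CLIENT_OFFER)):
        print(f"recommended list     vs {name}: {describe(SERVER_CIPHERS, offer)}")
        print(f"recommended + legacy vs {name}: {describe(SERVER_CIPHERS + [LEGACY_CIPHER], offer)}")
```

The point for a defender: with the DHE suites removed and nothing but ECDHE left, a client that only speaks RSA or DHE key exchange has zero overlap and the handshake aborts before any data moves. Appending TLS_RSA_WITH_AES_128_CBC_SHA restores a connection for those clients, but that suite has no forward secrecy, so it should be the last entry and removed again once the legacy clients are gone; as long as the server's order wins, modern clients keep negotiating ECDHE and are unaffected.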
Posted by RobertHammen

@Kristen I have had numerous clients read this article to try to fix the issue of not being able to connect to their JSS via latest versions of Firefox, Chrome, and, in OS X El Capitan, Safari.

Unfortunately, they ALL have glossed over the requirement that they MUST be running 9.73 or later of the Casper Suite before adding these ciphers.

Can you please have this revised, at your earliest convenience, to highlight the fact that clients must FIRST upgrade to 9.73 (to get a new version of Tomcat that supports the ciphers), THEN edit the server.xml file? And that if they don't perform the upgrade first, they will break their JSS?

I literally have had close to 10 clients try to edit this without being on 9.73 and do exactly that and I've had to walk them through removing the ciphers they added, in order to get them back up-and-running.

Posted by Josh.Smith
to highlight the fact that clients must FIRST upgrade to 9.73 (to get a new version of Tomcat that supports the ciphers), THEN edit the server.xml file? And if that they don't perform the upgrade first, they will break their JSS?

Important safety tip, thanks Egon.

Posted by dickie

Had been working in Google Chrome now I get "Server has a weak ephemeral Diffie-Hellman public key". I did the procedure above including adding the extra key. Still same. I can use the JSS in Safari, but still can't use chrome.

Posted by wallstrum

Came across this post while looking for something else, but I figured I'd post because I fixed this about a month or so ago. Here is what my "connector" section looks like in my server.xml file:

<Connector URIEncoding="UTF-8" clientAuth="false" sslProtocol="TLS" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA" executor="tomcatThreadPool" port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" maxPostSize="8388608" keystoreFile="/Library/JSS/Tomcat/certs/keystore.pkcs12" keystorePass="XXXXXXXXXX" keystoreType="PKCS12" />

I pasted the whole thing here for context, but the part to pay attention to is the "ciphers" section. I did a bunch of research on securing Tomcat, and basically this list is ordered by most secure --> least secure (it's called perfect forward secrecy), so that browsers will connect in the most secure method they can. The website I used for reference is: https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat/.

hope it helps!

wally

Posted by donmontalvo

@wallstrum we went with JAMF's published string, and added Java 6 string, since we have it in our environment, and so far so good. Curious whether it matters that your string is missing stuff JAMF published in theirs? Theirs is on the left, yours is on the right:

Posted by Olivier

May I suggest that Jamf also upgrade the Self Service app to support TLS 1.2, so it can use the GCM-based suites recommended in this article?

There is no security impact, as communication is later passed to the local "jamf" binary, which seems to use TLS 1.2 when an item is downloaded or installed; it is just for "harmonizing stuff" :-))).

Posted by chris.miller

I've been having some ugly issues with Self Service not connecting. This seemed to fix it.

Posted by bentoms

Please update this article advising that the cipher TLS_RSA_WITH_AES_128_CBC_SHA is needed for 10.8 clients, as per this.

Posted by andykang

On RHEL 7.1 with OpenJDK 1.8.0 and JSS v9.96, I had to add "TLS_RSA_WITH_AES_128_CBC_SHA" to get Tomcat working as well. iOS Self Service is not working, however... I'm thinking it has to do with OpenJDK only working with the "TLS_RSA_WITH_AES_128_CBC_SHA" cipher.

Posted by martin

Please update ciphers, article was last modified in 2015.

Posted by MrP

Great article. Wish our rep had advised we do this when it released...
