
Changing the default ports for ADSS Server services

If you wish to change the default ADSS Server service ports then follow these steps:

Service Instance
  1. Open the [ADSS-Server-Installation-Dir]/service/server/conf/server.xml file
  2. Locate the following connector:

    server.xml
  3. Define a new connector by copying the above element and comment out the existing one.
  4. Replace the port 8777 with your desired one.
  5. Launch the ADSS Server console: 
    1. Go to location: Global Settings > Advanced Settings

    2. Locate the property SERVICE_MANAGER_PORT (value 8777) and change its value to the port number that you defined in the server.xml file in step 4.
    3. Save all changes.
  6. Similarly, if you wish to change the ADSS Server Service instance SSL ports, locate the connectors with port 8778 or 8779 and change these ports to the desired ones.
  7. Restart the ADSS Service Core, ADSS Server Console and ADSS Server Service instances from the Windows Services Panel / UNIX daemon for the changes to take effect.
Console Instance
  1. Open the [ADSS-Server-Installation-Dir]/console/server/conf/server.xml file
  2. Locate the following connector:

    server.xml
  3. Define a new connector by copying the above element and comment out the existing one.
  4. Replace the port 8774 with your desired one.
  5. Save all changes.
  6. Restart the ADSS Service Core, ADSS Server Console and ADSS Server Service instances from the Windows Services Panel / UNIX daemon for the changes to take effect.
Core Instance
  1. Open the [ADSS-Server-Installation-Dir]/core/server/conf/server.xml file
  2. Locate the following connector:

    server.xml
  3. Define a new connector by copying the above element and comment out the existing one.
  4. Replace the port 8770 with your desired one.
  5. Launch the ADSS Server console: 

    1. Go to location: Global Settings > Advanced Settings

    2. Locate the property CORE_MANAGER_PORT (value 8770) and change its value to the port number that you defined in the server.xml file in step 4.
    3. Save all changes.
  6. Restart the ADSS Service Core, ADSS Server Console and ADSS Server Service instances from the Windows Services Panel / UNIX daemon for the changes to take effect.

Protecting ADSS Server from the SSL/TLS POODLE vulnerability

If you are using ADSS Server version v4.8.1 or prior then follow these instructions to disable the SSL v3.0 protocol to avoid an attack based on the POODLE vulnerability: 

Note: This vulnerability has been addressed in ADSS Server v4.8.2.

  1. Edit the file [ADSS-Server-Installation-Dir]/service/server/conf/server.xml
  2. Locate the connector with port="8778", change the sslProtocol value to TLSv1, and also set the list of allowed SSL protocols by introducing the attribute sslEnabledProtocols="TLSv1.1,TLSv1.2" as shown below:

    server.xml
  3. Locate the connector with port="8779" and repeat the instructions provided in step 2.
  4. Edit the file [ADSS-Server-Installation-Dir]/console/server/conf/server.xml
  5. Locate the connector with port="8774" and repeat the instructions provided in step 2 to secure the console.
  6. Restart the ADSS Server from Windows Services Panel / UNIX daemons for the changes to take effect.

To confirm that SSL v3.0 is disabled you can use OpenSSL 1.0.1g and execute the following command, replacing the Machine-IP/Name and Port accordingly:

We recommend that TLSv1 and TLSv1.1 are removed and that only TLSv1.2 is used.

openssl

If openssl fails to connect then this means SSL v3.0 has been successfully disabled on ADSS Server. 

Improving the SSL security ranking for ADSS Server

Follow these instructions to enhance the Tomcat configurations in ADSS Server v4.8.4 and later to achieve a better SSL ranking when using analysis tools such as ssllabs.com:

  1. Edit the file [ADSS-Server-Installation-Dir]/service/server/conf/server.xml
  2. Locate connector with port="8778" and add TLSv1.2 in the sslEnabledProtocols attribute (e.g. sslEnabledProtocols="TLSv1.1,TLSv1.2")
  3. In the same connector, remove the TLS_RSA_WITH_AES_256_CBC_SHA cipher from ciphers list
  4. Locate connector Port="8779" in the same file and repeat the instructions provided in step 2 and 3
  5. Edit the file [ADSS-Server-Installation-Dir]/console/server/conf/server.xml
  6. Locate connector Port="8774" and repeat the instructions provided in the step 2 and 3
  7. Restart ADSS Server from Windows Services Panel / UNIX daemons for the changes to take effect
Note: If Microsoft Azure Key Vault is configured as the Crypto Source in ADSS Server, it will stop working with these settings applied.

Enabling SSL Debugging for Tomcat

When trying to analyse why an SSL connection is not working it can be useful to turn on SSL debugging. Follow these instructions to enable SSL debugging for Tomcat within ADSS Server:

  1. Go to location: [ADSS Server Installation Directory]\tomcat\bin\
  2. Edit the catalina.bat/catalina.sh file in a text editor
  3. Add the parameter -Djavax.net.debug=ssl as shown in the following snippet:

    catalina.sh
  4. Save the changes

  5. If you are using Windows, uninstall the Core, Console and Service instances, re-install them and start the services for the changes to take effect. On UNIX you only need to restart the tomcatd-ADSS-core, tomcatd-ADSS-console and tomcatd-ADSS-service instances respectively.

Configuring new ADSS Server Service Ports

If you wish to configure the new ADSS Server service ports then follow these steps: 

Core Instance 
  1. Open the [ADSS-Server-Installation-Dir]/core/server/conf/server.xml file
  2. Locate the following connector:

    server.xml
  3. Define a new connector by copying the above element and replace the port 8770 with your desired one.
  4. Restart the ADSS Service Core, ADSS Server Console and ADSS Server Service instances from the Windows Services Panel / UNIX daemon for the changes to take effect.

Service Instance 
  1. Open the [ADSS-Server-Installation-Dir]/service/server/conf/server.xml file
  2. Locate the following connector:

    server.xml
  3. Define a new connector by copying the above element and replace the port 8777 with your desired one.
  4. Restart the ADSS Service Core, ADSS Server Console and ADSS Server Service instances from the Windows Services Panel / UNIX daemon for the changes to take effect.
Console Instance 
  1. Open the [ADSS-Server-Installation-Dir]/console/server/conf/server.xml file
  2. Locate the following connector:

    server.xml
  3. Define a new connector by copying the above element and replace the port 8774 with your desired one.
  4. Save all changes.
  5. Restart the ADSS Service Core, ADSS Server Console and ADSS Server Service instances from the Windows Services Panel / UNIX daemon for the changes to take effect.

Configuring ADSS Server to not use a persistent HTTP/S connection

A significant difference between HTTP/1.1 and HTTP/1.0 is that persistent connections are now the default behaviour of an HTTP connection. Unless otherwise indicated, the client SHOULD assume that the server will maintain a persistent connection, even after error responses from the server. The HTTP/1.1 specification, RFC 2616, recommends persistent connections for HTTP communication because this approach:

  • Reduces overhead and CPU time on the server
  • Reduces network congestion
  • Reduces network latency on subsequent requests

For more details on RFC 2616 follow this link: https://www.ietf.org/rfc/rfc2616.txt

ADSS Server implements HTTP/1.1 persistent connections to improve its performance, and therefore does not send the "Connection: Close" header in its HTTP responses. To change this and avoid persistent connections, follow these instructions:

  1. Stop the ADSS Server Service instances from the Windows NT Services Panel / UNIX Daemon.
  2. Go to Location: [ADSS Server Installation Directory]/service/server/conf/
  3. Edit the file server.xml in a text editor
  4. Find the Service connector port and add this parameter maxKeepAliveRequests="1" e.g.

    server.xml
  5. Save the changes
  6. Start the ADSS Server Service instances from the Windows NT Services Panel / UNIX Daemon.

Note:- Remember that this may impact ADSS Server performance under heavy load.

Configuring ADSS Server to be able to sign very large documents (100MB+)

When a business application needs to send documents larger than 100 MB to the ADSS Server signing service, the following needs to be done:

1) Set the ADSS Server Tomcat parameter maxPostSize="0" inside server.xml; this changes the limit from the default size of 100MB to unlimited.

2) Ensure ADSS Server has enough RAM to process the document. Allow a factor of 25x the size of the largest document to ensure that the PDF can be read, handled in memory, hashed, and the signed hash embedded in a signed copy of the PDF.
    For instance, for a 700MB document 16GB RAM is required. Only run such tasks in parallel if you have additional RAM available for this.

For point (1) follow these instructions:

  1. Stop the ADSS Server Service instance from the Windows Services Panel / UNIX Daemon
  2. Go to the location: [ADSS Server Installation Directory]/service/server/conf/
  3. Open the file server.xml in a text editor
  4. Find the connector <Connector port="8777" and append the parameter maxPostSize="0" before the closing tag of this connector.
    Note:- If the business application is communicating with the ADSS Server over SSL mutual authentication then add this parameter under <Connector port="8779". Do the same for <Connector port="8778" if server authentication is being used, e.g.

    server.xml
  5. Save the changes
  6. Start the ADSS Server Service instance from the Windows Services Panel / UNIX Daemon
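As an added check, not code from this page or from ADSS Server, the following Python script parses a server.xml and flags the connector settings that the POODLE, SSL-ranking, persistent-connection and large-document sections above tell you to change or be aware of: protocols below TLSv1.2 in sslEnabledProtocols, the TLS_RSA_WITH_AES_256_CBC_SHA cipher, and the presence of maxKeepAliveRequests="1" or maxPostSize="0". The embedded server.xml and all its attribute values are constructed for the example.

```python
"""Audit the <Connector> elements of an ADSS Server server.xml against the
hardening steps on this page (added example, not ADSS Server code)."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml: 8777 with keep-alive disabled, 8778 still
# carrying the weak settings the page removes, 8779 hardened and opened up
# for large uploads. Attribute values are invented for the example.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8777" protocol="HTTP/1.1" maxKeepAliveRequests="1"/>
  <Connector port="8778" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" sslProtocol="SSL" sslEnabledProtocols="SSLv3,TLSv1"
             ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  <Connector port="8779" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" clientAuth="true" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2" maxPostSize="0"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
</Service></Server>"""

# Anything below TLSv1.2 is flagged: the page recommends using TLSv1.2 only.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher the "SSL security ranking" steps tell you to drop from the list.
WEAK_CIPHERS = {"TLS_RSA_WITH_AES_256_CBC_SHA"}


def audit_connectors(server_xml: str) -> dict:
    """Return {port: [finding, ...]} for every <Connector>; [] means clean."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        issues = []
        if conn.get("SSLEnabled", "false").lower() == "true":
            enabled = conn.get("sslEnabledProtocols")
            if enabled is None:  # JSSE defaults then decide, which may include SSLv3
                issues.append("sslEnabledProtocols not set: SSLv3 may be accepted (POODLE)")
            else:
                protos = {p.strip() for p in enabled.split(",")}
                weak = sorted(protos & WEAK_PROTOCOLS)
                if weak:
                    issues.append("weak protocols enabled: " + ",".join(weak))
                if "TLSv1.2" not in protos:
                    issues.append("TLSv1.2 missing from sslEnabledProtocols")
            ciphers = {c.strip() for c in conn.get("ciphers", "").split(",")}
            for c in sorted(ciphers & WEAK_CIPHERS):
                issues.append("weak cipher listed: " + c)
        if conn.get("maxKeepAliveRequests") == "1":
            issues.append("persistent connections disabled (maxKeepAliveRequests=1)")
        if conn.get("maxPostSize") == "0":
            issues.append("maxPostSize=0: unlimited request body, size RAM accordingly")
        findings[conn.get("port")] = issues
    return findings
```

Run it against the real service and console server.xml files (read the file into a string and pass it to audit_connectors) after editing, before restarting the instances.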

How to change the ADSS Server Keystore password?

If it is required to change the ADSS Server Keystore password then follow these instructions:

  1. Go to the location: [ADSS Server Installation Directory]/util/bin
  2. Execute the utility change_keystore_password.bat/sh accordingly
    1. When prompted for the existing ADSS Server keystore password, enter the default ADSS Server keystore password:

      Note: Contact support@ascertia.com for the default ADSS Server Keystore password.

    2. Enter new password for ADSS Server keystore
    3. Confirm new password for ADSS Server keystore 
    4. The utility will show the encrypted password e.g. Encrypted Password: p/aZouGB6w4vL9lmu7AKsw==
  3. Go to the location [ADSS Server installation directory]/console/server/conf
    1. Edit the server.xml in a text editor
    2. Find the instance of the 8774 connector tag and replace the values of keystorePass and truststorePass attributes with the newly encrypted password

      server.xml
    3. Save the changes
  4. Go to the location [ADSS Server installation directory]/service/server/conf
    1. Edit the server.xml in a text editor
    2. Find the instance of the 8778 connector tag and replace the value of keystorePass attribute with the newly encrypted password

      server.xml
    3. Find the instance of the 8779 connector tag and replace the values of keystorePass and truststorePass attributes with the newly encrypted password

      server.xml
    4. Save the changes

  5. Restart the ADSS Server Console and Service instances from the Windows NT Services panel or UNIX daemon for the password change to take effect.

How can I change the cipher suites used by the ADSS Server for advanced security?

  1. Launch the Windows services panel.
  2. Stop the ADSS Server Core, Console and Service instances.
  3. Go to location [ADSS-Server-Installation-Dir] and edit the server.xml file from locations: 
    1. ..\console\server\conf\
      1. Backup the existing server.xml file
      2. Search for the text <Connector port="8774"
      3. Replace the existing ciphers accordingly
    2. ..\service\server\conf\
      1. Backup the existing server.xml file
      2. Search for the text <Connector port="8778" and <Connector port="8779"
      3. Replace the existing ciphers for each port configuration accordingly
  4. Save the settings and start the ADSS Server Core, Console and Service instances from Windows service panel. 
List of recommended ciphers to be used for advanced security:

How to change the Tomcat keystore password?

  1. Stop the ADSS Server Core, Console and Service instances.
  2. Go to location [ADSS-Server-Installation-Dir] and take a backup of the following files:
    1. ..\conf\
      1. Backup the existing adss.keystore
    2. ..\console\server\conf\
      1. Backup the existing server.xml 
    3. ..\service\server\conf\
      1. Backup the existing server.xml
  3. Go to location [ADSS-Server-Installation-Dir]\util\bin\
    1. Execute change_database_password.bat; it will prompt for the old and new keystore passwords and change the password accordingly.
    2. The new password must be encrypted before use: execute encrypt_password.bat and provide the new password entered above to obtain the encrypted password output.

  4. Go to location [ADSS-Server-Installation-Dir]
    1. ..\console\server\conf\
      1. Edit the server.xml file and replace the values in all occurrences of keystorePass and truststorePass with the new encrypted password generated in the step above.
    2. ..\service\server\conf\
      1. Edit the server.xml file and replace the values in all occurrences of keystorePass and truststorePass with the new encrypted password.

  5. Start the ADSS Server Core, Console and Service instances.
