
...

  1. Stop the ADSS Server Service instance from the Windows Services Panel / UNIX Daemon
  2. Go to the location: [ADSS Server Installation Directory]/service/server/conf/
  3. Open the file server.xml in a text editor
  4. Find the connector <Connector port="8777" and append the parameter maxPostSize = "0" before the closing tag of this connector
    Note: If the business application communicates with the ADSS Server over SSL mutual authentication, add this parameter under <Connector port="8779". Do the same for <Connector port="8778" if server authentication is being used. For example:

    server.xml:

    <Connector port="8777"
               maxHttpHeaderSize="524288"
               maxThreads="500"
               minSpareThreads="200"
               enableLookups="false"
               redirectPort="8778"
               acceptCount="200"
               connectionTimeout="60000"
               disableUploadTimeout="true"
               maxPostSize="0"/>
  5. Save the changes
  6. Start the ADSS Server Service instance from the Windows Services Panel / UNIX Daemon

...

Changing the ADSS Server Keystore password

...

If you wish to change the ADSS Server Keystore password then follow these instructions:

  1. Go to the location: [ADSS Server Installation Directory]/util/bin
  2. Execute the utility change_keystore_password.bat (or .sh if using Linux)
    1. Enter the default ADSS Server keystore password against existing password for ADSS Server keystore:  

      Note

      Contact support@ascertia.com for default ADSS Server Keystore password

    2. Enter new password for ADSS Server keystore
    3. Confirm new password for ADSS Server keystore 
    4. The utility will show the encrypted password e.g. Encrypted Password: p/aZouGB6w4vL9lmu7AKsw==
  3. Go to the location [ADSS Server installation directory]/console/server/conf
    1. Edit the server.xml in a text editor
    2. Find the instance of the 8774 connector tag and replace the values of keystorePass and truststorePass attributes with the newly encrypted password

      server.xml:

      <Connector port="8774"
                 ...
                 ...
                 keystoreFile="../../conf/adss.keystore"
                 keystorePass="8cktUaFLGOP2YVttsBTRKg=="
                 truststoreFile="../../conf/adss.keystore"
                 truststorePass="8cktUaFLGOP2YVttsBTRKg=="
                 URIEncoding="UTF-8" />
    3. Save the changes
  4. Go to the location [ADSS Server installation directory]/service/server/conf
    1. Edit the server.xml in a text editor
    2. Find the instance of the 8778 connector tag and replace the value of keystorePass attribute with the newly encrypted password

      server.xml:

      <Connector port="8778"
                 ....
                 ....
                 keystoreFile="../../conf/adss.keystore"
                 keystorePass="8cktUaFLGOP2YVttsBTRKg==" />
    3. Find the instance of the 8779 connector tag and replace the values of keystorePass and truststorePass attributes with the newly encrypted password

      server.xml:

      <Connector port="8779"
                 ....
                 ....
                 keystoreFile="../../conf/adss.keystore"
                 keystorePass="8cktUaFLGOP2YVttsBTRKg=="
                 truststoreFile="../../conf/adss.keystore"
                 truststorePass="8cktUaFLGOP2YVttsBTRKg==" />
    4. Save the changes

  5. Restart the ADSS Server Console and Service instances from the Windows NT Services panel or UNIX daemon for the password change to take effect

...

Changing the SSL/TLS cipher suites used by the ADSS Server for advanced security

...

  1. Launch the Windows services panel.
  2. Stop the ADSS Server Core, Console and Service instances.
  3. Go to location [ADSS-Server-Installation-Dir] and edit the server.xml file in the following locations:
    1. ..\console\server\conf\
      1. Backup the existing server.xml file
      2. Search for the text <Connector port="8774"
      3. Replace the existing ciphers accordingly
    2. ..\service\server\conf\
      1. Backup the existing server.xml file
      2. Search for the text <Connector port="8778" and <Connector port="8779"
      3. Replace the existing ciphers for each port configuration accordingly
  4. Save the settings and start the ADSS Server Core, Console and Service instances from Windows service panel. 
List of recommended ciphers to be used for advanced security:

<Connector port="8774"
           ....
           ....
           ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA"
           ....
           ....
/>
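
A check that can be run before restarting the instances, covering both the keystore password change and the cipher change above (added example, not part of the ADSS Server documentation or tooling): it parses each server.xml and reports any of the 8774, 8778 and 8779 connectors whose password attributes or ciphers value were not updated. The names `audit` and `PASSWORD_ATTRS`, the sample XML and the placeholder password values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Password attributes each connector must carry, per the steps above.
PASSWORD_ATTRS = {
    "8774": ("keystorePass", "truststorePass"),
    "8778": ("keystorePass",),
    "8779": ("keystorePass", "truststorePass"),
}

def audit(configs, new_pass, ciphers):
    """configs maps a file label to server.xml text; returns a list of findings."""
    wanted = [c.strip() for c in ciphers.split(",")]
    findings, seen = [], set()
    for path, xml_text in configs.items():
        for conn in ET.fromstring(xml_text).iter("Connector"):
            port = conn.get("port")
            if port not in PASSWORD_ATTRS:
                continue
            seen.add(port)
            for attr in PASSWORD_ATTRS[port]:
                if conn.get(attr) != new_pass:
                    findings.append(f"{path} port {port}: {attr} not updated")
            # A multi-line attribute value arrives with its line breaks as
            # whitespace, so split on commas and trim each suite name.
            have = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
            if have != wanted:
                findings.append(f"{path} port {port}: cipher list differs")
    for port in sorted(set(PASSWORD_ATTRS) - seen):
        findings.append(f"connector {port} not found")
    return findings

# Constructed sample input: placeholder values, not real ADSS Server output.
NEW, OLD = "NEW_ENCRYPTED_VALUE==", "OLD_ENCRYPTED_VALUE=="
SUITES = "TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
CONSOLE = f"""<Server><Service><Connector port="8774"
    keystorePass="{NEW}" truststorePass="{NEW}"
    ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384,
             TLS_RSA_WITH_AES_128_GCM_SHA256"/></Service></Server>"""
SERVICE = f"""<Server><Service>
  <Connector port="8777" maxPostSize="0"/>
  <Connector port="8778" keystorePass="{NEW}" ciphers="{SUITES}"/>
  <Connector port="8779" keystorePass="{NEW}" truststorePass="{OLD}"
    ciphers="TLS_RSA_WITH_AES_256_GCM_SHA384"/></Service></Server>"""

if __name__ == "__main__":
    files = {"console/server/conf/server.xml": CONSOLE,
             "service/server/conf/server.xml": SERVICE}
    for line in audit(files, NEW, SUITES):
        print(line)
```

In the constructed sample the 8779 connector still carries the old truststorePass and a shortened cipher list, so both are reported while 8774 and 8778 pass.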

...

Changing the Tomcat keystore password

...

  1. Stop the ADSS Server Core, Console and Service instances.
  2. Go to location [ADSS-Server-Installation-Dir] and take a backup of the following files:
    1. ..\conf\
      1. Backup the existing adss.keystore
    2. ..\console\server\conf\
      1. Backup the existing server.xml
    3. ..\service\server\conf\
      1. Backup the existing server.xml
  3. Go to location [ADSS-Server-Installation-Dir\util\bin\]
    1. Execute change_database_password.bat; it asks for the old and new keystore passwords in order to change the password.
    2. The new password must be encrypted before it is used: execute encrypt_password.bat and provide the new password given above to get the encrypted password output.

...

Once done, restart the ADSS NT/Daemon Services.

...

Configuring the ADSS Server

...

Tomcat to secure AJP

...

communications

The Apache Tomcat AJP Connector is vulnerable to a new Ghostcat attack that can allow an attacker to read application configuration files or API tokens. ADSS Server can be configured to protect against these vulnerabilities. To secure Apache Tomcat AJP communication, you must use ADSS Server 6.6 with patch 6.6.0.2. Customers must upgrade to ADSS Server 6.6 and then apply patch 6.6.0.2 from Ascertia Support.

...