\subsection{Java-based Application Servers}
Note that the cipher suite names differ from the syntax used in an Apache web server: the JSSE (pure Java) connectors of Tomcat expect the IANA/Java names, e.g. \texttt{TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256}. If you use the APR connector (Apache Portable Runtime, provided by tomcat-native) for Tomcat, TLS is handled by OpenSSL and the cipher suite names correspond to the ones you may know from Apache SSL configuration.
\subsubsection{Tested with Versions}
\begin{itemize*}
\item Tomcat 7.0.57.0, Oracle JRE 1.8.0_60-b27, Ubuntu 14.04.4 LTS
\item Tomcat 8.0.24, Oracle JRE 1.8.0_60-b27, Ubuntu 14.04.4 LTS
\item Tomcat 8.0.33, Oracle JRE 1.8.0_74, Ubuntu 14.04.4 LTS
\item Tomcat 8.0.17, Oracle JRE 1.8.0_72-b15, Ubuntu 14.04.4 LTS
\item JBoss 5.0.1.GA, Oracle JRE 1.8.0_91, Windows Server 2012 R2
\end{itemize*}
\subsubsection{Oracle Java prerequisites}
Oracle Java runtimes of the tested versions are still shipped with active export restrictions, which limit the default behaviour of AES to 128-bit keys: AES-256 cipher suites are silently unavailable even if you configure them. In order to remove these restrictions you have to install the ``Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files''. The two policy files from this package (\texttt{local\_policy.jar} and \texttt{US\_export\_policy.jar}) have to be put in \texttt{\$JAVA\_HOME/jre/lib/security}, replacing the restricted ones, and they have to be reapplied every time a Java update is installed, because the update overwrites them. You can verify the result from any small Java program: \texttt{javax.crypto.Cipher.getMaxAllowedKeyLength("AES")} returns 128 with the restricted policy and \texttt{Integer.MAX\_VALUE} with the unlimited policy. Newer releases (Java 8u161 and later, Java 9 and later) ship with the unlimited policy enabled by default.
Please note also that DH parameters with key sizes larger than 1024 bits are only supported starting with Java 1.8.0_5 (see the Oracle bug entry in the references); older runtimes are limited to 1024-bit DH, which is one reason a current Java 8 runtime is a prerequisite.
\configfile{server.xml}
Independent of the concrete application server, the main setup is done in a \texttt{server.xml} file (the real location depends on your system installation).
In this file you need two \texttt{Connector} elements:
First you need a standard (plain HTTP) connector on a non-privileged port.
The important part in this connector is the attribute \texttt{redirectPort="443"}: when a request for a resource that requires a confidential transport arrives on the plain port, the server answers with a redirect to this port. It therefore has to be the port on which clients reach the HTTPS service from the outside (443 if you add the port redirection described below), not the internal listening port of the secure connector.
Second you need a secure connector with \texttt{SSLEnabled="true"}, \texttt{scheme="https"} and \texttt{secure="true"}, the key store holding the server certificate, and the protocol versions and cipher suites restricted as recommended in this document.
This way your application server uses two ports, one for standard HTTP and one for HTTPS, both with port numbers greater than 1023. This is good, because on a Unix system your application server then runs only on non-privileged ports and does not have to be started as root. On Windows systems you can use the default port numbers 80 and 443 directly.
\subsubsection{Additional settings}
To make things more secure without affecting the user experience, you have to make two further modifications.
The first concerns the file \texttt{web.xml} (the application's own \texttt{WEB-INF/web.xml}, or \texttt{conf/web.xml} to cover every application on the server), in which you should have a \texttt{security-constraint} whose \texttt{web-resource-collection} covers the entire application (\texttt{web-resource-name} ``Entire Application'', \texttt{url-pattern} \texttt{/*}) and whose \texttt{user-data-constraint} sets the \texttt{transport-guarantee} to \texttt{CONFIDENTIAL}.
This will force your application server to redirect any incoming traffic on the HTTP port to the \texttt{redirectPort} given in the \texttt{server.xml} file. Keep in mind that this is a redirect, not a block: the initial plain HTTP request still travels in clear text, so session cookies should additionally carry the \texttt{secure} flag so that a browser never sends them to the plain port in the first place.
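As a worked example of the two connectors in \texttt{server.xml} and the security constraint in \texttt{web.xml} described above (added here; this is not a listing from the original page and not a file shipped with Tomcat), for a Tomcat 7 / 8.0 JSSE connector on Java 8. The ports 8090 and 8443, the key store path \texttt{/etc/tomcat/keystore.jks}, the alias and the password are assumptions and must be adapted to your installation; the cipher list is a deliberately restrictive choice (ECDHE/DHE with AES-GCM only, which needs Java 8), not Tomcat's default.

```xml
<!-- server.xml (example, not the original listing): both connectors belong
     inside <Service name="Catalina">. -->

<!-- Plain HTTP connector. redirectPort is the port the *client* is sent to,
     i.e. the externally visible HTTPS port (443 with the iptables redirect
     in place), not the internal 8443. -->
<Connector port="8090" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- HTTPS connector on a non-privileged port, JSSE implementation.
     keystoreFile/keystorePass/keyAlias are assumed values; the file should be
     readable only by the Tomcat user, as the password is stored in clear text.
     sslEnabledProtocols limits the handshake to TLS 1.2; ciphers uses the
     Java (IANA) suite names, not the OpenSSL names of the APR connector.
     useServerCipherSuitesOrder makes Tomcat, not the client, pick the suite
     (supported on recent 7.0.x / 8.0.x releases). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150" clientAuth="false"
           keystoreFile="/etc/tomcat/keystore.jks"
           keystorePass="changeit"
           keyAlias="tomcat"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           useServerCipherSuitesOrder="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" />

<!-- web.xml (WEB-INF/web.xml of the application, or conf/web.xml for all
     applications): require TLS for every URL, so that Tomcat answers plain
     HTTP requests with a redirect to redirectPort. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Servlet 3.0 and later: mark the session cookie secure and HttpOnly, so a
     browser never sends it over the plain connector before the redirect. -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
```

After a restart, a request to the plain port (\texttt{curl -I http://host:8090/}) should be answered with a redirect whose \texttt{Location} header points at \texttt{https://host/} on the \texttt{redirectPort}, and a TLS scan of port 8443 (see the tools appendix) should list only the four suites above and only TLS 1.2. If AES-256 suites are missing from the scan, the unlimited-strength policy files are not installed in the runtime Tomcat is actually using.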
Finally you should consider a port redirection, to make your services available on the standard ports for HTTP (80) and HTTPS (443) while the application server keeps listening on its non-privileged ports. On a Linux system this can easily be done with the \texttt{nat} table of iptables. The following rules (in \texttt{iptables-save} format; the numbers in brackets are the packet and byte counters of the chain policies and can be omitted) redirect incoming port 80 to 8090 and port 443 to 8443, the ports used by the two connectors in \texttt{server.xml}:
\begin{verbatim}
*nat
:PREROUTING ACCEPT [70718:5758048]
:POSTROUTING ACCEPT [4526:273892]
:OUTPUT ACCEPT [4526:273892]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8090
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
\end{verbatim}
Note that \texttt{PREROUTING} only sees packets arriving from the network: connections from the host itself (for example a local test with \texttt{curl https://localhost/}) are not redirected, so either add equivalent \texttt{REDIRECT} rules to the \texttt{OUTPUT} chain of the \texttt{nat} table or test against the high ports directly. Make the rules persistent (e.g. with \texttt{iptables-persistent} on Ubuntu), otherwise they are lost at reboot. On Windows-based systems you can use the default ports in the initial setup (\texttt{server.xml}), so there is no need for port redirection.
\subsubsection{References}
\begin{itemize*}
\item Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files: \url{http://www.oracle.com/technetwork/java/javase/downloads/index.html}
\item Oracle Java DH 1024-bit prime bug: \url{http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6521495}
\end{itemize*}
\subsubsection{How to test}
See appendix \ref{cha:tools}
%%----------------------------------------------------------------------