
How to enhance SSL security level on AhsayCBS

June 4, 2025

Product Version

AhsayCBS: 7.3 - 7.17.x

Operating System

All Platforms

Description

This article explains how to raise the SSL security level of AhsayCBS by restricting the HTTPS connector to an explicit list of strong cipher suites.

We strongly recommend upgrading to the latest AhsayCBS and AhsayOBM release (v9.15.0.0, as of 2025/May/15) for improved performance, compatibility, and security.

Contact us to confirm your license is valid to upgrade.

Solution

To disable all weak cipher suites on AhsayCBS:

  1. Edit the server.xml file found under ${Install-Home}\conf
    • Open 'server.xml' with a text editor:

      server.xml
      ...
       <Service name="Catalina">
                  <Connector port="80" protocol="HTTP/1.1" maxKeepAliveRequests="1000" disableUploadTimeout="true" ...
                      redirectPort="443" minSpareThreads="50" maxThreads="2000" acceptCount="200" ...
                      connectionTimeout="120000" address="0.0.0.0" socketBuffer="16384" />
                  <Connector port="443" SSLCipherSuite="HIGH:!aNULL:!MD5" protocol="HTTP/1.1" ...
      ...
      ...
    • Replace the value of the SSLCipherSuite parameter on the port 443 connector with:

      SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:EDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"

      server.xml (after the update)
      ...
       <Service name="Catalina">
              <Connector port="80" protocol="HTTP/1.1" maxKeepAliveRequests="1000" disableUploadTimeout="true" ...
                  redirectPort="443" minSpareThreads="50" maxThreads="2000" acceptCount="200" ...
                  connectionTimeout="120000" address="0.0.0.0" socketBuffer="16384" />
              <Connector port="443" 
      SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
      ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
      DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:EDH+AESGCM:
      ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
      ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
      ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:
      DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
      DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK" protocol="HTTP/1.1" ...
      ...
      ...
    • Save and exit from the text editor.
  2. Restart the AhsayCBS service.
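
To confirm the edit before restarting, the check below parses server.xml and reports, for each connector that sets SSLCipherSuite, any exclusion from the hardened value that is missing and any broad OpenSSL group keyword such as HIGH that is still present. This is an added example, not Ahsay's own tooling; the function name audit_connectors, the list of group keywords and the two sample files are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Exclusions copied from the hardened SSLCipherSuite value in the article.
REQUIRED_EXCLUSIONS = {"!aNULL", "!eNULL", "!EXPORT", "!DES", "!RC4", "!3DES", "!MD5", "!PSK"}
# OpenSSL group keywords that select whole cipher families instead of named suites.
BROAD_KEYWORDS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW"}


def audit_connectors(server_xml):
    """Return one finding dict per Connector that carries SSLCipherSuite."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        value = conn.get("SSLCipherSuite")
        if value is None:
            continue  # e.g. the plain HTTP connector on port 80
        # XML parsing turns line breaks inside an attribute into spaces, so a
        # wrapped value must be split on whitespace as well as on ':'.
        tokens = [t for t in re.split(r"[:,\s]+", value) if t]
        missing = sorted(REQUIRED_EXCLUSIONS - set(tokens))
        broad = sorted(t for t in tokens if t in BROAD_KEYWORDS)
        findings.append({"port": conn.get("port"), "missing_exclusions": missing,
                         "broad_keywords": broad, "ok": not missing and not broad})
    return findings


# Constructed sample files; the real server.xml has many more attributes.
TEMPLATE = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" redirectPort="443" />
  <Connector port="443" SSLCipherSuite="{ciphers}" protocol="HTTP/1.1" />
</Service></Server>"""

BEFORE = TEMPLATE.format(ciphers="HIGH:!aNULL:!MD5")
AFTER = TEMPLATE.format(ciphers="""ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:EDH+AESGCM:
ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK""")

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        for finding in audit_connectors(doc):
            print(label, finding)
```

This is a text-level check of the configuration only; it does not show which suites the server actually offers to clients after the restart.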