3.11 Default Security Settings in Configuration Files

3.11.1 server.xml

Linux: /opt/novell/nam/idp/conf

Windows Server 2012: \Program Files (x86)\Novell\Tomcat\conf

These settings are configured as attributes on the two Connector elements, the one with NIDP_Name="devman" and the one with NIDP_Name="connector".

<Connector NIDP_Name="connector" SSLEnabled="true" URIEncoding="utf-8"
    acceptCount="100" address="10.0.0.0"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
    clientAuth="false" disableUploadTimeout="true" enableLookups="false"
    keystoreFile="/opt/novell/devman/jcc/certs/idp/connector.keystore"
    keystorePass="xxxxxxxxxxxxxxx"
    maxThreads="600" minSpareThreads="5" port="8443" scheme="https" secure="true"
    sslImplementationName="com.example.nidp.common.util.net.server.NIDPSSLImplementation"
    useServerCipherSuitesOrder="true" sslProtocol="TLSv1.2"
    sslEnabledProtocols="SSLv2Hello,TLSv1.1,TLSv1.2" />

For information about connector attributes, see Apache Tomcat Configuration Reference.

3.11.2 web.xml

Linux: /opt/novell/nam/idp/webapps/nidp/WEB-INF/

Windows Server 2012: \Program Files (x86)\Novell\Tomcat\conf

<filter>
   <filter-name>httpHeaderSecurity</filter-name>
   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
   <async-supported>true</async-supported>
   <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>31536000</param-value>
   </init-param>
   <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
   </init-param>
</filter>
<filter-mapping>
   <filter-name>httpHeaderSecurity</filter-name>
   <url-pattern>/*</url-pattern>
   <dispatcher>REQUEST</dispatcher>
</filter-mapping>

NOTE: You can add these filter elements anywhere in web.xml as long as they are not nested inside an existing element.
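As an added check for the two files above (it is not part of this document or of the product), the following Python script reads the Connector attributes from server.xml and the httpHeaderSecurity parameters from web.xml, flags any protocol below TLSv1.2 that is still listed in sslEnabledProtocols, and verifies that a captured HTTPS response carries the Strict-Transport-Security and X-Frame-Options values the filter should produce. The XML fragments and the HTTP response embedded in it are constructed; the expected header values follow the documented behaviour of Tomcat's HttpHeaderSecurityFilter.

```python
import xml.etree.ElementTree as ET

# Constructed fragments and response shaped like the documented settings (not the product's real files).
SERVER_XML = """<Server><Service>
<Connector NIDP_Name="connector" SSLEnabled="true" port="8443" scheme="https" secure="true"
  sslProtocol="TLSv1.2" sslEnabledProtocols="SSLv2Hello,TLSv1.1,TLSv1.2"
  useServerCipherSuitesOrder="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/></Service></Server>"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
<init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>
</filter></web-app>"""
RESPONSE = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
            "X-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n\r\n<html/>")
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}   # anything below TLSv1.2

def filter_params(web_xml: str) -> dict:
    """init-params of the httpHeaderSecurity filter; '{*}' matches any namespace (Python 3.8+)."""
    for f in ET.fromstring(web_xml).findall(".//{*}filter"):
        if f.findtext("{*}filter-name", "").strip() == "httpHeaderSecurity":
            return {p.findtext("{*}param-name").strip(): p.findtext("{*}param-value").strip()
                    for p in f.findall("{*}init-param")}
    return {}

def expected_headers(params: dict) -> dict:
    """Headers HttpHeaderSecurityFilter emits for these params (HSTS only on secure requests)."""
    hsts = "max-age=" + params.get("hstsMaxAgeSeconds", "0")
    if params.get("hstsIncludeSubDomains", "false").lower() == "true":
        hsts += ";includeSubDomains"
    return {"strict-transport-security": hsts,
            "x-frame-options": params.get("antiClickJackingOption", "DENY")}

def check_response(raw: str, expected: dict) -> list:
    """Names of expected headers that are missing from, or differ in, a raw HTTP response."""
    header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]      # drop the status line
    got = {k.strip().lower(): v.strip()
           for k, v in (line.split(":", 1) for line in header_lines if ":" in line)}
    return sorted(name for name, value in expected.items() if got.get(name) != value)

def connector_findings(server_xml: str) -> dict:
    """Per NIDP_Name connector: legacy protocols still enabled, server cipher order not enforced."""
    out = {}
    for c in ET.fromstring(server_xml).iter("Connector"):
        enabled = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",")}
        notes = sorted("legacy protocol enabled: " + p for p in enabled & LEGACY_PROTOCOLS)
        if c.get("useServerCipherSuitesOrder", "false").lower() != "true":
            notes.append("server cipher order not enforced")
        out[c.get("NIDP_Name", c.get("port", "?"))] = notes
    return out
```

Point `SERVER_XML` and `WEB_XML` at the real files and feed `check_response` a response captured from port 8443 to confirm the settings took effect after a restart.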

3.11.3 tomcat.conf

Linux:

/opt/novell/nam/idp/conf/tomcat.conf

JAVA_OPTS="${JAVA_OPTS} -Dsun.security.ssl.allowUnsafeRenegotiation=false"
JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.rejectClientInitiatedRenegotiation=true"
JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.ephemeralDHKeySize=2048"

Windows:

Navigate to C:\Program Files (x86)\Novell\Tomcat\bin and then double-click tomcat7w.

-Dsun.security.ssl.allowUnsafeRenegotiation=false
-Djdk.tls.rejectClientInitiatedRenegotiation=true
-Djdk.tls.ephemeralDHKeySize=2048