A.5 Tomcat Settings

Because iManager uses the Tomcat servlet container, iManager administrators should be aware of Tomcat's encryption-related configuration options as part of their overall security strategy. Of particular interest are cipher suites and trusted certificates, which directly affect the quality of your wire-level encryption. Consider the following rules when configuring your Tomcat environment:

  • Do not use SSL 2.0 cipher suites, which are outdated and not guaranteed to be secure.

  • Do not use the NULL cipher suite in a production environment.

  • Do not use any cipher suite classified as LOW or EXPORT quality, because these are less secure.

  • Regularly review the list of trusted certificates, and limit the list of accepted Certificate Authorities to only those you are actually using.
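One way to check a Tomcat server.xml against the cipher rules above is the following audit script, an added example that is not part of the iManager or Tomcat documentation. The sample XML is constructed; the script assumes the settings live in the standard Tomcat attributes listed in the code, treats "SSL 2.0 cipher suites" as the SSLv2 protocol being enabled, and approximates LOW as single-DES suites.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from an iManager install).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" sslEnabledProtocols="SSLv2,TLSv1.2"
      ciphers="SSL_RSA_WITH_NULL_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_WITH_DES_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
    <Connector port="9443" SSLEnabled="true" sslEnabledProtocols="TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
  </Service>
</Server>
"""

# Tomcat attributes that carry protocol and cipher lists (JSSE, APR, SSLHostConfig).
PROTOCOL_ATTRS = ("sslEnabledProtocols", "sslProtocol", "SSLProtocol", "protocols")
CIPHER_ATTRS = ("ciphers", "SSLCipherSuite")

# Name patterns for the excluded classes, covering JSSE and OpenSSL spellings.
# Assumption: LOW is approximated as single DES (56-bit); 3DES names do not match.
WEAK_CIPHER_PATTERNS = {
    "NULL": re.compile(r"(^|[_-])NULL([_-]|$)"),
    "EXPORT": re.compile(r"(^|[_-])(EXPORT|EXP)\d*([_-]|$)"),
    "LOW": re.compile(r"(^|[_-])DES(40)?[_-]CBC(?!3)"),
}

def audit_server_xml(xml_text):
    """Return (port, finding) tuples for TLS settings that break the rules."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        # Settings may sit on the Connector or on a nested SSLHostConfig element.
        for elem in [conn, *conn.iter("SSLHostConfig")]:
            protocols = " ".join(elem.get(a, "") for a in PROTOCOL_ATTRS)
            for token in re.split(r"[,+\s]+", protocols):
                if token.upper() == "SSLV2":  # SSLv2Hello is a hello format, not flagged
                    findings.append((port, "protocol SSLv2 enabled"))
            ciphers = " ".join(elem.get(a, "") for a in CIPHER_ATTRS)
            for suite in filter(None, re.split(r"[,:\s]+", ciphers)):
                if suite.startswith(("!", "-")):  # OpenSSL exclusions are not enabled suites
                    continue
                for label, pattern in WEAK_CIPHER_PATTERNS.items():
                    if pattern.search(suite.upper()):
                        findings.append((port, f"{label} cipher suite {suite}"))
    return findings

if __name__ == "__main__":
    for port, finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"Connector port {port}: {finding}")
```

An empty result only means no listed name matched; a connector with no explicit cipher list falls back to the defaults of its Java or OpenSSL runtime, which this script does not inspect.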

More information for Tomcat is available at the Apache Tomcat Documentation Web site.

NOTE: Because of the way that iManager interprets and uses data, there are no known risks of HTML-based attacks such as cross-site scripting.