Crypto-agility configuration for Tomcat, that is, which TLS protocol versions and cipher suites each HTTPS connector accepts, is described below. The settings to change are the SSLProtocol and SSLCipherSuite attributes of each Connector; SSLCipherSuite uses OpenSSL cipher-list syntax.

  • Location of the file for setting ciphers for Tomcat:
    /usr/local/tomcat/conf/server.xml ->
    /usr/local/desktone/release/active/conf/server.xml
    (the first path is a link that resolves to the second; the edit lands in the second file)
  • Tomcat in the appliances has three Connectors.
    Note: Not all appliances have the same connectors.

    The first connector listens on port 443 and handles traffic from outside the platform. Its cipher configuration is the Connector element shown below in the above-mentioned file. This port is configured on the Service Provider and Resource Manager appliances.

Configuration in Service Provider

<Connector
    protocol="HTTP/1.1"
    allowTrace="false"
    SSLEnabled="true"
    port="443"
    maxThreads="500"
    maxHttpHeaderSize="32768"
    scheme="https"
    secure="true"
    clientAuth="false"
    enableLookups="false"
    SSLEngine="on"
    SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
    SSLCertificateFile="/usr/local/desktone/cert/ssl_cert_file"
    SSLCertificateKeyFile="/usr/local/desktone/cert/ssl_cert_key_file"
    SSLCACertificateFile="/usr/local/desktone/cert/ssl_ca_cert_file"
    SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
    URIEncoding="UTF-8"
    server="VMware Horizon DaaS" />
  • Configuration in Resource Manager

    <Connector
        SSLCACertificateFile="/usr/local/desktone/cert/ssl_ca_cert_file"
        SSLCertificateFile="/usr/local/desktone/cert/ssl_cert_file"
        SSLCertificateKeyFile="/usr/local/desktone/cert/ssl_cert_key_file"
        SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
        SSLEnabled="true"
        SSLEngine="on"
        SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
        URIEncoding="UTF-8"
        allowTrace="false"
        clientAuth="false"
        enableLookups="false"
        maxHttpHeaderSize="32768"
        maxThreads="500"
        port="443"
        protocol="HTTP/1.1"
        scheme="https"
        secure="true"
        server="VMware Horizon DaaS"/>
    
    Note: The second connector listens on port 4443. This port is configured only on Tenant and Desktop Manager appliances. As shipped, its SSLProtocol omits TLSv1 (TLSv1.1+TLSv1.2), unlike the port 443 connectors above.

Configuration in Tenant

<Connector
    SSLCACertificateFile="/usr/local/desktone/cert/ssl_ca_cert_file"
    SSLCertificateFile="/usr/local/desktone/cert/ssl_cert_file"
    SSLCertificateKeyFile="/usr/local/desktone/cert/ssl_cert_key_file"
    SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
    SSLEnabled="true"
    SSLEngine="on"
    SSLProtocol="TLSv1.1+TLSv1.2"
    URIEncoding="UTF-8"
    allowTrace="false"
    clientAuth="false"
    enableLookups="false"
    maxHttpHeaderSize="32768"
    maxThreads="500"
    port="4443"
    protocol="HTTP/1.1"
    scheme="https"
    secure="true"
    server="VMware Horizon DaaS"/>
Note: The third connector listens on port 8443 and is used for inter-appliance communication. It presents the appliance certificate (appliance_cert_file and appliance_key_file) rather than the external SSL certificate used on port 443. Its cipher configuration is the Connector element shown below in the above-mentioned file. This port is configured on all the appliances (Service Provider, Resource Manager, Tenants, and Desktop Managers).
  • Configuration in Service Provider
    <Connector
        protocol="HTTP/1.1"
        allowTrace="false"
        SSLEnabled="true"
        port="8443"
        maxThreads="500"
        maxHttpHeaderSize="32768"
        scheme="https"
        secure="true"
        clientAuth="false"
        enableLookups="false"
        SSLEngine="on"
        SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
        SSLCertificateFile="/usr/local/desktone/cert/appliance_cert_file"
        SSLCertificateKeyFile="/usr/local/desktone/cert/appliance_key_file"
        SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
        server="VMware Horizon DaaS" />
    
  • Configuration in Resource Manager
    <Connector
        SSLCertificateFile="/usr/local/desktone/cert/appliance_cert_file"
        SSLCertificateKeyFile="/usr/local/desktone/cert/appliance_key_file"
        SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
        SSLEnabled="true"
        SSLEngine="on"
        SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
        allowTrace="false"
        clientAuth="false"
        enableLookups="false"
        maxHttpHeaderSize="32768"
        maxThreads="500"
        port="8443"
        protocol="HTTP/1.1"
        scheme="https"
        secure="true"
        server="VMware Horizon DaaS"/>
  • Configuration in Tenant
    <Connector
        SSLCertificateFile="/usr/local/desktone/cert/appliance_cert_file"
        SSLCertificateKeyFile="/usr/local/desktone/cert/appliance_key_file"
        SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
        SSLEnabled="true"
        SSLEngine="on"
        SSLProtocol="TLSv1.1+TLSv1.2"
        allowTrace="false"
        clientAuth="false"
        enableLookups="false"
        maxHttpHeaderSize="32768"
        maxThreads="500"
        port="8443"
        protocol="HTTP/1.1"
        scheme="https"
        secure="true"
        server="VMware Horizon DaaS"/>
    Note: After modifying server.xml, restart the Tomcat service on the appliance so the new SSLProtocol and SSLCipherSuite values take effect:
    sudo service dtService restart
    Then confirm the result from a client, for example with openssl s_client -connect <appliance>:443, which reports the negotiated protocol and cipher.
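The following Python script is an added example, not code from the Horizon DaaS documentation or product. It parses a server.xml, lists the SSLProtocol and SSLCipherSuite of every SSL-enabled Connector, and flags what a reviewer of the strings above would want to tighten: TLSv1 and TLSv1.1 in SSLProtocol, the explicit DES-CBC3-SHA entry (which the trailing !DES does not remove, because in OpenSSL cipher-list syntax single DES and 3DES are separate aliases), and tokens such as AES128-GCM-SHA256, AES128, AES and HIGH that admit static-RSA key exchange with no forward secrecy. The embedded server.xml is a constructed sample: its port 443 connector carries the page's own values, and its port 8443 connector is a hypothetical already-tightened one for contrast. The hardened string the script proposes (TLSv1.2 only; the (EC)DHE GCM tokens of the original plus its exclusions) is this example's own policy, to be checked against the clients the appliance must serve before it is applied. Standard library only.

```python
"""Audit the TLS settings of each SSL-enabled Connector in a Tomcat server.xml.

Added example, not code from the VMware Horizon DaaS documentation or product.
The hardening policy below (TLSv1.2 only, ephemeral key exchange, AEAD suites)
is this example's own choice, not a vendor setting.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed server.xml. The port 443 connector carries the
# values shown on this page; the port 8443 connector is a hypothetical
# tightened one used for contrast. The 8080 connector has no TLS and is skipped.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector protocol="HTTP/1.1" SSLEnabled="true" port="443" scheme="https"
        secure="true" clientAuth="false" SSLEngine="on"
        SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
        SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"/>
    <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" scheme="https"
        secure="true" clientAuth="false" SSLEngine="on"
        SSLProtocol="TLSv1.2"
        SSLCipherSuite="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:!aNULL:!eNULL"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# OpenSSL token prefixes that pin the key exchange to (EC)DHE.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "kEDH")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_connectors(xml_text):
    """Return [(port, [protocols], [cipher tokens])] for every SSLEnabled Connector."""
    root = ET.fromstring(xml_text)
    found = []
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        protocols = [p for p in c.get("SSLProtocol", "").split("+") if p]
        ciphers = [t for t in c.get("SSLCipherSuite", "").split(":") if t]
        found.append((c.get("port"), protocols, ciphers))
    return found


def audit(protocols, ciphers):
    """Return the findings for one connector; an empty list means nothing flagged."""
    findings = []
    for p in protocols:
        if p in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {p}")
    for t in ciphers:
        if t.startswith("!"):
            continue  # an exclusion, not an enabled suite
        if "CBC3" in t or t == "3DES":
            # '!DES' later in the string does not remove this: in OpenSSL
            # syntax single DES and 3DES are different aliases ('!3DES').
            findings.append(f"3DES suite enabled: {t}")
        if not t.startswith(EPHEMERAL_PREFIXES):
            # Aliases such as AES128, AES, HIGH and plain RSA suites such as
            # AES128-GCM-SHA256 allow static-RSA key exchange (no forward secrecy).
            findings.append(f"no forward secrecy guaranteed: {t}")
    return findings


def harden(ciphers):
    """Keep only the (EC)DHE AEAD (GCM) tokens of the original plus its exclusions."""
    kept = [t for t in ciphers
            if t.startswith("!") or (t.startswith(EPHEMERAL_PREFIXES) and "GCM" in t)]
    return ":".join(kept)


def hardened_protocol():
    """Protocol value this example proposes for a flagged connector."""
    return "TLSv1.2"


def report(xml_text):
    """Audit every SSL connector, print a summary and return {port: findings}."""
    results = {}
    for port, protocols, ciphers in parse_connectors(xml_text):
        findings = audit(protocols, ciphers)
        results[port] = findings
        print(f"port {port}: SSLProtocol={'+'.join(protocols)}  {len(findings)} finding(s)")
        for f in findings:
            print("   -", f)
        if findings:
            print(f'   suggested: SSLProtocol="{hardened_protocol()}"')
            print(f'   suggested: SSLCipherSuite="{harden(ciphers)}"')
    return results


if __name__ == "__main__":
    report(SAMPLE_SERVER_XML)
```

To run it against an appliance, replace SAMPLE_SERVER_XML with the contents of a copy of /usr/local/desktone/release/active/conf/server.xml. The audit is deliberately strict about aliases: a token such as HIGH is flagged because it expands to whatever the appliance's OpenSSL build considers high-strength, including static-RSA and 3DES suites, so the effective list is only knowable by expanding it with openssl ciphers -v on the appliance itself.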