Tomcat 的加密彈性組態如下所述。
- Tomcat 密碼設定檔案的位置:
/usr/local/tomcat/conf/server.xml -> /usr/local/desktone/release/active/conf/server.xml
- 應用裝置中的 Tomcat 有三個連接器。
備註: 所有應用裝置都沒有相同的連接器。
第一個連接器接聽連接埠 443。這會接聽來自外部的流量。在上述檔案中,可在這幾行找到此元件的密碼組態。此連接埠會針對服務提供者和資源管理員應用裝置進行設定。
服務提供者中的組態
<Connector
protocol="HTTP/1.1"
allowTrace="false"
SSLEnabled="true"
port="443"
maxThreads="500"
maxHttpHeaderSize="32768"
scheme="https"
secure="true"
clientAuth="false"
enableLookups="false"
SSLEngine="on"
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
SSLCertificateFile="/usr/local/desktone/cert/ssl_cert_file"
SSLCertificateKeyFile="/usr/local/desktone/cert/ssl_cert_key_file"
SSLCACertificateFile="/usr/local/desktone/cert/ssl_ca_cert_file"
SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-
SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"URIEncoding="UTF-8"
server="VMware Horizon DaaS" />
-
資源管理員中的組態
<Connector SSLCACertificateFile="/usr/local/desktone/cert/ssl_ca_cert_file" SSLCertificateFile="/usr/local/desktone/cert/ssl_cert_file" SSLCertificateKeyFile="/usr/local/desktone/cert/ssl_cert_key_file" SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE- ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256- SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3- SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK" SSLEnabled="true" SSLEngine="on" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" URIEncoding="UTF-8" allowTrace="false" clientAuth="false" enableLookups="false" maxHttpHeaderSize="32768" maxThreads="500" port="443" protocol="HTTP/1.1" scheme="https" secure="true" server="VMware Horizon DaaS"/>
備註: 第二個連接器接聽連接埠 4443。此連接埠只在租用戶和桌面管理員應用裝置上設定。
租用戶中的組態
<Connector SSLCACertificateFile="/usr/local/desktone/cert/ssl_ca_cert_file" SSLCertificateFile="/usr/local/desktone/cert/ssl_cert_file" SSLCertificateKeyFile="/usr/local/desktone/cert/ssl_cert_key_file" SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK" SSLEnabled="true" SSLEngine="on" SSLProtocol="TLSv1.1+TLSv1.2" URIEncoding="UTF-8" allowTrace="false" clientAuth="false" enableLookups="false" maxHttpHeaderSize="32768" maxThreads="500" port="4443" protocol="HTTP/1.1" scheme="https" secure="true" server="VMware Horizon DaaS"/>
備註: 第三個連接器接聽連接埠 8443。此連接埠用於應用裝置間的通訊。在上述檔案中,可在這幾行找到此元件的密碼組態。此連接埠會針對所有應用裝置 (服務提供者、資源管理員、租用戶和桌面管理員) 進行設定。
- 服務提供者中的組態
<Connector protocol="HTTP/1.1" allowTrace="false" SSLEnabled="true" port="8443" maxThreads="500" maxHttpHeaderSize="32768" scheme="https" secure="true" clientAuth="false" enableLookups="false" SSLEngine="on" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" SSLCertificateFile="/usr/local/desktone/cert/appliance_cert_file" SSLCertificateKeyFile="/usr/local/desktone/cert/appliance_key_file" SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM- SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA- AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK" server="VMware Horizon DaaS" /> - 資源管理員中的組態
<Connector SSLCertificateFile="/usr/local/desktone/cert/appliance_cert_file" SSLCertificateKeyFile="/usr/local/desktone/cert/appliance_key_file" SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK" SSLEnabled="true" SSLEngine="on" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" allowTrace="false" clientAuth="false" enableLookups="false" maxHttpHeaderSize="32768" maxThreads="500" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" server="VMware Horizon DaaS"/>
- 租用戶中的組態
<Connector SSLCertificateFile="/usr/local/desktone/cert/appliance_cert_file" SSLCertificateKeyFile="/usr/local/desktone/cert/appliance_key_file" SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK" SSLEnabled="true" SSLEngine="on" SSLProtocol="TLSv1.1+TLSv1.2" allowTrace="false" clientAuth="false" enableLookups="false" maxHttpHeaderSize="32768" maxThreads="500" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" server="VMware Horizon DaaS"/>
備註: 修改後,請使用下列命令重新啟動應用裝置中的 tomcat 服務:sudo service dtService restart
