Kofax

How to disable TLS 1.0/1.1 communication for DWS

Article # 3029705

Question / Problem:

A security scanning tool reports TLS 1.0/1.1 as a vulnerability of the DWS service.
 

Answer / Solution:

Edit the DWS server.xml to configure the secure protocols it should use.

In C:\Windows\System32\config\systemprofile\AppData\Local\Nuance\Integrated\DWS\webserver\conf\server.xml, you can find the following Connector element (shown here with one attribute per line for readability; in the file it is a single line):

    <Connector SSLEnabled="true"
               allowUnsafeLegacyRenegotiation="true"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256"
               clientAuth="false"
               customerModifiedCiphers="false"
               enableLookups="false"
               equitracPrimaryPort="true"
               executor="nuanceThreadPool"
               keystoreFile="C:\Windows\system32\config\systemprofile\AppData\Local\Nuance\Integrated\DWS\webserver\conf\dws-server-key.jks"
               keystorePass="DNH9PSYIIIhHuEkObwm04Q=="
               maxHttpHeaderSize="32768"
               maxThreads="150"
               parseBodyMethods="POST, PUT"
               port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https"
               secure="true"
               server="DWS"
               sslEnabledProtocols="+TLSv1+TLSv1.1+TLSv1.2+SSLv2Hello"/>

Remove +TLSv1 and +TLSv1.1 from the sslEnabledProtocols attribute at the end of the element, so that it reads sslEnabledProtocols="+TLSv1.2+SSLv2Hello". DWS will then no longer offer TLS 1.0 or TLS 1.1.
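The check below is an added example, not part of the Kofax article or the DWS product: it parses a server.xml, reports any SSL-enabled Connector whose sslEnabledProtocols still lists the legacy protocols, and produces the hardened attribute value in the same "+proto" style the DWS file uses (the comma-separated form Tomcat also accepts is handled as well). The embedded server.xml is a constructed, trimmed sample; point audit_connectors at the real file's contents to audit a live install.

```python
import re
import xml.etree.ElementTree as ET

# Protocols the article says to drop from DWS; SSLv3 added because it is equally obsolete.
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")

# Constructed sample of a DWS-style server.xml, trimmed to the attributes the check needs.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector SSLEnabled="true" port="8443" scheme="https" secure="true"
               server="DWS" sslEnabledProtocols="+TLSv1+TLSv1.1+TLSv1.2+SSLv2Hello"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""


def split_protocols(value):
    """Split an sslEnabledProtocols value written either as '+A+B' or 'A,B'."""
    return [p for p in re.split(r"[+,\s]+", value) if p]


def harden_value(value):
    """Drop the legacy protocols and re-join in the style the original value used."""
    kept = [p for p in split_protocols(value) if p not in LEGACY_PROTOCOLS]
    if value.lstrip().startswith("+"):
        return "".join("+" + p for p in kept)
    return ",".join(kept)


def audit_connectors(xml_text):
    """Return (port, legacy protocols found, hardened value) for each SSL-enabled Connector.

    A Connector without sslEnabledProtocols falls back to the JVM's defaults, so it is
    reported with an empty value rather than guessed at.
    """
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        value = conn.get("sslEnabledProtocols", "")
        found = [p for p in split_protocols(value) if p in LEGACY_PROTOCOLS]
        findings.append((conn.get("port"), found, harden_value(value)))
    return findings


def harden_server_xml(xml_text):
    """Rewrite every sslEnabledProtocols attribute in place, leaving the rest of the file untouched."""
    # A targeted regex keeps comments, ordering and whitespace exactly as they were,
    # which an ElementTree round-trip would not.
    return re.sub(r'(sslEnabledProtocols=")([^"]*)(")',
                  lambda m: m.group(1) + harden_value(m.group(2)) + m.group(3), xml_text)


if __name__ == "__main__":
    for port, found, hardened in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: legacy={found or 'none'} -> sslEnabledProtocols=\"{hardened}\"")
```

Restart the DWS service after writing the hardened file, then re-run the scanner; the audit on the rewritten text should report no legacy protocols.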

 

Note:

DWS does not use the Windows SCHANNEL API for secure communication; it uses the Java (JSSE) implementation instead. This means that any changes made in the Windows registry to enable or disable ciphers and protocols (manually or with IISCrypto) will NOT affect DWS; they only affect native executables such as CAS, DCE, DRE and DCS.

Java-based components such as DWS take their TLS settings from their own server.xml file.

Applies to:

Product         Version
ControlSuite    1.x
Equitrac        5.x