
New Xton Documentation Center
Xton help has moved. Please visit the current version of this page for the most recent updates. Our new documentation center can be found at help.xtontech.com.


How to Harden XTAM Connectors with Strong Protocols and Ciphers

To restrict the protocols and ciphers that older deployments of XTAM Server use for SSL to TLS 1.2 and later, perform the following procedure.

By default, new and recent deployments of XTAM use only TLS 1.2, but this article still applies if the protocol needs to be modified for specific purposes.

1. Login to the XTAM host server with an account that has permissions to modify files and restart services. Both will be required to complete this activity successfully.

2. Make a backup copy of the file $XTAM/web/conf/server.xml. We will be making a few updates to this file, and if anything goes wrong you can restore this copy from the backup.

3. Open the file $XTAM/web/conf/server.xml in a text editor.

4. In the file, locate the Connector definition for the port that XTAM listens on. In our example this is port 6443, but it may be different in your instance. In this definition, make the following changes:

  • Change the current sslProtocol="TLS" to sslProtocol="TLSv1.2"
  • Add the attribute for enabled protocols one line after sslProtocol:
    sslEnabledProtocols="TLSv1.2+TLSv1.3"
  • Add the attribute for enabled ciphers one line after sslEnabledProtocols:
    ciphers="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

Here is how the default Connector definition looks when using port 6443 (your port may be different):

<Connector
           keystoreFile="${xtam.cert.path}" 
           keystorePass="${xtam.cert.password}"
           protocol="com.pam.config.Http11NioEncryptedProtocol"
           port="6443" maxThreads="200" proxyPort="443" 
           scheme="https" secure="true" SSLEnabled="true"
           sslProtocol="TLS"
           clientAuth="false" keystoreType="JKS"/>

And here is how the updated Connector definition will look when using port 6443 (your port may be different):

<Connector
           keystoreFile="${xtam.cert.path}" 
           keystorePass="${xtam.cert.password}"
           protocol="com.pam.config.Http11NioEncryptedProtocol"
           port="6443" maxThreads="200" proxyPort="443" 
           scheme="https" secure="true" SSLEnabled="true"
           sslProtocol="TLSv1.2"
           sslEnabledProtocols="TLSv1.2+TLSv1.3"
           ciphers="TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
           clientAuth="false" keystoreType="JKS"/>

5. After you have made and confirmed your changes, save and close this file.

6. Finally, restart the PamManagement (Windows) or pammanager (Linux) service to complete the procedure.

This change restricts XTAM's SSL termination to the enabled protocols and ciphers only. If XTAM is accessed through a load balancer, make similar changes on the load balancer according to its documentation.
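Added example, not Xton's code, to check that the hardening actually took: a small Python audit that parses a server.xml and flags any TLS connector still using the default sslProtocol="TLS", a missing or legacy sslEnabledProtocols value, or a cipher suite built on CBC, RC4, 3DES and similar constructions. The function names and the embedded sample connectors are assumptions constructed for this example; point audit_server_xml() at the contents of $XTAM/web/conf/server.xml to run it against a real deployment.

```python
import xml.etree.ElementTree as ET

# Protocols the article leaves enabled; anything else on a TLS connector is a finding.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Name fragments that mark legacy or weak suites (CBC, RC4, 3DES, NULL, export, MD5, anon DH).
WEAK_MARKERS = ("_CBC_", "_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_MD5", "anon")

def _split(value):
    # sslEnabledProtocols is '+'-separated in the article, ciphers is ','-separated.
    return [p.strip() for p in value.replace("+", ",").split(",") if p.strip()]

def audit_connector(conn):
    """Return findings for one <Connector>; an empty list means it is hardened."""
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain-HTTP connector, nothing TLS-related to check
    port = conn.get("port", "?")
    if conn.get("sslProtocol") != "TLSv1.2":
        findings.append(f"port {port}: sslProtocol is {conn.get('sslProtocol')!r}, expected 'TLSv1.2'")
    enabled = set(_split(conn.get("sslEnabledProtocols", "")))
    if not enabled:
        findings.append(f"port {port}: sslEnabledProtocols missing, JVM defaults apply")
    elif enabled - ALLOWED_PROTOCOLS:
        findings.append(f"port {port}: legacy protocols enabled: {sorted(enabled - ALLOWED_PROTOCOLS)}")
    ciphers = _split(conn.get("ciphers", ""))
    if not ciphers:
        findings.append(f"port {port}: ciphers missing, JVM defaults apply")
    findings += [f"port {port}: weak cipher suite {c}" for c in ciphers
                 if any(m in c for m in WEAK_MARKERS)]
    return findings

def audit_server_xml(xml_text):
    """Audit every Connector in a server.xml document (string) and return all findings."""
    root = ET.fromstring(xml_text)
    return [f for conn in root.iter("Connector") for f in audit_connector(conn)]

# Constructed samples mirroring the article's "before" and "after" connectors
# (keystore attributes omitted; they do not affect the check).
SAMPLE_BEFORE = """<Server><Service><Connector port="6443" SSLEnabled="true"
  scheme="https" secure="true" sslProtocol="TLS" clientAuth="false"/></Service></Server>"""
SAMPLE_AFTER = """<Server><Service><Connector port="6443" SSLEnabled="true"
  scheme="https" secure="true" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2+TLSv1.3"
  ciphers="TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/></Service></Server>"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_server_xml(text) or "OK")
```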


To configure the SSH Proxy Security Algorithms

To select the specific Key Exchange, Message Authentication Code (MAC) and Cipher algorithms used by the SSH Proxy client connection, and to remove weak algorithms that the SSH Proxy would otherwise use when negotiating connections, use the global parameters listed below.

Located in Administration > Settings > Parameters:

  • SSH Proxy Ciphers
  • SSH Proxy Key Exchange Algorithms
  • SSH Proxy Macs

Please review the Context Help button for each option in the XTAM interface for descriptions.


Copyright © 2020 Xton Technologies, LLC. All rights reserved.