Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
tutorial:adm:server_preparation [2019/11/26 09:00]
fiserp [Tomcat] 		tutorial:adm:server_preparation [2019/11/28 13:26]
fiserp [Disabling mod_security rules]
Line 639: Line 639:
 To do so, add following lines to the virtualhost config file (ssl.conf): To do so, add following lines to the virtualhost config file (ssl.conf):
 <code> <code>
-  RewriteEngine On +RewriteEngine On 
-  RewriteRule "^/$"  "/idm/" [R] +RewriteRule "^/$"  "/idm/" [R] 
 </code> </code>
  
-In the file ssl.conf we also have to disable SSLv3. Edit the line with SSLProtocol directive:+We also have to secure the communication**Edit** corresponding lines in ''ssl.conf'' so they look like this.
 <code> <code>
-SSLProtocol all -SSLv2 -SSLv3+SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 
 +SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4:!3DES+SHA:!IDEA 
 +SSLHonorCipherOrder on
 </code> </code>
 +<note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM. If this is your case, you may need to slacken the cipher settings a bit.</note>
  
 On Debian, create symlinks to sites-enabled: On Debian, create symlinks to sites-enabled:
Line 713: Line 716:
         # These break Certificate Authority module         # These break Certificate Authority module
  <Location "/idm/api/v1/crt/certificates/action/validate">  <Location "/idm/api/v1/crt/certificates/action/validate">
 + SecRuleRemoveById 960915
 + SecRuleRemoveById 200003
 + </Location>
 +
 + # Modsec can throw false positives on some files due to multipart boundary check
 + <Location "/idm/api/v1/attachments/upload">
  SecRuleRemoveById 960915  SecRuleRemoveById 960915
  SecRuleRemoveById 200003  SecRuleRemoveById 200003
  • by koulaj