Skip to content

Update security guideline documentation #6029

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
hwupathum wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Update security guideline documentation #6029

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
63552f5
Update security guideline documentation
hwupathum Mar 31, 2026
7fcb778
Remove JVM Param section
hwupathum Mar 31, 2026
9789022
Add guideline to disable HTTP transport
hwupathum Mar 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 5 additions & 37 deletions ...dentity-server/7.0.0/docs/deploy/security/configure-transport-level-security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,52 +17,20 @@

2. Restart the server.

## Disable weak ciphers
## Configure cipher suites

A cipher is an algorithm for performing encryption or decryption. When the `sslprotocol` is set to `TLS`, only the TLS and default ciphers are enabled by default. However, note that the strength of the ciphers will not be considered when they are enabled.
By default, all SSL ciphers supported by JSSE are enabled. To restrict the server to a specific set of secure cipher suites, explicitly configure the `ciphers` property. If left blank, weak ciphers (including EXPORT ciphers) will also be available, which can make the server vulnerable to attacks such as the Logjam attack.

This is a security risk as weak ciphers, also known as EXPORT ciphers, can make your system vulnerable to attacks such as the Logjam attack on Diffie-Hellman key exchange.
1. Use the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/#server=tomcat&version=9.0.58&config=intermediate&guideline=5.6){:target="_blank"} to get a recommended list of cipher suites for your Tomcat version and security profile.

Therefore, to disable the weak ciphers, you must ensure that only the ciphers you want your server to support are entered as the `ciphers` attribute in the comma-separated list. Also, if you do not add this cipher attribute or keep it blank, all SSL ciphers by JSSE will be supported by your server, thereby enabling the weak ciphers.

1. Navigate to the `deployment.toml` file in the `<IS_HOME>/repository/conf` directory.

2. Take a backup of the `deployment.toml` file and stop the WSO2 IS server.

3. Add the following configuration to the `deployment.toml` file by adding the list of ciphers that you want your server to support as follows:

!!! note
For a list of cipher suites that are secure and functional in Tomcat for the TLSv1.2 and TLSv1.3 protocols, see the list of ciphers provided in the [secure configuration generator](https://ssl-config.mozilla.org/#server=tomcat&version=9.0.58&config=intermediate&guideline=5.6){:target="_blank"}, which the Mozilla Foundation provides.
2. Add the selected ciphers as a comma-separated list to the `<IS_HOME>/repository/conf/deployment.toml` file:

```toml
[transport.https.sslHostConfig.properties]
ciphers="<cipher-name>,<cipher-name>"
```

4. Start the server.

5. To verify that the configurations are all set correctly, download and run the [TestSSLServer.jar]({{base_path}}/assets/attachments/TestSSLServer.jar).

``` java
$ java -jar TestSSLServer.jar localhost 9443
```

!!! note
Note the following when you run `TestSSLServer.jar` :

- The "Supported cipher suites" section in the output does not contain any EXPORT ciphers.

- When you use the supported cipher suites, the BEAST attack status will be shown as vulnerable. This is a client-side vulnerability caused by the TLSv1 protocol. You can protect the BEAST status by removing TLSv1, which will make clients with TLSv1 unusable. Therefore, it is recommended to resolve this on the client side.

From **Firefox 39.0** onwards, the browser does not allow access to websites that support DHE with keys less than `1023` bits (not just `DHE\_EXPORT`). `768/1024` bits are considered too small and vulnerable to attacks if the hacker has enough computing resources.

!!! tip
To use AES-256, the Java JCE Unlimited Strength Jurisdiction Policy files need to be installed. Download them from [here](http://www.oracle.com/technetwork/java/javase/downloads/index.html){:target="_blank"}.

From Java 7, you must set the `jdk.certpath.disabledAlgorithms` property in the `<JAVA_HOME>/jre/lib/security/java.security` file to `jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048`. It rejects all algorithms that have key sizes less than `2048` for `MD2`, `DSA`, and `RSA`.

!!! note
This tip is not applicable when disabling weak ciphers in the WSO2 Identity Server.
3. Restart the server.

## Enable SSL protocols and ciphers in ThriftAuthenticationService

Expand All @@ -87,7 +55,7 @@

If you wish to remove `TLSv1` or `TLSv1.1`, you can do so by removing them as values from the `<SSLEnabledProtocols>` property.


Check failure on line 58 in en/identity-server/7.0.0/docs/deploy/security/configure-transport-level-security.md

View workflow job for this annotation

GitHub Actions / lint

Multiple consecutive blank lines 

en/identity-server/7.0.0/docs/deploy/security/configure-transport-level-security.md:58 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md012.md
2. Restart the server.

## Change the server name in HTTP response headers
Expand All @@ -97,7 +65,7 @@
1. Open the `<IS_HOME>/repository/conf/deployment.toml` file.
2. Add a new server name by adding the following property under the relevant Tomcat connector configuration.

```

Check failure on line 68 in en/identity-server/7.0.0/docs/deploy/security/configure-transport-level-security.md

View workflow job for this annotation

GitHub Actions / lint

Fenced code blocks should have a language specified 

en/identity-server/7.0.0/docs/deploy/security/configure-transport-level-security.md:68 MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md040.md
[transport.https.properties]
server="WSO2 WSO2 IS server"
[transport.http.properties]
Expand All @@ -106,7 +74,7 @@

## Enable/disable http/https transport

By default, both the `http` and `https` connectors are enabled. To disable either the `http` or `https` connector, add the corresponding configuration to `<IS_HOME>/repository/conf/deployment.toml` as shown below.

Check failure on line 77 in en/identity-server/7.0.0/docs/deploy/security/configure-transport-level-security.md

View workflow job for this annotation

GitHub Actions / lint

Trailing spaces 

en/identity-server/7.0.0/docs/deploy/security/configure-transport-level-security.md:77:214 MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md009.md

```toml
[transport]
Expand Down
42 changes: 5 additions & 37 deletions ...dentity-server/7.1.0/docs/deploy/security/configure-transport-level-security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,52 +17,20 @@

2. Restart the server.

## Disable weak ciphers
## Configure cipher suites

A cipher is an algorithm for performing encryption or decryption. When the `sslprotocol` is set to `TLS`, only the TLS and default ciphers are enabled by default. However, note that the strength of the ciphers will not be considered when they are enabled.
By default, all SSL ciphers supported by JSSE are enabled. To restrict the server to a specific set of secure cipher suites, explicitly configure the `ciphers` property. If left blank, weak ciphers (including EXPORT ciphers) will also be available, which can make the server vulnerable to attacks such as the Logjam attack.
Copy link
Copy Markdown
Contributor

@himeshsiriwardana himeshsiriwardana Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
By default, all SSL ciphers supported by JSSE are enabled. To restrict the server to a specific set of secure cipher suites, explicitly configure the `ciphers` property. If left blank, weak ciphers (including EXPORT ciphers) will also be available, which can make the server vulnerable to attacks such as the Logjam attack.
By default, {{product_name}} allows all SSL ciphers supported by JSSE. To restrict the server to a specific set of secure cipher suites, you can configure the `ciphers` property. If left blank, weak ciphers (including EXPORT ciphers) will also be available, which can make the server vulnerable to attacks such as the Logjam attack.

Copy link
Copy Markdown
Contributor

@himeshsiriwardana himeshsiriwardana Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add reference links for JSSE and Logkam attack.


This is a security risk as weak ciphers, also known as EXPORT ciphers, can make your system vulnerable to attacks such as the Logjam attack on Diffie-Hellman key exchange.
1. Use the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/#server=tomcat&version=9.0.58&config=intermediate&guideline=5.6){:target="_blank"} to get a recommended list of cipher suites for your Tomcat version and security profile.

Therefore, to disable the weak ciphers, you must ensure that only the ciphers you want your server to support are entered as the `ciphers` attribute in the comma-separated list. Also, if you do not add this cipher attribute or keep it blank, all SSL ciphers by JSSE will be supported by your server, thereby enabling the weak ciphers.

1. Navigate to the `deployment.toml` file in the `<IS_HOME>/repository/conf` directory.

2. Take a backup of the `deployment.toml` file and stop the WSO2 IS server.

3. Add the following configuration to the `deployment.toml` file by adding the list of ciphers that you want your server to support as follows:

!!! note
For a list of cipher suites that are secure and functional in Tomcat for the TLSv1.2 and TLSv1.3 protocols, see the list of ciphers provided in the [secure configuration generator](https://ssl-config.mozilla.org/#server=tomcat&version=9.0.58&config=intermediate&guideline=5.6){:target="_blank"}, which the Mozilla Foundation provides.
2. Add the selected ciphers as a comma-separated list to the `<IS_HOME>/repository/conf/deployment.toml` file:

```toml
[transport.https.sslHostConfig.properties]
ciphers="<cipher-name>,<cipher-name>"
```

4. Start the server.

5. To verify that the configurations are all set correctly, download and run the [TestSSLServer.jar]({{base_path}}/assets/attachments/TestSSLServer.jar).

``` java
$ java -jar TestSSLServer.jar localhost 9443
```

!!! note
Note the following when you run `TestSSLServer.jar` :

- The "Supported cipher suites" section in the output does not contain any EXPORT ciphers.

- When you use the supported cipher suites, the BEAST attack status will be shown as vulnerable. This is a client-side vulnerability caused by the TLSv1 protocol. You can protect the BEAST status by removing TLSv1, which will make clients with TLSv1 unusable. Therefore, it is recommended to resolve this on the client side.

From **Firefox 39.0** onwards, the browser does not allow access to websites that support DHE with keys less than `1023` bits (not just `DHE\_EXPORT`). `768/1024` bits are considered too small and vulnerable to attacks if the hacker has enough computing resources.

!!! tip
To use AES-256, the Java JCE Unlimited Strength Jurisdiction Policy files need to be installed. Download them from [here](http://www.oracle.com/technetwork/java/javase/downloads/index.html).

From Java 7, you must set the `jdk.certpath.disabledAlgorithms` property in the `<JAVA_HOME>/jre/lib/security/java.security` file to `jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048`. It rejects all algorithms that have key sizes less than `2048` for `MD2`, `DSA`, and `RSA`.

!!! note
This tip is not applicable when disabling weak ciphers in the WSO2 Identity Server.
3. Restart the server.

## Enable SSL protocols and ciphers in ThriftAuthenticationService

Expand All @@ -87,7 +55,7 @@

If you wish to remove `TLSv1` or `TLSv1.1`, you can do so by removing them as values from the `<SSLEnabledProtocols>` property.


Check failure on line 58 in en/identity-server/7.1.0/docs/deploy/security/configure-transport-level-security.md

View workflow job for this annotation

GitHub Actions / lint

Multiple consecutive blank lines 

en/identity-server/7.1.0/docs/deploy/security/configure-transport-level-security.md:58 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md012.md
2. Restart the server.

## Change the server name in HTTP response headers
Expand All @@ -97,7 +65,7 @@
1. Open the `<IS_HOME>/repository/conf/deployment.toml` file.
2. Add a new server name by adding the following property under the relevant Tomcat connector configuration.

```

Check failure on line 68 in en/identity-server/7.1.0/docs/deploy/security/configure-transport-level-security.md

View workflow job for this annotation

GitHub Actions / lint

Fenced code blocks should have a language specified 

en/identity-server/7.1.0/docs/deploy/security/configure-transport-level-security.md:68 MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md040.md
[transport.https.properties]
server="WSO2 WSO2 IS server"
[transport.http.properties]
Expand All @@ -106,7 +74,7 @@

## Enable/disable http/https transport

By default, both the `http` and `https` connectors are enabled. To disable either the `http` or `https` connector, add the corresponding configuration to `<IS_HOME>/repository/conf/deployment.toml` as shown below.

Check failure on line 77 in en/identity-server/7.1.0/docs/deploy/security/configure-transport-level-security.md

View workflow job for this annotation

GitHub Actions / lint

Trailing spaces 

en/identity-server/7.1.0/docs/deploy/security/configure-transport-level-security.md:77:214 MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md009.md

```toml
[transport]
Expand Down
42 changes: 5 additions & 37 deletions ...dentity-server/7.2.0/docs/deploy/security/configure-transport-level-security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,52 +17,20 @@

2. Restart the server.

## Disable weak ciphers
## Configure cipher suites

A cipher is an algorithm for performing encryption or decryption. When the `sslprotocol` is set to `TLS`, only the TLS and default ciphers are enabled by default. However, note that the strength of the ciphers will not be considered when they are enabled.
By default, all SSL ciphers supported by JSSE are enabled. To restrict the server to a specific set of secure cipher suites, explicitly configure the `ciphers` property. If left blank, weak ciphers (including EXPORT ciphers) will also be available, which can make the server vulnerable to attacks such as the Logjam attack.

This is a security risk as weak ciphers, also known as EXPORT ciphers, can make your system vulnerable to attacks such as the Logjam attack on Diffie-Hellman key exchange.
1. Use the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/#server=tomcat&version=9.0.58&config=intermediate&guideline=5.6){:target="_blank"} to get a recommended list of cipher suites for your Tomcat version and security profile.

Therefore, to disable the weak ciphers, you must ensure that only the ciphers you want your server to support are entered as the `ciphers` attribute in the comma-separated list. Also, if you do not add this cipher attribute or keep it blank, all SSL ciphers by JSSE will be supported by your server, thereby enabling the weak ciphers.

1. Navigate to the `deployment.toml` file in the `<IS_HOME>/repository/conf` directory.

2. Take a backup of the `deployment.toml` file and stop the WSO2 IS server.

3. Add the following configuration to the `deployment.toml` file by adding the list of ciphers that you want your server to support as follows:

!!! note
For a list of cipher suites that are secure and functional in Tomcat for the TLSv1.2 and TLSv1.3 protocols, see the list of ciphers provided in the [secure configuration generator](https://ssl-config.mozilla.org/#server=tomcat&version=9.0.58&config=intermediate&guideline=5.6){:target="_blank"}, which the Mozilla Foundation provides.
2. Add the selected ciphers as a comma-separated list to the `<IS_HOME>/repository/conf/deployment.toml` file:

```toml
[transport.https.sslHostConfig.properties]
ciphers="<cipher-name>,<cipher-name>"
```

4. Start the server.

5. To verify that the configurations are all set correctly, download and run the [TestSSLServer.jar]({{base_path}}/assets/attachments/TestSSLServer.jar).

``` java
$ java -jar TestSSLServer.jar localhost 9443
```

!!! note
Note the following when you run `TestSSLServer.jar` :

- The "Supported cipher suites" section in the output does not contain any EXPORT ciphers.

- When you use the supported cipher suites, the BEAST attack status will be shown as vulnerable. This is a client-side vulnerability caused by the TLSv1 protocol. You can protect the BEAST status by removing TLSv1, which will make clients with TLSv1 unusable. Therefore, it is recommended to resolve this on the client side.

From **Firefox 39.0** onwards, the browser does not allow access to websites that support DHE with keys less than `1023` bits (not just `DHE\_EXPORT`). `768/1024` bits are considered too small and vulnerable to attacks if the hacker has enough computing resources.

!!! tip
To use AES-256, the Java JCE Unlimited Strength Jurisdiction Policy files need to be installed. Download them from [here](http://www.oracle.com/technetwork/java/javase/downloads/index.html).

From Java 7, you must set the `jdk.certpath.disabledAlgorithms` property in the `<JAVA_HOME>/jre/lib/security/java.security` file to `jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048`. It rejects all algorithms that have key sizes less than `2048` for `MD2`, `DSA`, and `RSA`.

!!! note
This tip is not applicable when disabling weak ciphers in the WSO2 Identity Server.
3. Restart the server.

## Enable SSL protocols and ciphers in ThriftAuthenticationService

Expand All @@ -87,7 +55,7 @@

If you wish to remove `TLSv1` or `TLSv1.1`, you can do so by removing them as values from the `<SSLEnabledProtocols>` property.


Check failure on line 58 in en/identity-server/7.2.0/docs/deploy/security/configure-transport-level-security.md

View workflow job for this annotation

GitHub Actions / lint

Multiple consecutive blank lines 

en/identity-server/7.2.0/docs/deploy/security/configure-transport-level-security.md:58 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md012.md
2. Restart the server.

## Change the server name in HTTP response headers
Expand All @@ -97,7 +65,7 @@
1. Open the `<IS_HOME>/repository/conf/deployment.toml` file.
2. Add a new server name by adding the following property under the relevant Tomcat connector configuration.

```

Check failure on line 68 in en/identity-server/7.2.0/docs/deploy/security/configure-transport-level-security.md

View workflow job for this annotation

GitHub Actions / lint

Fenced code blocks should have a language specified 

en/identity-server/7.2.0/docs/deploy/security/configure-transport-level-security.md:68 MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md040.md
[transport.https.properties]
server="WSO2 WSO2 IS server"
[transport.http.properties]
Expand All @@ -106,7 +74,7 @@

## Enable/disable http/https transport

By default, both the `http` and `https` connectors are enabled. To disable either the `http` or `https` connector, add the corresponding configuration to `<IS_HOME>/repository/conf/deployment.toml` as shown below.

Check failure on line 77 in en/identity-server/7.2.0/docs/deploy/security/configure-transport-level-security.md

View workflow job for this annotation

GitHub Actions / lint

Trailing spaces 

en/identity-server/7.2.0/docs/deploy/security/configure-transport-level-security.md:77:214 MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md009.md

```toml
[transport]
Expand Down
55 changes: 19 additions & 36 deletions en/identity-server/next/docs/deploy/security/configure-transport-level-security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,52 +17,35 @@

2. Restart the server.

## Disable weak ciphers
## Configure cipher suites

A cipher is an algorithm for performing encryption or decryption. When the `sslprotocol` is set to `TLS`, only the TLS and default ciphers are enabled by default. However, note that the strength of the ciphers will not be considered when they are enabled.
The following cipher suites are enabled by default:

This is a security risk as weak ciphers, also known as EXPORT ciphers, can make your system vulnerable to attacks such as the Logjam attack on Diffie-Hellman key exchange.
| Cipher Suite | TLS Version |
|---|---|
| `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` | TLS 1.2 |
| `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` | TLS 1.2 |
| `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` | TLS 1.2 |
| `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` | TLS 1.2 |
| `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` | TLS 1.2 |
| `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` | TLS 1.2 |
| `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256` | TLS 1.2 |
| `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` | TLS 1.2 |
| `TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256` | TLS 1.2 |
| `TLS_AES_128_GCM_SHA256` | TLS 1.3 |
| `TLS_AES_256_GCM_SHA384` | TLS 1.3 |
| `TLS_CHACHA20_POLY1305_SHA256` | TLS 1.3 |

Therefore, to disable the weak ciphers, you must ensure that only the ciphers you want your server to support are entered as the `ciphers` attribute in the comma-separated list. Also, if you do not add this cipher attribute or keep it blank, all SSL ciphers by JSSE will be supported by your server, thereby enabling the weak ciphers.
To override the default cipher suites, use the [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/#server=tomcat&version=9.0.58&config=intermediate&guideline=5.6){:target="_blank"} to select a cipher list suitable for your Tomcat version and security profile, then configure it as follows:

1. Navigate to the `deployment.toml` file in the `<IS_HOME>/repository/conf` directory.

2. Take a backup of the `deployment.toml` file and stop the WSO2 IS server.

3. Add the following configuration to the `deployment.toml` file by adding the list of ciphers that you want your server to support as follows:

!!! note
For a list of cipher suites that are secure and functional in Tomcat for the TLSv1.2 and TLSv1.3 protocols, see the list of ciphers provided in the [secure configuration generator](https://ssl-config.mozilla.org/#server=tomcat&version=9.0.58&config=intermediate&guideline=5.6){:target="_blank"}, which the Mozilla Foundation provides.
1. Add the selected ciphers as a comma-separated list to the `<IS_HOME>/repository/conf/deployment.toml` file:

```toml
[transport.https.sslHostConfig.properties]
ciphers="<cipher-name>,<cipher-name>"
```

4. Start the server.

5. To verify that the configurations are all set correctly, download and run the [TestSSLServer.jar]({{base_path}}/assets/attachments/TestSSLServer.jar).

``` java
$ java -jar TestSSLServer.jar localhost 9443
```

!!! note
Note the following when you run `TestSSLServer.jar` :

- The "Supported cipher suites" section in the output does not contain any EXPORT ciphers.

- When you use the supported cipher suites, the BEAST attack status will be shown as vulnerable. This is a client-side vulnerability caused by the TLSv1 protocol. You can protect the BEAST status by removing TLSv1, which will make clients with TLSv1 unusable. Therefore, it is recommended to resolve this on the client side.

From **Firefox 39.0** onwards, the browser does not allow access to websites that support DHE with keys less than `1023` bits (not just `DHE\_EXPORT`). `768/1024` bits are considered too small and vulnerable to attacks if the hacker has enough computing resources.

!!! tip
To use AES-256, the Java JCE Unlimited Strength Jurisdiction Policy files need to be installed. Download them from [here](http://www.oracle.com/technetwork/java/javase/downloads/index.html).

From Java 7, you must set the `jdk.certpath.disabledAlgorithms` property in the `<JAVA_HOME>/jre/lib/security/java.security` file to `jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048`. It rejects all algorithms that have key sizes less than `2048` for `MD2`, `DSA`, and `RSA`.

!!! note
This tip is not applicable when disabling weak ciphers in the WSO2 Identity Server.
2. Restart the server.

## Enable SSL protocols and ciphers in ThriftAuthenticationService

Expand All @@ -87,7 +70,7 @@

If you wish to remove `TLSv1` or `TLSv1.1`, you can do so by removing them as values from the `<SSLEnabledProtocols>` property.


Check failure on line 73 in en/identity-server/next/docs/deploy/security/configure-transport-level-security.md

View workflow job for this annotation

GitHub Actions / lint

Multiple consecutive blank lines 

en/identity-server/next/docs/deploy/security/configure-transport-level-security.md:73 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2] https://github.com/DavidAnson/markdownlint/blob/v0.38.0/doc/md012.md
2. Restart the server.

## Change the server name in HTTP response headers
Expand Down
Loading
Loading