How to configure CipherSuite used for SA Server/Jetty Server
Originally Published: 2014-10-23
Issue
The cipher suite is configurable via jetty configuration files.
Tasks
2. Restart the Jetty server for the change to take effect
Resolution
[root@saserver etc]# cat /etc/init/jettysrv.conf
# start/stop/respawn jetty server
start on runlevel [3]
stop on runlevel [!3]
console none
exec /opt/rsa/jetty9/bin/jetty.sh run
pre-start script
    if [ -d /var/lib/netwitness/jetty/uax ] && ! [ -d /var/lib/netwitness/uax/logs ]; then
        mkdir -p /var/lib/netwitness/uax/logs
    fi
end script
pre-stop script
    if [[ `ps x | grep "/usr/bin/java.*-jar /opt/rsa/jetty9/start.jar"` ]]; then
        exec /opt/rsa/jetty9/bin/jetty.sh stop
    fi
end script
respawn
respawn limit 10 5
In the above example, the Jetty home directory is /opt/rsa/jetty9/
2. Go to the Jetty home directory and find the SSL configuration file (etc/jetty-ssl.xml).
3. By default, the configuration contains the following cipher configuration entries:
<Set name="ExcludeCipherSuites">
<Array type="String">
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
</Array>
</Set>
These are the cipher suites that the Jetty server will not use.
To see a complete list of ciphers, consult this URL:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
4. Make a backup of the original XML file, then modify the cipher configuration section according to your requirements. You can either exclude more ciphers or use "<Set name="IncludeCipherSuites">" to allow only the ciphers configured there.
Below is an example that includes ciphers. (NOTE: if you need to include, remove the entire exclude section first.)
<Set name="IncludeCipherSuites">
<Array type="java.lang.String">
<Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
<Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
</Array>
</Set>
Another example, which only disables all the SSLv3 and lower cipher suites:
<Set name="ExcludeCipherSuites">
<Array type="String">
<Item>SSL_RSA_WITH_RC4_128_MD5</Item>
<Item>SSL_RSA_WITH_RC4_128_SHA</Item>
<Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
<Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
<Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_RSA_WITH_NULL_MD5</Item>
<Item>SSL_RSA_WITH_NULL_SHA</Item>
<Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
<Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
<Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
<Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
<Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
</Array>
</Set>
5. Restart the jettysrv service with the following commands:
restart jettysrv
or
stop jettysrv followed by start jettysrv
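Before restarting, the edited jetty-ssl.xml can be checked for the mistakes steps 3 and 4 warn about. The script below is an added example, not part of the original article or of Jetty: it reports an include section left alongside an exclude section, duplicate entries, and included suites whose names carry the algorithm tokens targeted by the exclude lists above. The function names, the token set and the sample XML are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Algorithm tokens found in the suites that the article's exclude lists target.
WEAK_TOKENS = {"NULL", "anon", "EXPORT", "DES", "DES40", "3DES", "RC4", "MD5"}

def cipher_lists(xml_text):
    """Collect the <Item> values of the Include/Exclude <Set> sections."""
    root = ET.fromstring(xml_text)
    lists = {"IncludeCipherSuites": [], "ExcludeCipherSuites": []}
    for node in root.iter("Set"):
        name = node.get("name")
        if name in lists:
            lists[name] += [(i.text or "").strip() for i in node.iter("Item")]
    return lists

def audit(xml_text):
    """Return a list of findings for the cipher configuration."""
    lists = cipher_lists(xml_text)
    inc, exc = lists["IncludeCipherSuites"], lists["ExcludeCipherSuites"]
    findings = []
    if inc and exc:  # the article says to remove the exclude section first
        findings.append("both Include and Exclude sections present")
    for label, suites in (("Include", inc), ("Exclude", exc)):
        for suite, count in Counter(suites).items():
            if count > 1:
                findings.append(f"duplicate in {label}: {suite}")
    for suite in inc:
        weak = sorted(WEAK_TOKENS & set(suite.split("_")))
        if weak:
            findings.append(f"weak suite included: {suite} ({', '.join(weak)})")
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE = """<Configure id="sslContextFactory">
  <Set name="ExcludeCipherSuites"><Array type="String">
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
  </Array></Set>
  <Set name="IncludeCipherSuites"><Array type="java.lang.String">
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
    <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
  </Array></Set>
</Configure>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a real file, pass its contents to audit(), for example audit(open("/opt/rsa/jetty9/etc/jetty-ssl.xml").read()).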