vCommander is installed with the tomcat web server and employs Secure Sockets Layer (SSL) to provide clients with secure connections. Over time, the security standards change as less secure protocols/ciphers are abandoned or disallowed by web browsers or operational standards, and new security exploits are discovered and reported. As this occurs Embotics strengthens the configuration of vCommander's tomcat server for each new release.
However, Embotics does not update existing tomcat configuration on upgrade, to protect against overwriting any customizations you may have already made. As such, it becomes necessary to make the modifications yourself. This article shows you how to:
- Ensure that your upgraded vCommander uses the most secure ciphers and protocols
- Enabled vCommander and the Service Portal to be used with Internet Explorer 10
Editing the Server.xml File
The tomcat web server is configured for security using the server.xml file. Follow the procedure below to modify the contents of the file.
- Login to the vCommander application server.
- Using a text editor, open the file \<install_dir>\embotics\vcommander\tomcat\conf\server.xml .
- Refer to the sections below to understand what are appropriate edits for your environment. Make these edits, and then save the file.
- Restart the vCommander Windows service.
If you simply want to ensure you are as secure as possible, instead of editing the server.xml file, you can overwrite it and then restart. The current default file is zipped and attached to this article.
In the server.xml file, the content sslEnabledProtocols-"TLSv1.2" defines which protocols are allowed when connecting to the web service.
As of vCommander 5.7.8, new installations will only permit the strongest protocol, TLSv1.2. This means that Internet Explorer 10 will no longer connect successfully, as it relies on less secure protocols. To allow Internet Explorer 10 to continue to connect to vCommander, replace this content with the following:
As a best practice, Embotics recommends upgrading customers who are not required to use Internet Explorer 10 enhance their security by updating the server.xml file to match the default vCommander 5.7.8 contents, as shown below:
In the server.xml file, the content ciphers="..." defines which ciphers are allowed when connecting to the web service.
As of vCommander 5.7.8, new installations will only permit the strongest ciphers, most recently removing those associated with the following vulnerabilities:
As a best practice, Embotics recommends upgrading customers enhance their security by updating the server.xml file to match the default vCommander 5.7.8 contents: