The page Secure Bridge Setup describes operational concepts for a secure Bridge setup. This page lists additional security recommendations to consider for E2E Bridge hardening.
Disabling TLS 1.0
If you do not have any clients that need TLS 1.0, we recommend disabling this protocol for the E2E Bridge for security reasons. To stay backwards compatible with MagicDraw 17 (see note), we did not implement this in the standard Bridge installation.
To disable TLS 1.0, you have to edit the Tomcat and Apache configuration files of the E2E Bridge as shown in the table below.
| | Location | Attribute/Property | Example | Notes |
|---|---|---|---|---|
| Tomcat | <your Bridge programs directory>/servlets/conf/server-dist.xml | sslEnabledProtocols | Change sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv2Hello" to sslEnabledProtocols="TLSv1.2,TLSv1.1,SSLv2Hello" | This file will get overwritten on Bridge updates! The old configuration file is copied to server.xml.old. So, after an E2E Bridge update, re-apply the changes from the backup copy of the file. |
| Apache | <your Bridge data directory>/proxies/templates/httpd.conf | SSLProtocol | Change SSLProtocol All -SSLv2 -SSLv3 to SSLProtocol All -SSLv2 -SSLv3 -TLSv1 | Copy the Apache templates that have been provided with your Bridge installation from folder <your Bridge data directory>/proxies/system_templates to folder <your Bridge data directory>/proxies/templates and modify the copy. The actually used file <your Bridge data directory>/proxies/conf/httpd.conf is generated from this template file on Bridge shut-down. The Bridge will generate the configuration from the file in folder templates if available. If not, the Bridge will use the system templates. |
Steps
- Apply changes to the three files as described above. Consider the notes!
- Restart the E2E Bridge to apply the changed Apache configuration from the template file.
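Because the Tomcat file is overwritten on Bridge updates and the Apache file is regenerated from a template, it is worth checking afterwards that TLS 1.0 is really gone from both. The following Python check is an added example, not part of the Bridge distribution; the function names and the sample Connector line are assumptions made for illustration.

```python
import re

# Simplified model of the protocol names mod_ssl accepts; what "All" covers
# depends on the Apache/OpenSSL build, but it includes TLSv1 where supported.
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}

def tomcat_tls10_values(xml_text):
    """Return every active sslEnabledProtocols value that still lists TLSv1."""
    active = re.sub(r"<!--.*?-->", "", xml_text, flags=re.S)  # skip commented-out connectors
    hits = []
    for value in re.findall(r'sslEnabledProtocols\s*=\s*"([^"]*)"', active):
        # Compare whole tokens: a substring search would also match "TLSv1.1".
        if "tlsv1" in {t.strip().lower() for t in value.split(",")}:
            hits.append(value)
    return hits

def apache_enabled(args):
    """Evaluate SSLProtocol arguments left to right: +x adds, -x removes, bare x replaces."""
    enabled = set()
    for arg in args.split():
        sign, name = (arg[0], arg[1:]) if arg[0] in "+-" else ("", arg)
        protos = ALL if name.lower() == "all" else {name.lower()}
        if sign == "-":
            enabled -= protos
        elif sign == "+":
            enabled |= protos
        else:
            enabled = set(protos)
    return enabled

def apache_tls10_lines(conf_text):
    """Return (line number, directive) for each SSLProtocol line that leaves TLSv1 on."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+)", line, flags=re.I)  # '#' comment lines never match
        if m and "tlsv1" in apache_enabled(m.group(1)):
            hits.append((no, line.strip()))
    return hits

if __name__ == "__main__":
    # Constructed sample input using the attribute values from the table above.
    xml = '<Connector sslEnabledProtocols="TLSv1.2,TLSv1.1,SSLv2Hello"/>'
    conf = "SSLProtocol All -SSLv2 -SSLv3\n# SSLProtocol All\nSSLProtocol All -SSLv2 -SSLv3 -TLSv1\n"
    print("Tomcat:", tomcat_tls10_values(xml) or "TLS 1.0 not listed")
    print("Apache:", apache_tls10_lines(conf) or "TLS 1.0 not enabled")
```

Feed the functions the contents of the Tomcat configuration file and of the generated <your Bridge data directory>/proxies/conf/httpd.conf after each restart or update; an empty result from both means no active setting still enables TLS 1.0.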