WHD also works with ciphers="TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA” with an "A-" grade
Worked like a charm.
Had to modify mine so WHD would start: ciphers="TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256" Still A- grade on qualys ssl test.
WebHelpDesk version 12.3 has a hotfix 1 and it includes instructions for changing the ciphers.
Obviously all users will experience the problem. Because there are various version of WHD in production I would have expect that Solarwinds will provide a clear list of instructions of what needs to be done to sort this issue out.
I will open a support ticket for this issue too and maybe everybody should do the same. Hopefully this would trigger Solarwinds to put up solution instructions for their WHD customers.
There was a KB already written for disabling SSLv3 and enabling TLS on the link below:
From that KB, you only need to do the following:
- Download and install Java 7, as described in:
- Stop Web Help Desk.
- Add a path to the newly installed Java Runtime Environment (JRE) to the line starting with JAVA_HOME in the Web Help Desk configuration file, whd.conf:
- For JRE installed into the /opt/jre7 folder, the path should contain:JAVA_HOME=/opt/jre7
- For JRE installed into the C:\Program Files\Java\jre7 folder, the path should contain: JAVA_HOME= C:\Progra~1\Java\jre7
- Add the Unlimited Cryptography libraries for Java 7, fromhttp://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
- Unzip and copy the files below to /lib/security:
- Restart Web Help Desk.
Is installing Java 7 manually still necessary if you are running 12.2 as this version and newer run on Java 7_45 already.
Java 6 and below due to support of SSLv3 and no complete support for TLS 1.1 and TLS 1.2
We are currently using WHD 11.0.4. Unfortunately your solutions don't appear to be working for us. Do you have any other suggestions?
Also, yes I realize we may need to update soon.
Unfortunately, I don't think there is a way to fix it in WHD 11.0.4. You may at least upgrade to 12.1. Although I have not tried running WHD 11.0.4 in JRE7 but I am a bit sure that it will not run due to the Tomcat version included.
uwsguy01 can you please try the following? I have tested this one out on WHD 11.2.1 so this might work:
This solves the issue with older version of WebHelpDesk (WHD 11.2.1, WHD 12.0.1, WHD 12.1.0):
1. stop WHD services.
2. download Java SE Runtime Environment 7u45 (jre-7u45-windows-x64.exe) in the archives of Oracle:
3. install the Java 7 and change the install directory to "C:\Program Files\Java\jre745" (make a new folder).
4. download the Java Cryptography Extension (JCE) in the following location:
5. extract the JCE and copy the following files:
6. place the JCE files in the Java install directory:
7. download Tomcat 7.0.63 in the following link:
8. extract the Tomcat files, copy everything and replace the WHD Tomcat files in the following location:
9. edit the tomcat_server_template.xml with a text editor and look for the line:
10. replace the next line with the following:
<Connector port="@@@WEBHELPDESK_SSL_PORT@@@" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" sslProtocol="TLS"
11. edit the C:\Program Files\WebHelpDesk\conf\whd.conf file and change the JAVA_HOME with the following:
12. start WHD services.
Hope this helps.
Thank you for your reply.
I've tried the changes that you have suggested and after starting WHD services back up I was unable to connect to the wedsite.
I then stopped the services and restored the files in C:\Program Files\WebHelpDesk\bin\tomcat\ . Now the website works again. All the other changes that you have suggested are still being applied, but I'm still using my old "tomcat" folder/files. The tomcat files that extracted from http://mirror.nus.edu.sg/apache/tomcat/tomcat-7/v7.0.63/bin/apache-tomcat-7.0.63-windows-x64.zip seem to be the issue.
Am I missing a step?
Thanks for your help!
Can you have it upgraded to atleast 11.2.1 because haven't tested this fix yet on 11.0.4?:
Below are the download links based on the bit version (Windows) for WHD 11.2.1:
If upgrading it is not possible, try downloading a lower version of Tomcat, perhaps 7.0.50.
Thanks again for your reply.
We were unable to update to 11.2.1 as our licenses have expired. (We are considering our options for ticketing systems).
I've tried downloading Tomcat 7.0.50, but we still have the issue. It seems any version except the version of tomcat we have breaks the site somehow. With this version of tomcat however I am sent to the helpdesk re-direct page and then I'm re-directed to the "secure connection failed" error.
Thanks for your help.
This is a great and working solution for WHD 11.2.1 indeed! Here, you hit 2 good upgrades, the Java 7 with full TLS support and Tomcat 7.0.63.
remove the following:
from the list of ciphers if you get the following rate from SSLLabs scan result:
This server uses RC4 with modern browsers. Grade capped to C.