Updating Tomcat


Victor Congionti

Jan 11, 2015, 1:58:56 PM
to openesig...@googlegroups.com
Hello - I've noticed I was several versions back on my Apache Tomcat and I would like to know the easiest way to upgrade without impacting the installation of OpenEsign forms? Thanks in advance!

Victor Congionti

Jan 11, 2015, 2:00:40 PM
to openesig...@googlegroups.com
At the same time I would also like to update Java as well. What's the maximum version of these products that esign forms supports?

Open eSignForms

Jan 11, 2015, 6:31:39 PM
to openesig...@googlegroups.com
The latest version of everything supported is listed here:

In general, we've rarely found an issue with our technology based on an upgrade of Java, Tomcat, Linux or PostgreSQL.  Of course, sometimes there are changes to the settings in those applications, but generally not because it's needed by OpenESF itself.

Victor Congionti

Jan 11, 2015, 9:59:47 PM
to openesig...@googlegroups.com
Thank you for your prompt reply. How would one go about upgrading Tomcat to the latest version on the server? Do I simply uninstall the old one and install version 8.0? I'm worried that it's tied to certain configs in openEsf. 

I see that 7.0 doesn't support some of the more secure cipher suites. 

Open eSignForms

Jan 12, 2015, 5:55:57 PM
to openesig...@googlegroups.com
On Sunday, January 11, 2015 at 6:59:47 PM UTC-8, Victor Congionti wrote:
> Thank you for your prompt reply. How would one go about upgrading Tomcat to the latest version on the server? Do I simply uninstall the old one and install version 8.0? I'm worried that it's tied to certain configs in openEsf.
>
> I see that 7.0 doesn't support some of the more secure cipher suites.

In general, we would install the next version in parallel.  Get the new one set up, and then update the 'profile' script that points to the current version.  That will make it easier to fall back if you need to.  Once the new setup is running satisfactorily for some time, we then would remove the previous version.  When doing major version changes, we typically change our softlinks from ~/tomcat/tomcat7.0 to ~/tomcat/tomcat8.0 and have it point to the actual version installed.  This way, if upgrading a point release, you can just install and change the softlink without needing to make any changes to the profile scripts, etc.

Cipher suites should be controlled by Java, not Tomcat, as Tomcat just uses Java SSL.  You can see our installation instructions for details on how we set them up.

What secure cipher suites are you looking to add?  We periodically check our SSL to ensure we don't have any weak ones enabled (hence the cipher list we use now, but we didn't upgrade that list since upgrading to Java 8, and perhaps we ought to).
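
The parallel-install-and-softlink approach described in the reply above, as an added example that is not part of the original thread or the project's own scripts. The per-release directory layout and the `LINK.previous` record file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: each Tomcat release is
# unpacked in its own directory and a stable softlink such as ~/tomcat/tomcat8.0
# points at the one in use, so profile scripts never name a point release.

# switch_tomcat LINK NEW_DIR: repoint LINK at NEW_DIR, remembering the old target.
switch_tomcat() {
    link=$1
    # Resolve to an absolute path so the link works from any directory.
    new=$(cd "$2" 2>/dev/null && pwd) || { echo "no such directory: $2" >&2; return 1; }
    # Refuse anything that does not look like an unpacked Tomcat.
    [ -x "$new/bin/catalina.sh" ] || { echo "not a Tomcat install: $new" >&2; return 1; }
    # Never replace a real directory, only a softlink.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "$link exists and is not a softlink" >&2; return 1
    fi
    # Record the current target (hypothetical LINK.previous file) for fallback.
    if [ -L "$link" ]; then
        readlink "$link" > "$link.previous"
    fi
    # -n stops ln from descending into the directory the old link points at.
    ln -sfn "$new" "$link"
}

# rollback_tomcat LINK: point LINK back at the target recorded by the last switch.
rollback_tomcat() {
    link=$1
    [ -s "$link.previous" ] || { echo "no previous target recorded for $link" >&2; return 1; }
    prev=$(cat "$link.previous")
    switch_tomcat "$link" "$prev"
}

# Command-line use: script switch LINK NEW_DIR | script rollback LINK
case ${1:-} in
    switch)   switch_tomcat "$2" "$3" ;;
    rollback) rollback_tomcat "$2" ;;
esac
```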

Open eSignForms

Jan 16, 2015, 6:22:01 PM
to openesig...@googlegroups.com
A quick review of the ciphers in Java 8 with just the default crypto (you'll always want the high strength crypto added for OpenESF and for TLS):


indicates that the only new ones that are secure (via TLS 1.2) are probably AES+GCM:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384     X
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256     X
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     X
TLS_RSA_WITH_AES_256_GCM_SHA384     X
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384     X
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     X
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384     X
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384     X
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     X
TLS_RSA_WITH_AES_128_GCM_SHA256     X
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256     X
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     X
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     X
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256     X
