- Product: Apache for Ex Libris products
- Product Version: N/A
- Relevant for Installation Type: Local
To align with industry best practice and maintain high security standards, Ex Libris has developed best-practice configurations for enabling and maintaining the Apache TLS setup.
For all hosted environments, this is handled by the Ex Libris cloud team, and customers do not need to make any modifications for any Ex Libris product.
For non-hosted environments, Ex Libris highly recommends that all customers running secure connections via TLS disable old TLS protocols and ciphers. The guide below explains how to do this on Ex Libris Apache-based applications.
Note: If your institution uses a load balancer or proxy that proxies all traffic to internal services, these changes should be carried out at the load balancer level. Have your IT contact the load balancer vendor for detailed instructions on how to perform this change.
- It is highly recommended to test this configuration on a sandbox environment before applying to the production environment.
- Make sure to back up any file that is being modified in case there is a need to revert.
These changes are based on the Mozilla SSL configuration recommendation.
The configuration below should be added to the relevant ssl.conf file that is running on your Ex Libris application. If you are uncertain of the location of this file, please open a support ticket requesting assistance.
Add the enclosed section between ####Start of security configuration#### and ####End of security configuration####. Make sure to add it beneath the VirtualHost block.
Make sure to comment out any previous settings in the ssl.conf that utilize the same directives as the ones in the enclosed section.
# Uncomment the following directive when using client certificate authentication
####Start of security configuration####
# modern configuration, tweak to your needs
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
####End of security configuration####
The above changes require an Apache restart.
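To check the edited file before restarting Apache, the following added example (not Ex Libris code) lists active directives outside the security block that the block also sets, and reports which of SSLv3, TLSv1 and TLSv1.1 an SSLProtocol argument list leaves enabled. The sample file is constructed, the function names are hypothetical, and the handling of "all" and of bare protocol tokens is a simplified model of how mod_ssl reads the directive.

```python
START = "####Start of security configuration####"
END = "####End of security configuration####"
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # protocols the article disables

# Constructed sample file (not a real Ex Libris ssl.conf).
SAMPLE = """\
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv2
</VirtualHost>
####Start of security configuration####
# modern configuration, tweak to your needs
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
####End of security configuration####
"""

def active_directives(text):
    """Yield (line_no, inside_block, name, args) for uncommented directives."""
    inside = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line in (START, END):
            inside = line == START
        elif line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield no, inside, name, args

def conflicts(text):
    """Active directives outside the block that the block also sets."""
    rows = list(active_directives(text))
    managed = {name.lower() for _, inside, name, _ in rows if inside}
    return [(no, name) for no, inside, name, _ in rows
            if not inside and name.lower() in managed]

def legacy_enabled(args):
    """Legacy protocols left enabled by an SSLProtocol argument list."""
    enabled = set()
    for tok in args:
        sign = tok[0] if tok[0] in "+-" else ""
        proto = tok[len(sign):].lower()
        # Assumption: "all" is treated as including every legacy protocol.
        group = {p for p in LEGACY if proto in ("all", p.lower())}
        if sign == "-":
            enabled -= group
        else:  # "+" adds; a bare token replaces what was set before it
            enabled = enabled | group if sign else group
    return sorted(enabled)

if __name__ == "__main__":
    print("comment out:", conflicts(SAMPLE))
```

Any line number returned by conflicts() is a previous setting to comment out, and an empty list from legacy_enabled() means the line leaves none of the three old protocols on.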
- Article last edited: 28-Mar-2019