Tuesday 15 December 2015

Diffie-Hellman SSL Business Intelligence Launchpad Issue

If you are having trouble connecting to your Business Intelligence Launchpad through Firefox or Google Chrome and are hitting the Diffie-Hellman weak ephemeral key message, you will know how confusing and frustrating it is. The obvious workaround is to use Internet Explorer, as that browser does not currently check for the weak cipher keys that make the Logjam attack possible.

Some of you will be stuck using a particular browser due to IT policies, so this could be for you.
To allow Firefox and Chrome to connect once again, a few changes need to be made to the Tomcat/conf/server.xml file. These let you specify which ciphers Tomcat uses when browsers try to connect.

In the connector element for SSL (normally port 443), add the following ciphers attribute:

ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"

I added it just before the password section, but I believe you can put it anywhere in the corresponding connector section of the server.xml file.

Assuming everything is in the right place, you can go ahead and restart Tomcat. When it's back up, you will be able to log in using Firefox and Google Chrome.
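To check the edit before restarting, the script below parses a server.xml and reports, for each SSL connector, whether a ciphers attribute is set and whether any finite-field DHE suites (TLS_DHE_*, the kind the browser's weak ephemeral key message is about) are still listed. It is an added example, not part of the original post: the function names and the sample server.xml (ports, keystore path) are constructed for illustration, and only the cipher list is taken from above.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: a plain HTTP connector, an SSL connector with
# no ciphers attribute, and one using the cipher list from this post.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="conf/placeholder.keystore"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
               keystoreFile="conf/placeholder.keystore"/>
  </Service>
</Server>"""


def is_dhe(suite):
    """True for finite-field ephemeral DH suites (TLS_DHE_*, SSL_DHE_*), not ECDHE."""
    return suite.startswith(("TLS_DHE_", "SSL_DHE_"))


def audit_connectors(xml_text):
    """Return one finding dict per SSL-enabled <Connector> in a server.xml."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        ssl_on = conn.get("SSLEnabled", "").lower() == "true"
        if not ssl_on and conn.get("scheme", "").lower() != "https":
            continue  # plain HTTP/AJP connector, nothing to check
        raw = conn.get("ciphers")
        suites = [s.strip() for s in raw.split(",") if s.strip()] if raw else []
        findings.append({
            "port": conn.get("port"),
            "ciphers_set": raw is not None,  # False: the JVM's default suites apply
            "dhe_suites": [s for s in suites if is_dhe(s)],
            # Static RSA key exchange works but gives no forward secrecy.
            "static_rsa": [s for s in suites if s.startswith("TLS_RSA_")],
        })
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        ok = f["ciphers_set"] and not f["dhe_suites"]
        print(f["port"], "OK" if ok else "REVIEW", f)
```

To run it against a real installation, pass the contents of Tomcat/conf/server.xml to audit_connectors instead of the sample string.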


There are other methods which involve downloading the Java Unlimited Strength files, but these need a little bit of extra configuration and we personally could not get them working. If you can get them working, they will allow you to use 256-bit encryption and not restrict you to RSA.

Written by Luke Johnson, BI Support Technician, DSCallards