WARNING: Disabling TLS 1.0 may cause functionality issues with older browsers and Endpoint Protection (if you use HTTPS to serve the updates). Test this ahead of time before deploying to production.
Overview:
LiveUpdate Administrator 2.3.7.51 ships a Tomcat configuration that still allows TLS 1.0, which may violate your company's policies. This article shows how to disable TLS 1.0 on the LiveUpdate Administrator HTTPS connector.
Solution:
1. Stop the LiveUpdate Administrator Tomcat service.
2. Find the server.xml file located in <install directory>\Tomcat\conf
3. BACK UP YOUR SERVER.XML
4. Open the server.xml in a text editor (notepad or notepad++ work great)
5. Find the section below and review the "protocols" attribute of the SSLHostConfig element, which lists the TLS versions the connector accepts:
<Connector port="7073" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
           enableLookups="false" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"
           SSLEnabled="true" scheme="https" secure="true" redirectPort="7073"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
    <SSLHostConfig
        honorCipherOrder="true"
        certificateVerification="none"
        protocols="TLSv1+TLSv1.1+TLSv1.2"
        ciphers="TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
                 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                 TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA">
        <Certificate certificateKeystoreFile="../server-cert.ssl"
                     certificateKeystorePassword="${ks.password}"/>
    </SSLHostConfig>
</Connector>
6. Edit the "protocols" section to line up with your requirements and save the changes. Examples below:
Allow TLS 1.1 and 1.2: protocols="TLSv1.1+TLSv1.2"
Allow TLS 1.2 only: protocols="TLSv1.2"
7. Start the Tomcat service and validate that it stays in the running state. If the service starts and then stops, check the Catalina log located in <install directory>\Tomcat\logs . If Tomcat does not start, the cause is most likely a syntax error in server.xml. An example is below (in this case a bracket had been accidentally deleted):
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
8. To force HTTPS login to your console, click "convert to HTTPS" in the top right of the administrator console after logging in. Read the warning: doing this will stop any downloads and distributions currently occurring.
Now if a user attempts to log in to http://yourserver:7070/lua/login , the request is redirected to the HTTPS variant https://yourserver:7073/lua/login and TLS 1.0 is no longer negotiated.
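Steps 2 through 7 above are a hand edit of server.xml with a backup first and a restart check afterwards. The script below is an added example (not part of this article or the LiveUpdate Administrator product) that performs the same change in a repeatable way: it backs up the file, rewrites only the "protocols" attribute of the SSLHostConfig element, and refuses to write the result unless it is still well-formed XML, which catches the deleted-bracket mistake from step 7 before Tomcat is restarted. The sample server.xml embedded in the script is constructed to resemble the fragment quoted above; the Server/Service wrapper elements, the helper names and the ".bak" backup suffix are assumptions of this example.

```python
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample modelled on the connector fragment in the article. The Server and
# Service wrapper elements are assumed; this is not the product's real server.xml.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="7072" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="7073" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
               enableLookups="false" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"
               SSLEnabled="true" scheme="https" secure="true" redirectPort="7073"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
      <SSLHostConfig
          honorCipherOrder="true"
          certificateVerification="none"
          protocols="TLSv1+TLSv1.1+TLSv1.2"
          ciphers="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256">
        <Certificate certificateKeystoreFile="../server-cert.ssl"
                     certificateKeystorePassword="${ks.password}"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Protocol versions the policy wants removed from the connector.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# Matches the protocols="..." attribute inside the first SSLHostConfig start tag only.
_PROTOCOLS_ATTR = re.compile(r'(<SSLHostConfig\b[^>]*?\bprotocols=")[^"]*(")')


def is_well_formed(xml_text):
    """Step 7's failure mode: a stray or missing bracket stops Tomcat. Catch it before restarting."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def https_protocols(xml_text, port="7073"):
    """Return the list of TLS versions the SSL-enabled connector on `port` accepts."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("port") == port and conn.get("SSLEnabled") == "true":
            host = conn.find("SSLHostConfig")
            if host is not None and host.get("protocols"):
                return host.get("protocols").split("+")
    return []


def legacy_protocols(xml_text, port="7073"):
    """Sorted list of policy-violating versions still enabled on the connector (empty when clean)."""
    return sorted(LEGACY_PROTOCOLS & set(https_protocols(xml_text, port)))


def set_protocols(xml_text, allowed):
    """Rewrite only the protocols attribute, keeping the rest of the file byte-for-byte intact."""
    value = "+".join(allowed)
    new_text, count = _PROTOCOLS_ATTR.subn(lambda m: m.group(1) + value + m.group(2), xml_text, count=1)
    if count == 0:
        raise ValueError("no SSLHostConfig protocols attribute found in server.xml")
    if not is_well_formed(new_text):
        raise ValueError("edited server.xml is not well-formed; refusing to write it")
    return new_text


def harden_server_xml(path, allowed=("TLSv1.2",)):
    """Back up server.xml (step 3), apply the edit (step 6) and return the backup path."""
    path = Path(path)
    backup = path.with_suffix(path.suffix + ".bak")  # assumed backup naming
    shutil.copy2(path, backup)
    path.write_text(set_protocols(path.read_text(encoding="utf-8"), allowed), encoding="utf-8")
    return backup


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "server.xml"
        cfg.write_text(SAMPLE_SERVER_XML, encoding="utf-8")
        print("before:", legacy_protocols(cfg.read_text(encoding="utf-8")))
        print("backup:", harden_server_xml(cfg, ["TLSv1.2"]))
        print("after: ", https_protocols(cfg.read_text(encoding="utf-8")))
```

Run it against a copy of <install directory>\Tomcat\conf\server.xml with the Tomcat service stopped, then start the service as in step 7. Editing the attribute as text rather than re-serialising the parsed tree keeps the comments and layout of the vendor's file intact, so a later diff against the backup shows only the one-line change.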
Notes:
Since the default certificate is self-signed, users will receive a browser warning. Either the certificate needs to be added to the users' trusted certificates, or a CA-issued certificate will need to be installed, which is beyond the scope of this write-up.