ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Penetration test complains about weak cipher
Article ID: 130428
CA Application Performance Management Agent (APM / Wily / Introscope)INTROSCOPE
Our security team ran a penetration test against our Wily install and the result says that Wily supports SSL Medium Strength Cipher Suites.
Description The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite. Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network. Solution Reconfigure the affected application if possible to avoid use of medium strength ciphers.
The finding applies to the following two processes - which are the Enterprise Manager and the WebView processes:
The following ciphersuites shows up in security report. DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA
How to disable above ciphersuites within Enterprise Manager and WebView?
Release: Component: APMISP
We have tried following setting jdk.tls.disabledAlgorithms in file <EM-WV-Home>/jre/lib/security/java.security on 10.3.0.19: dk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA and it did not work. We tried following setting: jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DES, DESede Compared to original values in file: jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768 We only added: DES, DESede And it helped to remove all ciphers with 3DES (also named DES-EDE or DES-CBC3 in various contexts). We tested that this setting is correctly applied with cipherscan that reports all ciphers suites that are available for connecting: https://github.com/mozilla/cipherscan We suggest to test with following. jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, DES, DESede