Disabling Cipher suites in CA API Developer Portal 4.2.x
Article ID: 130784
Updated On:
Products
CA API Developer Portal
CA API Gateway
Issue/Introduction
How can we see and adjust what cipher suites are available with CA API Developer Portal 4.2.x ?
Environment
Release: APIXSN99000-4.3-API Developer Portal-Enhanced Experience-non-production
Component:
Component:
Resolution
Please have a look at
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-developer-portal/4-2/install-configure-and-upgrade/create-and-sign-certificates-for-production.html
If you run our 'update-dispatcher.sh' util script to use the CA signed certificate as described on the mentioned page, then it's automatically overwriting cipher suites to the following cipher suites for the dispatcher service of the external(newly provisioned) tenant:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
If you want to restrict this to other cipher suites, you would need to adjust that script accordingly and rerun the script.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-developer-portal/4-2/install-configure-and-upgrade/create-and-sign-certificates-for-production.html
If you run our 'update-dispatcher.sh' util script to use the CA signed certificate as described on the mentioned page, then it's automatically overwriting cipher suites to the following cipher suites for the dispatcher service of the external(newly provisioned) tenant:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
If you want to restrict this to other cipher suites, you would need to adjust that script accordingly and rerun the script.
Additional Information
The 'update-dispatcher.sh' util script is available in 4.2.5.1 and later.
Feedback
Powered by
