ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Advanced Authentication can enforce a specific list of strong ciphers for SSL connection

book

Article ID: 133285

calendar_today

Updated On:

Products

CA Advanced Authentication

Issue/Introduction

Previously,  via arcotcommon.ini one could not specify a granular combination of Protocol/Cipher Suites  to use for SSL connection. In the "ssl/config" section of file arcotcomm.ini  one could only specify  high level SSL protocols like such:

[ssl/config]

sslContextAlgorithm=TLS

 

Now, via arcotcommon.ini one can specify a granular combination of Protocol/Cipher Suites to use for SSL connection.  Refer to the configuration below:

--- Risk Auth Server

  RiskAuthSupportedProtocols - List of supported protocols(tlsv1,tlsv1.1,tlsv1.2 - lowercase only) for RiskAuth Server

  RiskAuthCipherSuites - List of supported cipher suites with names as mentioned in document ( https://www.openssl.org/docs/man1.0.2/man1/ciphers.html ) for RiskAuth Server

  Ex:

  [ssl/config]

  RiskAuthSupportedProtocols=tlsv1.2

  RiskAuthCipherSuites=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256

  The above example makes RiskAuthentication server to communicate only on tlsv1.2 protocol with ECDHE-ECDSA-AES256-GCM-SHA384  and ECDHE-ECDSA-AES128-GCM-SHA256 CipherSuites.

  --- Strong Auth Server

  StrongAuthSupportedProtocols - List of supported protocols(tlsv1,tlsv1.1,tlsv1.2 - lowercase only) for StrongAuth Server

  StrongAuthCipherSuites - List of supported cipher suites with names as mentioned in document ( https://www.openssl.org/docs/man1.0.2/man1/ciphers.html ) for RiskAuth Server

  Ex:

  [ssl/config]

  StrongAuthSupportedProtocols=tlsv1.2

  StrongAuthCipherSuites=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256

Cause

Vulnerability scans would show that Advanced Authentication allowed SSL connections with the back end products using weak ciphers. 

Environment

Release: 9.x 


Component: CA Strong Authentication and CA Risk Authentication

Resolution

Via arcotcommon.ini one can configure to allow only strong Cipher-suites when client uses SSL connections to communicate with the back-end servers.  

Additional Information

A restart of the following components is required for the configuration discussed above to take effect. Please restart the following Advanced Authentication servers (Advanced Authentication is being used interchangeably with CA Strong/Risk Authentication. 

1. arcotuds. 

2. arcotadmin

3. arcotwebfort

4. arcotriskfort