How to change or disable TLS and Weak Ciphers and Protocols on Admin UI
search cancel

How to change or disable TLS and Weak Ciphers and Protocols on Admin UI


Article ID: 140393


Updated On:




By default older TLS versions are disabled in a standard Admin UI installation. Additional ciphers and TLS protocol versions can be disabled if needed.


SiteMinder Admin UI 12.8 and later.


Follow these steps to disable any of the default ciphers used by the Admin UI:

  1. Create a backup copy of the current standalone-full.xml located in <administrative_ui_installation_path>\standalone\configuration.
  2. Open the file and locate the https-listener enable-http2 tags. They will be similar to the following: 
    <https-listener enable-http2="true" enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA" enabled-protocols="TLSv1.1,TLSv1.2" name="https" no-request-timeout="120000" security-realm="SSLRealm" socket-binding="https"/>
  3. Delete the desired cipher included in the enabled-cipher-suites element.
  4. Save the changes.
  5. Restart the Admin UI.

Likewise to disable specific TLS versions, follow these steps:

  1. In the standalone-full.xml, remove the desired TLS version from the enabled-protocols element of the https-listener tag.
  2. Save the changes.
  3. Restart the Admin UI.

Rollback Steps:

Perform these steps if any issues are encountered after making the changes.

  1. Restore the backup copy of standalone-full.xml to the <administrative_ui_installation_path>\standalone\configuration directory.
  2. Restart the Admin UI.