Configuring a cipherlist to be used in EEM.

Article ID: 143504


Products

SUPPORT AUTOMATION - SERVER
CA Service Desk Manager - Unified Self Service
CA Service Desk Manager
CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager
CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
Workload Automation Agent
CA Process Automation Base

Issue/Introduction

This document describes how to configure the cipherlist tags so that vulnerability scans no longer report weak ciphers on Windows and non-Windows platforms.

Environment

Embedded Entitlements Manager 12.51 CR05 and Above.

Cause

Vulnerability scans are detecting weak ciphers on the servers. This document explains how to create a cipherlist that excludes the weak ciphers that are detected.

Resolution

For a list of the ciphers you can use with the EEM product, refer to the OpenSSL ciphers(1) page:
https://www.openssl.org/docs/man1.1.1/man1/ciphers.html

Below is a sample cipherlist that can be used.
You can add to this cipherlist from the ciphers listed on the OpenSSL site as your business needs require.
kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH
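Before pasting a cipherlist into igateway.conf or itechpoz.dxc it is worth checking what the string actually expands to. The following evaluator is an added example, not CA or Broadcom code, that applies the OpenSSL cipher-string directives (plain word = add, "!" = delete permanently, "-" = delete but allow re-adding, "+" = move to the end, "@STRENGTH" = sort by key length) to a small constructed suite table; the table and the keyword sets in it are assumptions for illustration, and the keyword meanings follow the OpenSSL ciphers(1) page. The authoritative check is `openssl ciphers -v '<string>'`, which openssl_expand() calls when an openssl binary is on the PATH. Run on the page's sample string, the evaluator shows that the "!" directives strip ADH, DES, 3DES, RC4 and export suites, that "+SSLv2" moves nothing because no suite carries that keyword, and that "@STRENGTH" leaves the 256-bit suite first.

```python
"""Toy evaluator for OpenSSL-style cipher strings (added example, not EEM code)."""
import shutil
import subprocess

# Constructed sample table (NOT a dump of any real OpenSSL build):
# suite name -> (key bits, keywords the suite matches). Keyword names follow
# OpenSSL ciphers(1): kEDH/kDHE = ephemeral DH key exchange, aNULL/ADH = no
# authentication, eNULL = no encryption, EXPORT40 = 40-bit export grade, etc.
SUITES = {
    "DHE-RSA-AES256-GCM-SHA384":   (256, {"kEDH", "kDHE", "aRSA", "AES256", "AESGCM", "HIGH", "TLSv1.2"}),
    "ECDHE-RSA-AES128-GCM-SHA256": (128, {"kECDHE", "aRSA", "AES128", "AESGCM", "HIGH", "TLSv1.2"}),
    "AES128-SHA":                  (128, {"kRSA", "aRSA", "AES128", "SHA1", "HIGH", "SSLv3"}),
    "ADH-AES128-SHA":              (128, {"kEDH", "kDHE", "aNULL", "ADH", "AES128", "SHA1", "HIGH", "SSLv3"}),
    "DES-CBC3-SHA":                (112, {"kRSA", "aRSA", "3DES", "SHA1", "MEDIUM", "SSLv3"}),
    "RC4-SHA":                     (128, {"kRSA", "aRSA", "RC4", "SHA1", "MEDIUM", "SSLv3"}),
    "DES-CBC-SHA":                 (56,  {"kRSA", "aRSA", "DES", "SHA1", "LOW", "SSLv3"}),
    "EXP-RC4-MD5":                 (40,  {"kRSA", "aRSA", "RC4", "MD5", "EXPORT", "EXPORT40", "SSLv3"}),
    "NULL-SHA":                    (0,   {"kRSA", "aRSA", "eNULL", "SHA1", "SSLv3"}),
}

# The cipherlist from the article.
PAGE_CIPHERLIST = "kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH"

# Keywords a vulnerability scanner would flag; used only for the final sanity check.
WEAK_KEYWORDS = {"eNULL", "aNULL", "ADH", "DES", "3DES", "RC4", "EXPORT", "LOW", "MD5"}


def _matches(name, word):
    """A word such as 'kEDH+aRSA' matches a suite only if every '+'-joined keyword matches."""
    _bits, keywords = SUITES[name]
    for kw in word.split("+"):
        if kw == "ALL":                      # everything except the eNULL suites
            if "eNULL" in keywords:
                return False
        elif kw == "COMPLEMENTOFALL":        # exactly the eNULL suites
            if "eNULL" not in keywords:
                return False
        elif kw not in keywords:
            return False
    return True


def expand(cipher_string):
    """Apply each ':'-separated directive in order; return the resulting ordered suite list."""
    current = []
    killed = set()                           # suites removed with '!' can never come back
    for word in cipher_string.split(":"):
        if not word:
            continue
        if word == "@STRENGTH":              # stable sort by key bits, strongest first
            current.sort(key=lambda n: SUITES[n][0], reverse=True)
            continue
        if word.startswith("@"):             # e.g. @SECLEVEL=n: not modelled in this toy
            continue
        op, word = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        hits = {n for n in SUITES if _matches(n, word)}
        if op == "!":                        # delete permanently
            killed |= hits
            current = [n for n in current if n not in hits]
        elif op == "-":                      # delete, but a later word may re-add
            current = [n for n in current if n not in hits]
        elif op == "+":                      # move matching suites to the end, relative order kept
            moved = [n for n in current if n in hits]
            current = [n for n in current if n not in hits] + moved
        else:                                # add matching suites not yet present and not killed
            for n in SUITES:                 # table order, as OpenSSL uses its internal order
                if n in hits and n not in current and n not in killed:
                    current.append(n)
    return current


def weak_suites(suite_names):
    """Return the suites in the list that carry any scanner-flagged keyword."""
    return [n for n in suite_names if SUITES[n][1] & WEAK_KEYWORDS]


def openssl_expand(cipher_string):
    """Ask the installed OpenSSL to expand the string; returns None if openssl is unavailable."""
    if shutil.which("openssl") is None:
        return None
    result = subprocess.run(["openssl", "ciphers", cipher_string], capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return result.stdout.strip().split(":")


if __name__ == "__main__":
    survivors = expand(PAGE_CIPHERLIST)
    print("toy expansion :", survivors)
    print("weak suites   :", weak_suites(survivors))
    real = openssl_expand(PAGE_CIPHERLIST)
    print("openssl says  :", real if real is not None else "openssl binary not found")
```

The toy table is deliberately small; against a real OpenSSL the same string expands to a much longer list, so the `openssl ciphers -v` output is what to compare with the scanner's findings after the service restart.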

Here are the instructions for adding the cipherlist for EEM 12.51 CR05 and above:

To protect port 5250 (iGateway):
- Edit the following file:
$IGW_LOC/igateway.conf or %IGW_LOC%\igateway.conf
- Enter the ciphers in the cipherlist tag, as in the example:
<cipherlist>kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH</cipherlist>
- Save the changes and restart the igateway service

Example:
        <Connector name="defaultport">
            <port>5250</port>
            <mustlisten>true</mustlisten>
            <conntype/>
            <conntimeout>120</conntimeout>
            <peektimeout>30</peektimeout>
            <maxconnections>1000</maxconnections>
            <maxrequestbytes>10000000</maxrequestbytes>
            <maxpiperequests>10</maxpiperequests>
            <maxAcceptRate/>
            <certType/>
            <certURI/>
            <certPW/>
            <keyURI/>
            <keyPW/>
            <!--<secureProtocol/> -->
            <secureProtocol>TLSV1_2</secureProtocol>
            <cipherlist>kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH</cipherlist> 
        </Connector>
To protect port 509 (CA Directory):
- Edit the following file:
$DXHOME/config/ssld/itechpoz.dxc or %DXHOME%\config\ssld\itechpoz.dxc
- Enter the ciphers in the cipher setting, above the 'protocol' line:
cipher = "kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH"
- Save the changes and restart the CA Directory service

Example:
set ssl = {
cert-dir = "config/ssld/personalities"
ca-file = "config/ssld/itechpoz-trusted.pem"
cipher = "kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH"
protocol = tlsv12
};