This document describes how to configure the cipherlist tags to address the detection of weak ciphers during vulnerability scans on Windows and non-Windows platforms.
Embedded Entitlements Manager 12.51 CR05 and Above.
Because vulnerability scans are detecting weak ciphers on the servers, this document will assist in creating a cipherlist that addresses the weak ciphers that are detected.
For a list of ciphers that you can use with the EEM product, refer to the following OpenSSL page:
https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
Below is a sample cipherlist that can be used.
You can add to the cipherlist below from the ciphers listed on the OpenSSL page, as your business needs require.
kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH
Here are the instructions for adding the cipherlist for EEM 12.51 CR05 and above:
To protect port 5250 (which is iGateway):
- Edit the following file:
$IGW_LOC/igateway.conf or %IGW_LOC%\igateway.conf
- Enter the ciphers in the cipherlist tag, as in the example:
<cipherlist>kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH</cipherlist>
- Save the changes and restart the igateway service
Example:
<Connector name="defaultport">
    <port>5250</port>
    <mustlisten>true</mustlisten>
    <conntype/>
    <conntimeout>120</conntimeout>
    <peektimeout>30</peektimeout>
    <maxconnections>1000</maxconnections>
    <maxrequestbytes>10000000</maxrequestbytes>
    <maxpiperequests>10</maxpiperequests>
    <maxAcceptRate/>
    <certType/>
    <certURI/>
    <certPW/>
    <keyURI/>
    <keyPW/>
    <!--<secureProtocol/> -->
    <secureProtocol>TLSV1_2</secureProtocol>
    <cipherlist>kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH</cipherlist>
</Connector>
To protect port 509 (which is CA Directory):
- Edit the following file:
$DXHOME/config/ssld/itechpoz.dxc or %DXHOME%\config\ssld\itechpoz.dxc
- Enter the ciphers in the cipher setting, above the 'protocol' line:
cipher = "kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH"
- Save the changes and restart the CA Directory service
Example:
set ssl = {
    cert-dir = "config/ssld/personalities"
    ca-file = "config/ssld/itechpoz-trusted.pem"
    cipher = "kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH"
    protocol = tlsv12
};
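Before placing a cipher string into the iGateway cipherlist tag (port 5250) or the CA Directory cipher setting (port 509), it helps to see which suites the string actually selects and whether any of them would still be flagged by a scanner. The Python script below is an added example, not part of this article and not code from EEM, CA Directory or OpenSSL: a toy evaluator that applies the keyword rules from the openssl ciphers(1) manual page (ALL, kEDH, ADH, DES, 3DES, LOW, EXPORT40, RC4, the !, - and + operators and @STRENGTH) to a small constructed catalog of suite names. The catalog, its preference order, the KEYWORDS table and the weak_suites() criteria are assumptions made for the example; the authoritative expansion is `openssl ciphers -v '<string>'` run against the OpenSSL build that iGateway or CA Directory actually loads.

```python
"""Toy evaluator for OpenSSL-style cipher strings (example code, not EEM/OpenSSL code)."""
from dataclasses import dataclass

SAMPLE = "kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH"  # from the article


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str       # key exchange: RSA, DH (ephemeral), ECDH
    au: str       # authentication: RSA, ECDSA or "None" (anonymous)
    enc: str      # bulk cipher
    bits: int     # effective key bits
    export: bool = False


# Constructed, abbreviated catalog in an assumed preference order (not the real OpenSSL table).
CATALOG = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDH", "RSA", "AESGCM", 256),
    Suite("DHE-RSA-AES256-GCM-SHA384", "DH", "RSA", "AESGCM", 256),
    Suite("ECDHE-RSA-AES128-GCM-SHA256", "ECDH", "RSA", "AESGCM", 128),
    Suite("DHE-RSA-AES128-SHA", "DH", "RSA", "AES", 128),
    Suite("AES256-SHA", "RSA", "RSA", "AES", 256),
    Suite("AES128-SHA", "RSA", "RSA", "AES", 128),
    Suite("DHE-RSA-DES-CBC3-SHA", "DH", "RSA", "3DES", 112),
    Suite("DES-CBC3-SHA", "RSA", "RSA", "3DES", 112),
    Suite("RC4-SHA", "RSA", "RSA", "RC4", 128),
    Suite("ADH-AES128-SHA", "DH", "None", "AES", 128),
    Suite("DES-CBC-SHA", "RSA", "RSA", "DES", 56),
    Suite("EXP-RC4-MD5", "RSA", "RSA", "RC4", 40, export=True),
]

# Keyword predicates, following the descriptions in ciphers(1) (assumed subset).
KEYWORDS = {
    "ALL": lambda s: s.enc != "NULL",
    "kEDH": lambda s: s.kx == "DH",
    "kDHE": lambda s: s.kx == "DH",
    "ADH": lambda s: s.kx == "DH" and s.au == "None",
    "DES": lambda s: s.enc == "DES",
    "3DES": lambda s: s.enc == "3DES",
    "RC4": lambda s: s.enc == "RC4",
    "AES": lambda s: s.enc.startswith("AES"),
    "LOW": lambda s: s.bits in (56, 64) and not s.export,
    "EXPORT": lambda s: s.export,
    "EXPORT40": lambda s: s.export and s.bits == 40,
    "HIGH": lambda s: s.bits >= 128,
}


def expand(cipher_string, catalog=CATALOG):
    """Return the suite names a cipher string selects, in the resulting order."""
    selected = []
    killed = set()          # suites removed with '!' can never be re-added
    for word in cipher_string.split(":"):
        if not word:
            continue
        if word == "@STRENGTH":     # stable sort, strongest first
            selected.sort(key=lambda s: s.bits, reverse=True)
            continue
        op, key = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        pred = KEYWORDS.get(key)
        if pred is None:
            continue        # unknown word (e.g. SSLv2 on a build without it) is ignored
        matches = [s for s in catalog if pred(s)]
        if op == "!":       # permanent removal
            killed.update(matches)
            selected = [s for s in selected if s not in killed]
        elif op == "-":     # removal, may be re-added later
            selected = [s for s in selected if s not in matches]
        elif op == "+":     # move matching suites to the end of the list
            moved = [s for s in selected if s in matches]
            selected = [s for s in selected if s not in matches] + moved
        else:               # add suites not yet present and not killed
            for s in matches:
                if s not in selected and s not in killed:
                    selected.append(s)
    return [s.name for s in selected]


def weak_suites(cipher_string, catalog=CATALOG):
    """Selected suites a scanner would typically flag: DES/3DES/RC4/NULL, anonymous or export."""
    by_name = {s.name: s for s in catalog}
    return [n for n in expand(cipher_string, catalog)
            if by_name[n].enc in ("DES", "3DES", "RC4", "NULL")
            or by_name[n].au == "None" or by_name[n].export]


if __name__ == "__main__":
    print("ALL selects weak suites:", weak_suites("ALL"))
    print("Sample list selects:", expand(SAMPLE))
    print("Sample list weak suites:", weak_suites(SAMPLE))
```

Run as-is, the script shows that "ALL" on its own keeps the 3DES, RC4, single DES, anonymous DH and export suites that scanners report, while the article's sample string leaves only the DHE, ECDHE and RSA AES suites, sorted strongest first by @STRENGTH. The same string goes into both the iGateway cipherlist tag and the CA Directory cipher setting, so one check covers both; confirm it on the real server with `openssl ciphers -v` before restarting the services.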