Configuring a cipherlist to be used in EEM.

Article ID: 143504

Products

- SUPPORT AUTOMATION- SERVER
- CA Service Desk Manager - Unified Self Service
- KNOWLEDGE TOOLS
- CA Service Management - Asset Portfolio Management
- CA Service Management - Service Desk Manager
- CA Workload Automation AE - Business Agents (AutoSys)
- CA Workload Automation AE - Scheduler (AutoSys)
- CA Workload Automation Agent
- CA Process Automation Base

Issue/Introduction

This document describes how to configure the cipherlist tags to address weak ciphers detected during vulnerability scans on Windows and non-Windows platforms.

Cause

Vulnerability scans are detecting weak ciphers on the servers. This document will assist in creating a cipherlist to address the weak ciphers that are detected.

Environment

Embedded Entitlements Manager 12.51 CR05 and above.

Resolution

For a list of ciphers that you can use with the EEM product, please refer to the following OpenSSL site:
https://www.openssl.org/docs/man1.0.2/apps/ciphers.html

Below is a sample cipherlist that can be used. You can add to it from the ciphers listed on the OpenSSL site, as your business needs require.
kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH 

Here are the instructions for adding the cipherlist for EEM 12.51 CR05 and above: 

To protect port 5250 (which is iGateway):
- Edit the following file: 
$IGW_LOC/igateway.conf or %IGW_LOC%\igateway.conf
- Enter the ciphers in the cipher tag, as in the example: 
<cipherlist>kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH</cipherlist> 
- Save the changes and restart the igateway service 

To protect port 509 (which is CA Directory):
- Edit the following file: 
$DXHOME/config/ssld/itechpoz.dxc or %DXHOME%\config\ssld\itechpoz.dxc
- Enter the ciphers in the cipher tag, above the 'protocol' line:
cipher = "kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH" 
- Save the changes and restart the CA Directory service
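
To confirm both edits after the restarts, the following added example (not part of the original article or the product) reads the cipherlist from each file and reports exclusions that are missing, a cipher line placed below the 'protocol' line, and lists that differ between the two ports. The sample file fragments are constructed, and the 'protocol' line value is a placeholder.

```python
import re

# Exclusions taken from the sample cipherlist in this article.
REQUIRED_EXCLUSIONS = ["!ADH", "!DES", "!3DES", "!LOW", "!EXPORT40", "!RC4"]

# Constructed sample fragments, not real product files. The dxc sample
# deliberately omits !3DES so the audit has something to report.
SAMPLE_IGATEWAY = "<cipherlist>kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH</cipherlist>\n"
SAMPLE_DXC = ('cipher = "kEDH:ALL:!ADH:!DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH"\n'
              "protocol = placeholder\n")

def igateway_cipherlist(text):
    """Return the value of the <cipherlist> tag in igateway.conf text, or None."""
    m = re.search(r"<cipherlist>\s*([^<]*?)\s*</cipherlist>", text)
    return m.group(1) if m else None

def dxc_cipherlist(text):
    """Return (cipherlist, cipher_is_above_protocol_line) for itechpoz.dxc text."""
    value = cipher_at = protocol_at = None
    for n, line in enumerate(text.splitlines()):
        m = re.match(r'\s*cipher\s*=\s*"([^"]*)"', line)
        if m and value is None:
            value, cipher_at = m.group(1), n
        elif re.match(r"\s*protocol\b", line) and protocol_at is None:
            protocol_at = n
    above = cipher_at is not None and (protocol_at is None or cipher_at < protocol_at)
    return value, above

def audit(igw_text, dxc_text):
    """Return a list of findings for the two configuration files."""
    findings = []
    igw = igateway_cipherlist(igw_text)
    dxc, above = dxc_cipherlist(dxc_text)
    for name, value in (("igateway.conf", igw), ("itechpoz.dxc", dxc)):
        if value is None:
            findings.append(f"{name}: no cipherlist configured")
            continue
        tokens = value.split(":")  # exact tokens, so !3DES does not satisfy !DES
        findings.extend(f"{name}: missing {e}" for e in REQUIRED_EXCLUSIONS if e not in tokens)
    if dxc is not None and not above:
        findings.append("itechpoz.dxc: cipher is not above the protocol line")
    # Assumption: both ports are meant to carry the same list, as in the article.
    if igw and dxc and igw != dxc:
        findings.append("cipherlists differ between port 5250 and port 509")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_IGATEWAY, SAMPLE_DXC):
        print(finding)
```

This check is textual only; running `openssl ciphers -v` with the same string against the OpenSSL build in use shows the suites the list actually expands to.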