This document describes how to configure the cipherlist tags to address weak ciphers that are detected during vulnerability scans on Windows and non-Windows platforms.
Because vulnerability scans are detecting weak ciphers on the servers, this document will assist in creating a cipherlist to address the weak ciphers that are detected.
Embedded Entitlements Manager 12.51 CR05 and Above.
For a list of ciphers that you can use with the EEM product, please refer to the following OpenSSL site:
https://www.openssl.org/docs/man1.0.2/apps/ciphers.html
Below is a sample cipherlist that can be used. You can add to it from the ciphers listed on the OpenSSL site, as your business needs require.
kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH
Here are the instructions for adding the cipherlist for EEM 12.51 CR05 and above:
To protect port 5250 (which is iGateway):
- Edit the following file:
$IGW_LOC/igateway.conf or %IGW_LOC%\igateway.conf
- Enter the ciphers in the cipher tag, as in the example:
<cipherlist>kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH</cipherlist>
- Save the changes and restart the igateway service
To protect port 509 (which is CA Directory):
- Edit the following file:
$DXHOME/config/ssld/itechpoz.dxc or %DXHOME%\config\ssld\itechpoz.dxc
- Enter the ciphers in the cipher tag, above the 'protocol' line:
cipher = "kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH"
- Save the changes and restart the CA Directory service
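A check for the two edits above, as an added example that is not part of the original document or of the product: it reads the <cipherlist> tag and the cipher line, confirms the cipher line sits above the 'protocol' line, and reports any exclusion from the sample cipherlist that is missing. The function names, the choice of the sample's exclusions as a baseline, and the sample file contents are assumptions constructed for illustration.

```python
import re

# Assumed baseline: the "!" tokens of the sample cipherlist on this page.
BASELINE = ["!ADH", "!DES", "!3DES", "!LOW", "!EXPORT40", "!RC4"]

def igateway_cipherlist(conf_text):
    """Value of the <cipherlist> tag in igateway.conf text, or None."""
    m = re.search(r"<cipherlist>\s*(.*?)\s*</cipherlist>", conf_text, re.S)
    return m.group(1) if m else None

def dxc_cipher(dxc_text):
    """Return (cipher value or None, True if it sits above the 'protocol' line)."""
    value = cipher_at = protocol_at = None
    for n, line in enumerate(dxc_text.splitlines()):
        s = line.strip()
        # Anchored match: a line with anything in front of "cipher" is skipped.
        m = re.match(r'cipher\s*=\s*"([^"]*)"', s)
        if m and value is None:
            value, cipher_at = m.group(1), n
        elif s.startswith("protocol") and protocol_at is None:
            protocol_at = n
    above = value is not None and (protocol_at is None or cipher_at < protocol_at)
    return value, above

def audit(conf_text, dxc_text):
    """List of findings; an empty list means both files carry the baseline."""
    findings = []
    dx, above = dxc_cipher(dxc_text)
    for name, value in (("igateway.conf", igateway_cipherlist(conf_text)),
                        ("itechpoz.dxc", dx)):
        if not value:
            findings.append(f"{name}: no cipherlist set")
            continue
        # Compare whole colon-separated tokens, not substrings.
        missing = [t for t in BASELINE if t not in value.split(":")]
        if missing:
            findings.append(f"{name}: missing {' '.join(missing)}")
    if dx and not above:
        findings.append("itechpoz.dxc: cipher line is below the 'protocol' line")
    return findings

# Constructed sample contents: only the <cipherlist> tag and the cipher line
# follow the page; the root element and protocol value are placeholders.
SAMPLE_CONF = """<placeholder-root>
<cipherlist>kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH</cipherlist>
</placeholder-root>"""
SAMPLE_DXC = 'protocol = PLACEHOLDER\ncipher = "kEDH:ALL:!ADH:!DES:!LOW:!RC4:@STRENGTH"\n'

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, SAMPLE_DXC)) or "no findings")
```

Run it against the real file contents after each edit and before restarting the service; a follow-up scan of ports 5250 and 509 remains the confirmation that the weak ciphers are gone.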