How to change or disable TLS and Weak Ciphers and Protocols on VIP Enterprise Gateway Portals

Article ID: 150540

Products

VIP Service

Issue/Introduction

This article describes how to change the cipher list and the Transport Layer Security (TLS) protocol versions accepted for access to the VIP Enterprise Gateway console, the My VIP IdP portal, the SSP IdP portal, and the VIP Manager portal. This affects the following versions:

  • VIP Enterprise Gateway 9.11.x, 9.10.x, 9.9.x
  • VIP SSP IdP Proxy 9.7.x

Note: Protocol and cipher suites between the VIP Enterprise Gateway and VIP Cloud are controlled by the host server and your network settings.

Resolution

VIP ENTERPRISE GATEWAY 9.11.x, 9.10.x, 9.9.x

By default, SSL protocol versions 2.0 and 3.0 are considered weak and are restricted in the BlacklistedProtocols.properties exclusion file.
Weak ciphers (ciphers with a key length < 128 bits) are restricted in the weakciphers.properties exclusion file. Both files can be manually modified to restrict additional protocols or ciphers.

Note: For a list of additional ciphers with key length < 224 bits, please refer to KB 245789.

-  Modifying the Transport Layer Security (TLS) Protocols

The BlacklistedProtocols properties file (<VIPEG_INSTALLATION>\Symantec\VIP_Enterprise_Gateway\conf\BlacklistedProtocols.properties) can be modified to include additional TLS versions. To do this, add the protocol to the bottom of the list using a standard text editor. Save the file, and restart the Enterprise Gateway. Always create a backup of the original file before making changes.

-  Modifying the Weak Ciphers list for the Self Service Portal (SSP)

Follow these steps to restrict ciphers on the Self Service Portal (SSP) IdP, My VIP IdP, and the VIP Manager IdP on the VIP Enterprise Gateway:

Important: Symantec recommends always running the latest available VIP software. Run LiveUpdate from the VIP EG console, or manually download updates from VIP Manager.

  1. Stop the following applicable VIP Services:
    • Symantec Self Service Portal Service
    • Symantec LDAP DirSync Service
    • All Symantec Validation Authentication Services
    • Symantec VIP Manager Service
    • Symantec Enterprise Gateway Service
  2. Rename the current weakciphers.properties located at <VIPEG_INSTALLATION>/conf/weakciphers.properties.
  3. Download the attached weakciphers.properties file into this same folder.
  4. Restart the Enterprise Gateway.

The weakciphers.properties file contains two sections: #Weak SSL Ciphers and #Weak TLS Ciphers. Additional ciphers can be blocked by adding them to this list, using their IANA cipher-suite names. Always create a backup of the original file before making changes.
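As an added illustration, not Symantec's tooling: a Python helper that parses a weakciphers.properties-style file, reports any sub-128-bit suites a host still offers that the list does not block, and appends missing IANA names without creating duplicates. The file layout it assumes (one IANA name per line under the two section headers) and the constructed sample content are assumptions, not taken from the shipped file.

```python
import re
from typing import Dict, List

# ASSUMED layout of weakciphers.properties (not checked against the shipped file):
# "#Weak SSL Ciphers" and "#Weak TLS Ciphers" headers, one IANA suite name per line.
SECTION_RE = re.compile(r"^#\s*Weak\s+(SSL|TLS)\s+Ciphers", re.IGNORECASE)
IANA_NAME_RE = re.compile(r"^(?:TLS|SSL)_[A-Z0-9_]+$")
# Name fragments that mark a suite as using a key shorter than 128 bits (NULL,
# export-grade 40-bit, single DES). 3DES_EDE is deliberately not matched.
SUB128_MARKERS = ("_NULL_", "_EXPORT_", "_EXPORT1024_", "_DES40_", "_DES_CBC_", "_RC4_40_", "_RC2_CBC_40_")

# Constructed sample file content used for the demonstration below.
SAMPLE = """#Weak SSL Ciphers
SSL_RSA_WITH_NULL_MD5
SSL_RSA_EXPORT_WITH_RC4_40_MD5
#Weak TLS Ciphers
TLS_RSA_WITH_NULL_SHA256
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
"""

def parse_weakciphers(text: str) -> Dict[str, List[str]]:
    """Split the file into its SSL and TLS sections, skipping blanks and malformed names."""
    sections: Dict[str, List[str]] = {"SSL": [], "TLS": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).upper()
        elif line and not line.startswith("#") and current and IANA_NAME_RE.match(line):
            sections[current].append(line)
    return sections

def is_below_128_bits(name: str) -> bool:
    """Heuristic: does the IANA suite name signal a symmetric key below 128 bits?"""
    return any(marker in name for marker in SUB128_MARKERS)

def unblocked_weak_ciphers(text: str, offered: List[str]) -> List[str]:
    """Suites the host still offers that are below 128 bits and missing from the blocklist."""
    blocked = set().union(*parse_weakciphers(text).values())
    return sorted(c for c in offered if is_below_128_bits(c) and c not in blocked)

def add_ciphers(text: str, new: List[str]) -> str:
    """Append well-formed, not-yet-listed IANA names to the bottom of the file (idempotent)."""
    present = set().union(*parse_weakciphers(text).values())
    additions = [c for c in new if IANA_NAME_RE.match(c) and c not in present]
    return text.rstrip("\n") + "".join("\n" + c for c in additions) + "\n"
```

Run `unblocked_weak_ciphers` against the suites your scanner reports the portal offering, then feed the result to `add_ciphers` and write the output back only after backing up the original file.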

- Rollback procedures for VIP Enterprise Gateway 9.9, 9.10, and 9.11

Perform these steps if the above solution fails:

  1. Stop the following services, if applicable: 
    • Self Service Portal IdP
    • VIP Manager IdP
    • LDAP sync service
    • All Validation Services
    • VIP Enterprise Gateway Service
  2. Restore the previously backed-up weakciphers.properties to the <VIPEG_INSTALLATION>/conf/ folder.
  3. Start all services.

VIP SSP IdP Proxy 9.7.x

Important: VIP SSP IdP Proxy development ended with version 9.7 and is no longer supported. Broadcom recommends replacing it with an alternative reverse proxy solution such as Symantec ProxySG or a software-based solution such as Squid (sample Squid reverse proxy configuration).

Attachments

weakciphers.properties
blacklistedProtocols.properties