How to change or disable TLS and Weak Ciphers and Protocols on VIP Enterprise Gateway


Article ID: 150540


Products

VIP Service

Issue/Introduction

 

Resolution

This article describes how to change the permitted cipher suites and Transport Layer Security (TLS) protocol versions in the following products and versions:

  • VIP Enterprise Gateway 9.9.x, 9.8.x, 9.7.x, 9.6.x
  • VIP SSP IDP Proxy 9.6.x, 9.7.x 

VIP ENTERPRISE GATEWAY 9.9.x, 9.8.x, 9.7.x, 9.6.x

By default, SSL protocol versions 2.0 and 3.0 are considered weak and are restricted by the BlacklistedProtocols.properties exclusion file.
Weak ciphers (cipher suites with a key length below 128 bits) are restricted by the weakciphers.properties exclusion file. Both files can be edited manually to restrict additional protocol versions or cipher suites.

-  Modifying the Transport Layer Security (TLS) Protocols

The BlacklistedProtocols.properties file (\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\conf\BlacklistedProtocols.properties) can be modified to exclude additional TLS versions. Always create a backup of the original file before making changes. Then add each protocol version to be excluded at the bottom of the list using a standard text editor, save the file, and restart the Enterprise Gateway.

-  Modifying the Weak Ciphers list for the Self Service Portal (SSP)

Follow these steps to restrict cipher suites on the Self Service Portal (SSP) IdP, My VIP IdP, and VIP Manager IdP on the VIP Enterprise Gateway:

Important: Symantec recommends always running the latest available VIP software. Run LiveUpdate from the VIP EG console, or manually download updates from https://manager.vip.com.

  1. Stop the following applicable VIP Services:
    • Symantec Self Service Portal Service
    • Symantec LDAP DirSync Service
    • All Symantec Validation Authentication Services
    • Symantec VIP Manager Service
    • Symantec Enterprise Gateway Service
  2. Rename the current weakciphers.properties located at <VIPEG_INSTALLATION>/conf/weakciphers.properties.
  3. Download the attached weakciphers.properties file into this same folder.
  4. Restart the Enterprise Gateway.

The weakciphers.properties file contains two sections: #Weak SSL Ciphers and #Weak TLS Ciphers. Additional cipher suites can be blocked by adding them to the appropriate section using their IANA names (for example TLS_RSA_WITH_RC4_128_SHA, not the OpenSSL name RC4-SHA). Always create a backup of the original file before making changes.

- Rollback procedures for VIP Enterprise Gateway 9.7, 9.8 and 9.9

Perform these steps if the services fail to start or clients can no longer connect after applying the change above:

  1. Stop the following services, if applicable:
    • Self Service Portal IdP
    • VIP Manager IdP
    • LDAP DirSync service
    • All Validation services
    • VIP Enterprise Gateway Service
  2. Restore the previously backed-up weakciphers.properties to the <VIPEG_INSTALLATION>/conf/ folder.
  3. Start all services.

 

VIP SSP IDP Proxy 9.6.x, 9.7.x 

Important: VIP SSP IdP Proxy development ended with version 9.7. Symantec recommends replacing it with an alternative reverse proxy solution (see the sample Squid reverse proxy configuration).

In the SSP IdP Proxy, SSL protocol versions 2.0 and 3.0 are considered weak and are excluded by default in the jetty.xml file located at SSP IDP Proxy Home/server/etc. The jetty.xml file can be modified to exclude further protocol versions (for example an older TLS version) or weak cipher suites (for example RC4) when vulnerabilities affecting them are identified.

-  Modifying the  VIP SSP IDP Proxy

(Note: For VIP Self-Service Portal IdP Proxy versions earlier than 9.7, update both the VIP Enterprise Gateway and the proxy to version 9.7 or later before applying these steps. Older versions either have no weak-cipher exclusion mechanism or support only limited blacklisting of cipher suites.)

Follow these steps to modify the VIP Self Service IdP Proxy component:

  1. Update weakciphers.properties on the Enterprise Gateway by following the instructions above.
  2. Stop the VIP Self Service IdP Proxy service through the Microsoft Management Console (Services snap-in).
  3. Create a backup of the jetty.xml located at <SSP_PROXY_INSTALLATION>/server/etc/.
  4. Download the jetty.xml file attached to this article and save it to the same folder, replacing the existing file.
  5. Start the VIP Self Service IdP Proxy service.
  6. If problems occur, restore the backed-up jetty.xml and restart the service.

Additional protocol versions and cipher suites can be excluded by editing jetty.xml with a standard text editor; back up the file first and restart the service after each change.
Attachments

weakciphers.properties
jetty.xml
blacklistedProtocols.properties