Configuring Messaging Gateway for PCI compliance

Article ID: 170961

Products

Messaging Gateway

Issue/Introduction

A vulnerability or PCI compliance scan of Messaging Gateway (SMG) indicates that SMG will accept TLS protocol versions or encryption algorithms which are not PCI compliant.

Resolution

Messaging Gateway may be brought into compliance with PCI standards by restricting the TLS protocol version accepted by the Control Center web application service and the MTA / mail server.

Control Center port 443

  1. Log into the Control Center command line interface as 'admin'
  2. Run `cc-config set-min-tls-level --tls12`

This will restart the Control Center web application service and restrict communication to TLSv1.2.

Scanner (MTA) port 25

SMG cannot currently eliminate all TLS 1.0 ciphers, but the available ciphers can be limited to more secure ciphers by running in FIPS-compliant mode.

For each scanner system:

  1. Log into the command line interface as 'admin'
  2. Run `fipsmode on`

This will restart the system with the operating system set to high security, FIPS-compliant mode.
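After both changes are applied, the following shell script (an added example, not part of this article or of the SMG product) confirms from an outside host that port 443 and port 25 (via STARTTLS) refuse TLS 1.0 and 1.1 and still accept TLS 1.2, which is the state a PCI scanner expects. It assumes `openssl` is installed on the host you run it from and that the host can reach the SMG appliances; the two `s_client` excerpts embedded in it are constructed for offline checks.

```shell
#!/bin/sh
# Verifies the two SMG changes above from an outside host. Assumed (not from the
# article): openssl(1) is installed and this host can reach 443 and 25 on SMG.

# handshake_ok: read `openssl s_client` output on stdin; succeed only if a cipher
# was negotiated. s_client reports a refused version in its text as
# "New, (NONE), Cipher is (NONE)", not reliably via its exit code.
handshake_ok() { grep '^New, ' | grep -qv 'Cipher is (NONE)'; }

# probe HOST PORT FLAG [STARTTLS]: one handshake with a single version forced
# (-tls1, -tls1_1, -tls1_2); pass "smtp" for port 25.
# Exit 0 = accepted, 1 = refused, 2 = inconclusive (local openssl lacks the version).
probe() {
    host=$1; port=$2; flag=$3; starttls=${4:-}
    if [ -n "$starttls" ]; then
        out=$(printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" -starttls "$starttls" "$flag" 2>&1 || true)
    else
        out=$(printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" "$flag" 2>&1 || true)
    fi
    printf '%s\n' "$out" | grep -Eq 'unknown option|no protocols available' && return 2
    printf '%s\n' "$out" | handshake_ok
}

# pci_check HOST: TLS 1.0/1.1 must be refused and TLS 1.2 accepted on the Control
# Center (443) and the scanner MTA (25, STARTTLS). Prints one line per test and
# returns 0 only when every expectation holds.
pci_check() {
    host=$1; rc=0
    for spec in "443:" "25:smtp"; do
        port=${spec%%:*}; st=${spec#*:}
        for flag in -tls1 -tls1_1 -tls1_2; do
            probe "$host" "$port" "$flag" "$st" && r=0 || r=$?
            case $r in 0) got=accepted ;; 1) got=refused ;; *) got=inconclusive ;; esac
            case $flag in -tls1_2) want=accepted ;; *) want=refused ;; esac
            [ "$got" = "$want" ] || rc=1
            printf '%s:%s %-8s %-12s (expected %s)\n' "$host" "$port" "$flag" "$got" "$want"
        done
    done
    return $rc
}

# Constructed s_client excerpts (not captured from a real SMG) for offline checks.
SAMPLE_ACCEPTED='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Protocol  : TLSv1.2'
SAMPLE_REFUSED='SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1'

if [ "$#" -gt 0 ]; then pci_check "$1"; fi   # usage: sh smg-tls-check.sh smg.example.com
```

Run it once per scanner and once against the Control Center; an "inconclusive" result means the local OpenSSL build itself no longer offers that protocol version, so test from a host whose OpenSSL still does.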

Note: Some PCI compliance scans will generate warnings regarding the modulus length used for Diffie-Hellman key exchange for SMG 10.6.5 and earlier. The DH key exchange modulus is being increased in later releases.