Article ID: 188851
CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)
How can we find out which ciphers are supported by a given CA PAM version? Is there a way to determine this?
Also, how can we find the ciphers supported by CA PAM for other applications that communicate over a specific port?
Release : 2.8.x, 3.2.x, 3.3.x
Component : PRIVILEGED ACCESS MANAGEMENT
Which ciphers are supported is a very common query, because this determines the communication between CA PAM and the various target devices / applications.
To capture the ciphers supported for TLS 1.2 by CA PAM, establish a connection to the CA PAM server over port 443.
Capture the traffic between the desktop and CA PAM using the Wireshark application. Once the traffic is captured in Wireshark, search for the "Client Hello" handshake message. Expand this "Client Hello" entry; the list of supported ciphers is shown under it.
The list of ciphers supported for CA PAM version 3.2.6 is as follows:

Transport Layer Security
  TLSv1.2 Record Layer: Handshake Protocol: Client Hello
    Cipher Suites (14 suites)
      Cipher Suite: Reserved (GREASE) (0xfafa)
      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
      Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
      Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
      Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
      Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
      Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
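The Client Hello lookup described above can also be done without the GUI. The following is an added example, not part of the original article or of CA PAM: a small Python parser that pulls the cipher suite list out of the raw bytes of one TLS record and names the suites using the IDs listed in this article. The function names and the sample record are assumptions made for illustration, and the parser assumes the Client Hello fits in a single TLS record.

```python
# Suite IDs and names exactly as listed in this article (IANA registry values).
PAGE_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def is_grease(s):
    # GREASE placeholders (RFC 8701) are 0x0A0A, 0x1A1A, ... 0xFAFA.
    return (s >> 8) == (s & 0xFF) and (s & 0x0F) == 0x0A

def client_hello_suites(record):
    """Return the cipher suite IDs from one TLS record holding a Client Hello."""
    if len(record) < 5 or record[0] != 0x16:        # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 39 or body[0] != 0x01:           # 0x01 = Client Hello
        raise ValueError("truncated record or not a Client Hello")
    pos = 38                      # 4 handshake header + 2 version + 32 random
    pos += 1 + body[pos]          # skip the length-prefixed session_id
    n = int.from_bytes(body[pos:pos + 2], "big")
    raw = body[pos + 2:pos + 2 + n]
    if n == 0 or n % 2 or len(raw) != n:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def describe(ids):
    # Render each ID the way Wireshark shows it: "NAME (0xhhhh)".
    return ["%s (0x%04x)" % ("Reserved (GREASE)" if is_grease(s)
            else PAGE_SUITES.get(s, "unknown"), s) for s in ids]

def sample_record():
    # Constructed sample (not a real capture): zeroed random, empty session_id.
    ids = [0xFAFA] + list(PAGE_SUITES)
    suites = b"".join(i.to_bytes(2, "big") for i in ids)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + len(suites).to_bytes(2, "big") + suites + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

To use it on real traffic, pass the bytes of the TLS record from the capture to `client_hello_suites()` and print the result of `describe()`.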
Similarly, if we need to know the list of ciphers supported from CA PAM over other ports such as 636, 22, 389, etc., we need to install tcpdump on the CA PAM host (this requires help from the Support team). After tcpdump is installed, capture the traffic on the specific port and analyse the captured traffic using Wireshark to get the list of supported ciphers.