How to disable SSLv2 as well as weak SSL ciphers In Provisioning and C++ servers


Article ID: 19483




CA Directory, CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On, CA Security Command Center, CA Data Protection (DataMinder), CA User Activity Reporting



In accordance with PCI compliance policies, only 128 bit encryption or higher is allowed.

It's been detected that C++ Connector & Provisioning Servers allow SSLv2 protocol as well as weak SSL ciphers.

Client wants to disable SSLv2 as well as weak SSL ciphers.


To allow only ciphers using greater than 128-bit encryption (HIGH) and ciphers with 128-bit encryption (MEDIUM), and to disable all SSL version 2.0 ciphers (-SSLv2) (lower than 128 bit):

Add the TLSCipherSuite directive to the
<Provisioning Server Home>\data\im_ccs.conf and
<Provisioning Server Home>\data\im_ps.conf files,
as follows:

# TLS server configuration data
TLSCertificateFile      "C:\\Program Files (x86)\\CA\\Identity Manager\\Provisioning Server\\data\\tls\\server\\eta2_servercert.pem"
TLSCertificateKeyFile   "C:\\Program Files (x86)\\CA\\Identity Manager\\Provisioning Server\\data\\tls\\server\\eta2_serverkey.pem"
TLSCACertificateFile    "C:\\Program Files (x86)\\CA\\Identity Manager\\Provisioning Server\\data\\tls\\et2_cacert.pem"
TLSRandomFile           "C:\\Program Files (x86)\\CA\\Identity Manager\\Provisioning Server\\data\\tls\\prng_seed"
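
A configuration check for the change above, as an added example that is not part of the original article or of CA's tooling: it reads the body of im_ps.conf or im_ccs.conf, finds the TLSCipherSuite directive and lints its value. It assumes the value is an OpenSSL-style cipher list built from the tokens the article names (HIGH:MEDIUM:-SSLv2), where a "-" removal can be undone by a class added later, and that an indented line continues the previous directive; audit_conf and the sample bodies are constructed for illustration.

```python
import re

ALLOWED_ADD = {"HIGH", "MEDIUM"}  # the two strength classes the article permits

def audit_conf(text):
    """Return findings for one conf file body; an empty list means it passes."""
    # Assumption: an indented line continues the previous directive.
    joined = re.sub(r"\r?\n[ \t]+", " ", text)
    suites = []
    for raw in joined.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and parts[0].lower() == "tlsciphersuite":
            suites.append(parts[1].strip().strip('"') if len(parts) > 1 else "")
    if not suites:
        return ["TLSCipherSuite is not set"]
    findings = []
    if len(suites) > 1:
        findings.append("TLSCipherSuite is set more than once")
    tokens = [t for t in re.split(r"[:, ]+", suites[-1]) if t]
    last_add, ssl2_off, ssl2_killed = -1, -1, False
    for i, tok in enumerate(tokens):
        if tok == "!SSLv2":
            ssl2_killed = True        # "!" removes permanently
        elif tok == "-SSLv2":
            ssl2_off = i              # "-" removes until something re-adds
        elif tok[0] in "-!+":
            continue                  # other removals/reorderings add nothing
        else:
            last_add = i
            if tok not in ALLOWED_ADD:
                findings.append("adds ciphers outside HIGH/MEDIUM: " + tok)
    if last_add == -1:
        findings.append("no HIGH or MEDIUM ciphers are enabled")
    if not ssl2_killed and ssl2_off < last_add:
        # Missing -SSLv2, or -SSLv2 placed before a class that re-adds them.
        findings.append("SSLv2 ciphers can still be selected")
    return findings

# Constructed sample bodies, not taken from a real server.
BASE = '# TLS server configuration data\nTLSRandomFile "prng_seed"\n'
SAMPLES = {
    "unset": BASE,
    "article": BASE + "TLSCipherSuite HIGH:MEDIUM:-SSLv2\n",
    "reordered": BASE + "TLSCipherSuite -SSLv2:HIGH:MEDIUM\n",
    "weak": BASE + "TLSCipherSuite ALL:-SSLv2\n",
}
if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, audit_conf(body))
```

The lint is deliberately conservative: any added token other than HIGH or MEDIUM is reported, including combined forms, so it should be run against both conf files after every edit.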


Component: IDMGR