How to disable SSLv2 as well as weak SSL ciphers In Provisioning and C++ servers

Article ID: 19483

Updated On:

Products

DIRECTORY, CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On, SECURITY MISC CODES, SINGLE SIGN ON - LEGACY, CA Data Protection (DataMinder), CA User Activity Reporting

Issue/Introduction

Description:

In accordance with PCI compliance policies, only 128-bit encryption or higher is allowed.

A scan has detected that the C++ Connector Server and the Provisioning Server accept the SSLv2 protocol as well as weak SSL ciphers.

The client wants to disable SSLv2 and the weak SSL ciphers.

Solution:

To allow only cipher suites stronger than 128-bit (the OpenSSL HIGH group) and 128-bit suites (MEDIUM), and to exclude every SSL 2.0 cipher suite (-SSLv2), add a TLSCipherSuite directive to the TLS server configuration block in both of the following files:
<Provisioning Server Home>\data\im_ccs.conf
<Provisioning Server Home>\data\im_ps.conf
so that the block reads as follows. Only the TLSCipherSuite line is new; the other TLS* directives are shown for context with the default installation paths.

Two points to keep in mind. In OpenSSL cipher-list syntax a leading "-" removes suites but lets a later keyword add them back, while "!" removes them permanently; since nothing follows -SSLv2 in this string, the effect here is the same. Also, MEDIUM still admits 128-bit RC4 (and, from OpenSSL 1.1.0 on, 3DES), so list the resulting suites with openssl ciphers -v 'HIGH:MEDIUM:-SSLv2' and tighten the string if the assessor's policy excludes them.


# TLS server configuration data
TLSCipherSuite          HIGH:MEDIUM:-SSLv2
TLSCertificateFile      "C:\\Program Files (x86)\\CA\\Identity Manager\\Provisioning Server\\data\\tls\\server\\eta2_servercert.pem"
TLSCertificateKeyFile   "C:\\Program Files (x86)\\CA\\Identity Manager\\Provisioning Server\\data\\tls\\server\\eta2_serverkey.pem"
TLSCACertificateFile    "C:\\Program Files (x86)\\CA\\Identity Manager\\Provisioning Server\\data\\tls\\et2_cacert.pem"
TLSRandomFile           "C:\\Program Files (x86)\\CA\\Identity Manager\\Provisioning Server\\data\\tls\\prng_seed"
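The following Python script is an added example for this article, not CA tooling and not part of the original page. It applies the TLSCipherSuite directive to both files named above without hand-editing (replacing an existing or commented-out directive, otherwise inserting it ahead of TLSCertificateFile), and then expands the cipher string with the local OpenSSL so the administrator can see which suites below 128 bits it still admits. It assumes the files use slapd.conf-style syntax, where a line beginning with whitespace continues the previous directive (the TLS* directives above follow that convention), that the files are UTF-8, and that the Provisioning Server home directory is passed as the only argument; the im_ps.conf fragment embedded in it is constructed for the demonstration. On a current OpenSSL, which no longer contains SSLv2 at all, the evaluation reflects what the cipher string permits on that build, not what the servers' own library does.

```python
"""Set TLSCipherSuite in im_ccs.conf / im_ps.conf and evaluate the cipher string.

Added example for the article above, not CA tooling. Assumes slapd.conf-style
syntax: one directive per physical line, and a line that starts with
whitespace continues the previous logical line.
"""
import os
import re
import ssl
import sys

# Cipher string from the article. In OpenSSL syntax "-SSLv2" removes the SSLv2
# suites (a later keyword could re-add them; "!SSLv2" would be permanent).
CIPHER_SUITE = "HIGH:MEDIUM:-SSLv2"

# Active or commented-out TLSCipherSuite directive; directive names are
# matched case-insensitively, as slapd does.
_CIPHER_DIRECTIVE = re.compile(r"^\s*#?\s*TLSCipherSuite\b", re.IGNORECASE)
_CERT_DIRECTIVE = re.compile(r"^\s*TLSCertificateFile\b", re.IGNORECASE)

# Constructed im_ps.conf fragment used for the demonstration (not a real file).
SAMPLE_CONF = r"""# TLS server configuration data
TLSCertificateFile      "C:\\Program Files (x86)\\CA\\Identity Manager\\
 Provisioning Server\\data\\tls\\server\\eta2_servercert.pem"
TLSCertificateKeyFile   "C:\\Program Files (x86)\\CA\\Identity Manager\\
 Provisioning Server\\data\\tls\\server\\eta2_serverkey.pem"
"""


def _logical_lines(text):
    """Group physical lines into logical lines, keeping continuation lines
    (leading whitespace) attached to the directive they belong to."""
    groups = []
    for line in text.splitlines(keepends=True):
        if line[:1] in (" ", "\t") and groups:
            groups[-1].append(line)
        else:
            groups.append([line])
    return groups


def cipher_suite_of(text):
    """Return the active TLSCipherSuite value, or None if none is set."""
    for group in _logical_lines(text):
        logical = " ".join(line.strip() for line in group)
        m = re.match(r"^TLSCipherSuite\s+(\S+)", logical, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def apply_cipher_suite(text, suite=CIPHER_SUITE):
    """Return text with exactly one active 'TLSCipherSuite <suite>' directive.

    An existing directive (even commented out) is replaced in place together
    with its continuation lines and duplicates are dropped; otherwise the
    directive is inserted ahead of TLSCertificateFile, or appended when the
    file has no TLS block. The input's line endings are preserved.
    """
    eol = "\r\n" if "\r\n" in text else "\n"
    new_line = f"TLSCipherSuite {suite}{eol}"
    out, done = [], False
    for group in _logical_lines(text):
        first = group[0]
        if _CIPHER_DIRECTIVE.match(first):
            if not done:
                out.append(new_line)
                done = True
            continue
        if not done and _CERT_DIRECTIVE.match(first):
            out.append(new_line)
            done = True
        out.extend(group)
    if not done:
        if out and not out[-1].endswith("\n"):
            out.append(eol)
        out.append(new_line)
    return "".join(out)


def evaluate_cipher_string(suite=CIPHER_SUITE):
    """Expand the cipher string with the local OpenSSL and return
    (all admitted suites, those below 128 bits). This checks the string on
    this machine's OpenSSL, not the Provisioning Server's own build; on
    OpenSSL 1.1.0+ expect DES-CBC3-SHA (112 bits) from MEDIUM unless 3DES
    is disabled in the build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(suite)
    ciphers = ctx.get_ciphers()
    weak = [c for c in ciphers if c["strength_bits"] < 128]
    return ciphers, weak


def main(home):
    """Patch both files the article names under <Provisioning Server Home>."""
    for name in ("im_ccs.conf", "im_ps.conf"):
        path = os.path.join(home, "data", name)   # file layout per the article
        with open(path, encoding="utf-8", newline="") as fh:  # encoding assumed
            original = fh.read()
        patched = apply_cipher_suite(original)
        if patched != original:
            with open(path, "w", encoding="utf-8", newline="") as fh:
                fh.write(patched)
        print(f"{path}: TLSCipherSuite {cipher_suite_of(patched)}")
    for c in evaluate_cipher_string()[1]:
        print(f"note: {c['name']} ({c['strength_bits']} bits) is still admitted")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        main(sys.argv[1])
    else:  # no home directory given: show the edit on the constructed sample
        print(apply_cipher_suite(SAMPLE_CONF))
```

Run it as python set_cipher_suite.py "C:\Program Files (x86)\CA\Identity Manager\Provisioning Server" on the server (stop and restart the Provisioning and C++ Connector services afterwards so the new directive is read), or with no argument to see the patched sample block. Running the edit twice leaves the file unchanged, so it is safe to re-run after an upgrade that resets the configuration.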

Environment

Release:
Component: IDMGR