How to adjust Ciphers for Provisioning and C++ servers to disable weak ciphers

Article ID: 19483

Products

CA Directory, CA Identity Manager, CA Identity Governance, CA Identity Portal

Issue/Introduction

In accordance with PCI compliance policies, only 128-bit encryption or higher is allowed.

It has been detected that the C++ Connector and Provisioning Servers allow the SSLv2 protocol as well as weak SSL ciphers.

The client wants to disable SSLv2 as well as weak SSL ciphers.

Environment

Identity Manager

Resolution

For example, to allow only ciphers using greater than 128-bit encryption (HIGH) and ciphers with 128-bit encryption (MEDIUM), and to disable all SSL version 2.0 ciphers (-SSLv2), which are weaker than 128 bits:

Add the TLSCipherSuite directive to the following files:
<Provisioning Server Home>\data\im_ccs.conf
<Provisioning Server Home>\data\im_ps.conf

For example:

# TLS server configuration data
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCertificateFile      "C:\\Program Files (x86)\\CA\\Identity Manager\\
 Provisioning Server\\data\\tls\\server\\eta2_servercert.pem"
TLSCertificateKeyFile   "C:\\Program Files (x86)\\CA\\Identity Manager\\
 Provisioning Server\\data\\tls\\server\\eta2_serverkey.pem"
TLSCACertificateFile    "C:\\Program Files (x86)\\CA\\Identity Manager\\
 Provisioning Server\\data\\tls\\et2_cacert.pem"
TLSRandomFile           "C:\\Program Files (x86)\\CA\\Identity Manager\\
 Provisioning Server\\data\\tls\\prng_seed"


Please work with your security team to determine the required ciphers, and review the out-of-the-box configuration: the product is continually enhanced around security, and the above example may open up vulnerabilities that the out-of-the-box configuration prevents.
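A quick way to confirm that the directive took effect in both files is to read them back and inspect the cipher string before restarting the servers. The following Python script is an added example, not code from the product or from this article; it assumes the files follow the slapd.conf conventions described in the linked OpenLDAP documentation (simplified here to '#' comment lines and leading-whitespace continuation lines), and it uses constructed sample configurations in place of real im_ps.conf / im_ccs.conf contents:

```python
"""Static check of the TLSCipherSuite directive in slapd.conf-style files.

Added example (not CA/Broadcom code). It reads the OpenLDAP-style
configuration format used by im_ps.conf and im_ccs.conf and reports
cipher-suite settings that still admit SSLv2 or sub-128-bit ciphers.
The sample configurations below are constructed for the example.
"""
import re

# OpenSSL cipher-list aliases that admit ciphers weaker than 128 bits,
# or no encryption / no authentication at all.
WEAK_ALIASES = {"LOW", "EXPORT", "EXP", "NULL", "eNULL", "aNULL",
                "DES", "RC4", "MD5", "SSLv2", "COMPLEMENTOFDEFAULT"}
# Aliases too broad to be used without explicit removals after them.
BROAD_ALIASES = {"ALL", "COMPLEMENTOFALL"}


def parse_conf(text):
    """Return {directive: value} for a slapd.conf-style configuration.

    Assumed rules (simplified from the OpenLDAP format): lines starting
    with '#' are comments, and a line beginning with whitespace continues
    the previous line with its leading whitespace dropped, which is how
    the long Windows paths in the configuration files are wrapped.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += raw.strip()
        else:
            logical.append(raw.rstrip())
    directives = {}
    for line in logical:
        if line.startswith("#"):
            continue
        parts = re.split(r"\s+", line.strip(), maxsplit=1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        directives[parts[0]] = value
    return directives


def check_cipher_suite(directives):
    """Return a list of findings for TLSCipherSuite; an empty list passes."""
    findings = []
    suite = directives.get("TLSCipherSuite")
    if suite is None:
        return ["TLSCipherSuite not set: the library default cipher list applies"]
    enabled, removed = set(), set()
    for token in suite.split(":"):
        if not token or token.startswith("@"):  # e.g. @STRENGTH is a sort option
            continue
        if token[0] in "-!":                     # '-' removes, '!' removes permanently
            removed.add(token[1:])
        else:
            enabled.add(token.lstrip("+"))       # '+' only moves ciphers to the end
    for alias in sorted(enabled & WEAK_ALIASES):
        findings.append(f"weak alias enabled: {alias}")
    for alias in sorted(enabled & BROAD_ALIASES):
        findings.append(f"broad alias {alias} enabled without narrowing")
    if "SSLv2" not in removed:
        findings.append("SSLv2 ciphers not explicitly removed (append -SSLv2 or !SSLv2)")
    return findings


# Constructed sample: cipher list left wide open.
WEAK_CONF = r"""
# TLS server configuration data (constructed weak example)
TLSCipherSuite ALL:LOW
TLSCertificateFile "C:\\path\\to\\server.pem"
"""

# Constructed sample mirroring the hardened directive from the article,
# including a wrapped path to exercise the continuation-line handling.
HARDENED_CONF = r"""
# TLS server configuration data
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCertificateFile      "C:\\Program Files (x86)\\CA\\Identity Manager\\
 Provisioning Server\\data\\tls\\server\\eta2_servercert.pem"
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = check_cipher_suite(parse_conf(conf))
        print(f"{name}: {result or 'OK'}")
```

The check is lexical: it reports weak or over-broad OpenSSL aliases that remain enabled and the absence of an explicit -SSLv2 or !SSLv2 removal. What a cipher string actually expands to depends on the OpenSSL build on the server, so pair this with `openssl ciphers -v 'HIGH:MEDIUM:-SSLv2'` on that host and review the resulting list with the security team, as advised above.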


FOR VIRTUAL APPLIANCE
To adjust these files in a VAPP environment, log into the SSH console as the 'config' user, then su to the imps user.

Then use an editor such as vi to edit the specified files.


Additional Information

https://www.openldap.org/devel/admin/tls.html