Creating a cipherlist and restricting only TLSv1.2 communication within the EEM Application, on Port 5250 and Port 509.

Article ID: 195387

Products

- CA Application Performance Management Agent (APM / Wily / Introscope)
- SUPPORT AUTOMATION- SERVER
- CA Service Desk Manager - Unified Self Service
- KNOWLEDGE TOOLS
- CA Service Management - Asset Portfolio Management
- CA Service Management - Service Desk Manager
- CA Workload Automation Agent
- CA Workload Automation AE - Scheduler (AutoSys)
- CA Workload Automation AE - Business Agents (AutoSys)
- CA Workload Automation AE - System Agent (AutoSys)
- CA Process Automation Base

Issue/Introduction

This document describes how configuring the cipherlist tags addresses weak ciphers detected during vulnerability scans on Windows and non-Windows platforms, and how to restrict communication to TLSv1.2 only.

Cause

Vulnerability scans are detecting weak ciphers on the servers. This document explains how to create a cipherlist that addresses the detected weak ciphers, and how to restrict communication to TLSv1.2 only, since TLSv1.0 and TLSv1.1 have been deprecated.

Environment

Embedded Entitlements Manager r12.6.x and above.

Resolution

Below are instructions for creating a cipher suite and restricting communication to TLSv1.2 only.

For a list of ciphers that you can use, refer to the following OpenSSL page:
https://www.openssl.org/docs/man1.0.2/apps/ciphers.html

Below is a sample cipher string that can be used; you can extend it as your business needs require, using ciphers from the OpenSSL page above:
kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH

Here are the instructions for adding the cipherlist for EEM:

To protect port 5250 (iGateway):
- Edit the file $IGW_LOC/igateway.conf (on Windows, %IGW_LOC%\igateway.conf).
- Enter the following cipher string in the cipher tag (this is the sample; you can add to it):
kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH
- Save the changes.

To protect port 509 (CA Directory):
- Edit the file $DXHOME/config/ssld/itechpoz.dxc (on Windows, %DXHOME%\config\ssld\itechpoz.dxc).
- Enter the following line above the 'protocol' line:
cipher = "kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH"
- Save the changes.

Here are the instructions for restricting communication to TLSv1.2 only:

For iGateway:
- Edit the file $IGW_LOC/igateway.conf (on Windows, %IGW_LOC%\igateway.conf) and add TLSV1_2 to the secure protocol tag as follows:
TLSV1_2
- Save the changes and restart the igateway service.

For CA Directory:
- Edit the file $DXHOME/config/ssld/itechpoz.dxc (on Windows, %DXHOME%\config\ssld\itechpoz.dxc) and add tlsv12 to the protocol line as follows:
protocol = tlsv12
- Save the changes and restart the CA Directory service.
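As an added verification example (not part of this article and not CA's code), the following Python script uses the standard-library ssl module, backed by the local OpenSSL, to expand the article's cipher string the way OpenSSL interprets it, flag any selected suites that a scanner may still report, and probe a host to confirm which TLS versions it accepts after the change; the weak-marker list is a constructed starting point and the host and port passed to probe_versions are placeholders.

```python
"""Checks for the EEM cipherlist / TLSv1.2-only change (added example, not CA's code).
Expands the article's cipher string with the local OpenSSL, flags suites a scanner
may still report, and probes a server for the TLS versions it still accepts."""
import socket
import ssl
from typing import Dict, List

# Cipher string from the article (igateway.conf and itechpoz.dxc).
# In OpenSSL cipher strings '!' removes suites permanently, while '+' only moves
# matching suites to the end of the list, so '+SSLv2' adds nothing.
EEM_CIPHERLIST = "kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH"

# Name fragments commonly reported as weak (constructed list; extend as needed).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def expand_cipherlist(cipher_string: str) -> List[Dict]:
    """Return the TLS 1.2-and-below suites OpenSSL selects for cipher_string, in order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches at all
    # get_ciphers() also lists TLSv1.3 suites, which cipher strings do not govern.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(cipher_string: str) -> List[str]:
    """Names of selected suites whose name matches a weak-cipher marker."""
    return [c["name"] for c in expand_cipherlist(cipher_string)
            if any(m in c["name"] for m in WEAK_MARKERS)]


def probe_versions(host: str, port: int, timeout: float = 5.0) -> Dict[str, bool]:
    """Attempt one handshake per TLS version; True means the server accepted it.
    After the article's change, only TLSv1.2 should be True on ports 5250 and 509."""
    results = {}
    for label, version in (("TLSv1.0", ssl.TLSVersion.TLSv1),
                           ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                           ("TLSv1.2", ssl.TLSVersion.TLSv1_2)):
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # checking protocol support, not trust
            ctx.minimum_version = ctx.maximum_version = version  # pin a single version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[label] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            results[label] = False  # refused, timed out, or version unsupported locally
    return results
```

Run expand_cipherlist(EEM_CIPHERLIST) and weak_suites(EEM_CIPHERLIST) before editing the configuration files, then probe_versions against the EEM host on 5250 and 509 after the restart.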