This document describes how to configuring the cipherlist tags will address issues with the detection of weak ciphers, during vulnerability scans on Windows and non-Windows platforms.
Also restricting communication over TLSv1.2.
Because the vulnerabilities scans are detecting weak ciphers on the servers, this document will assist in creating a cipherlist to address the weak ciphers that are detected.
As well as restricting communication over TLSv1.2. Since TLSv1.0 and 1.1 has been deprecated.
Embedded Entitlements Manager r12.6.x and above.
Below are instructions on creating a cipher suite and restricting communication to only TLSv1.2.
For the a list of ciphers that you can use, please refer to the following OpenSSl site:
Below is a sample cipher that can be used, also you can add to it as your business needs see fit.
You can add to the below list from the ciphers listed in the OpenSSL site:
Here are the instructions for adding the cipherlist for EEM:
- To protect port 5250 (which is iGateway), edit the following file $IGW_LOC/igateway.conf or %IGW_LOC%\igateway.conf
- Enter the following cipher in the cipher tag as follows (below is the sample that you can use, and you can add to):
- Save the changes
- To protect port 509 (which is CA Directory), edit the following file $DXHOME/config/ssld/itechpoz.dxc or %DXHOME%\config\ssld\itechpoz.dxc
- Enter the following above the 'protocol' line:
cipher = "kEDH:ALL:!ADH:!DES:!3DES:!LOW:!EXPORT40:!RC4:+SSLv2:@STRENGTH"
- Save the changes
Here are the instructions in order to restrict communication over TLSv1.2 only:
- For iGateway, edit the following file $IGW_LOC/igateway.conf or %IGW_LOC%\igateway.conf, and add TLSV1_2 to the secure protocol tag as follows:
- Save the changes and restart the igateway service
For CA Directory, edit the following file $DXHOME/config/ssld/itechpoz.dxc or %DXHOME%\config\ssld\itechpoz.dxc, and add tlsv12 to the protocol line as follows:
protocol = tlsv12
- Save the changes and restart the CA Directory service