How to disable TLS 1.0 and 1.1, as well as restrict the Diffie-Hellman (DH) keysize to 2048 or higher in the CAMM LC

Article ID: 211699

Products

CA Mediation Manager

Issue/Introduction

How do I disable TLS 1.0 and 1.1, as well as restrict the Diffie-Hellman (DH) keysize to 2048 or higher in the CAMM LC?

Cause

Security Vulnerability

Environment

Dx NetOps Mediation Manager: any version

Resolution

1. Add the TLSv1 and TLSv1.1 values to the jdk.tls.disabledAlgorithms property in JAVA_HOME/lib/security/java.security.
- You can get the JAVA_HOME value from /opt/CA/CAMM/tools/camm.env
- Example setting (the "DH keySize < 2048" entry is what enforces the 2048-bit DH floor): jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, EC keySize < 224, 3DES_EDE_CBC, TLSv1, TLSv1.1, anon, NULL

2. After updating the property, restart CAMM before you test:
>/opt/CA/CAMM/tools/stopall
>/opt/CA/CAMM/tools/startall

3. To verify, run openssl s_client against the listener with each protocol version pinned:

- openssl s_client -tls1 -connect <ip address>:<port> (should now be rejected)

- openssl s_client -tls1_1 -connect <ip address>:<port> (should now be rejected)

- openssl s_client -tls1_2 -connect <ip address>:<port> (should work)
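As an added example (not CA's or the product's own tooling), the shell check below reads a java.security file the way the JDK's Properties parser does (joining backslash-continued lines, last definition wins) and reports whether the three entries step 1 requires are present; the two sample files are constructed here, not taken from a real install.

```shell
# Added example (not CA's tooling): audit jdk.tls.disabledAlgorithms in a java.security
# file for the entries step 1 requires, using constructed sample files.

# Effective value of jdk.tls.disabledAlgorithms: join backslash-continued lines (the stock
# file wraps this property), drop continuation indentation, last definition wins.
disabled_algorithms() {
    awk '
      /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
          sub(/^[^=]*=[ \t]*/, ""); val = ""; cont = 1
      }
      cont {
          line = $0; sub(/^[ \t]+/, "", line)
          if (sub(/\\[ \t]*$/, "", line)) { val = val line; next }
          val = val line; cont = 0
      }
      END { print val }' "$1"
}

# Exact match on one comma-separated entry ("DH keySize < 2048" must match as a whole,
# so a weaker "DH keySize < 1024" does not pass).
has_entry() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fqx -- "$2"
}

# Returns 0 only when TLSv1, TLSv1.1 and the 2048-bit DH floor are all listed.
check_java_security() {
    list=$(disabled_algorithms "$1"); missing=0
    for want in 'TLSv1' 'TLSv1.1' 'DH keySize < 2048'; do
        if has_entry "$list" "$want"; then printf 'ok       %s\n' "$want"
        else printf 'MISSING  %s\n' "$want"; missing=$((missing + 1)); fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed samples (not copied from any JDK) so the audit runs without a CAMM host:
# the first is a typical pre-change file, the second carries the article's example setting.
write_weak_sample() { cat >"$1" <<'EOF'
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5
EOF
}
write_hardened_sample() { cat >"$1" <<'EOF'
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
    EC keySize < 224, 3DES_EDE_CBC, TLSv1, TLSv1.1, anon, NULL
EOF
}
```

On a CAMM host, call check_java_security "$JAVA_HOME/lib/security/java.security" with JAVA_HOME taken from camm.env; a non-zero exit means at least one entry is still missing.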

You can then re-run your scan to confirm the vulnerability is no longer reported.