How to update the SSL cipher list to add strong ciphers for the Agent for SharePoint/Access Gateway

Article ID: 220294


Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

How can I add the stronger OpenSSL Ciphers to the Agent for SharePoint/Access Gateway Ciphers List for use in the SSL connections to the Back-end Servers?


Environment

Release : 12.52 SP1

Component : CA SITEMINDER AGENT FOR SHAREPOINT

Release : 12.8.0.x

Component : CA SITEMINDER ACCESS GATEWAY

Cause

The default cipher list for the Agent for SharePoint and the Access Gateway server does not include all the ciphers available in the installed OpenSSL version, so you may wish to update the cipher list to remove weak ciphers and add the available strong ciphers for the Agent to use.

Resolution

1. Generate the list of available OpenSSL ciphers with '.../proxy-engine/SSL/openssl ciphers -V'. The output shows the OpenSSL name of each cipher, for example ECDHE-RSA-AES256-GCM-SHA384.


2. Obtain the 'IANA name:' of the cipher from the following link, for example TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:

https://ciphersuite.info/cs/?software=openssl&singlepage=true

3. Replace the protocol prefix ("TLS_") in the IANA name with "+", and change "WITH_" to "With_", for example +ECDHE_RSA_With_AES_256_GCM_SHA384.

4. Add the modified IANA name to the ciphers and/or fipsciphers list(s) in Server.conf, for example +ECDHE_RSA_With_AES_256_GCM_SHA384:

ciphers="+ECDHE_RSA_With_AES_256_GCM_SHA384, +ECDHE_RSA_With_AES_256_CBC_SHA384, +RSA_With_AES_256_GCM_SHA384, +RSA_With_AES_256_CBC_SHA256, +ECDHE_ECDSA_With_AES_256_GCM_SHA384, +ECDHE_ECDSA_With_AES_256_CBC_SHA384, +DHE_RSA_With_AES_256_GCM_SHA384, +DHE_RSA_With_AES_256_CBC_SHA256, +DHE_DSS_With_AES_256_GCM_SHA384, +DHE_DSS_With_AES_256_CBC_SHA256"

fipsciphers="+ECDHE_RSA_With_AES_256_GCM_SHA384, +ECDHE_RSA_With_AES_256_CBC_SHA384, +RSA_With_AES_256_GCM_SHA384, +RSA_With_AES_256_CBC_SHA256, +ECDHE_ECDSA_With_AES_256_GCM_SHA384, +ECDHE_ECDSA_With_AES_256_CBC_SHA384, +DHE_RSA_With_AES_256_GCM_SHA384, +DHE_RSA_With_AES_256_CBC_SHA256, +DHE_DSS_With_AES_256_GCM_SHA384, +DHE_DSS_With_AES_256_CBC_SHA256"

5. Ensure that the Java Cryptography Extension (JCE) patch is applied and enabled if running Java 1.6 or 1.7. Java 1.8 should have JCE enabled by default.

6. Restart the Agent for SharePoint/Access Gateway and review Server.log to confirm that the cipher(s) were loaded.
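The following script carries steps 1 through 4 above end to end: it parses the output of 'openssl ciphers -V', drops suites with weak encryption or MAC algorithms, looks up each remaining OpenSSL name's IANA name, applies the "TLS_" / "WITH_" rewrite, and emits a ready-to-paste ciphers= line. This is an added example and not code from the Broadcom knowledge base or the product. The 'openssl ciphers -V' sample lines are constructed; the OPENSSL_TO_IANA table is a partial, hand-built stand-in for the ciphersuite.info lookup in step 2 (it covers only the sample suites); and the weak-cipher criteria in WEAK_ENC / WEAK_MAC are an assumption, not anything the article specifies.

```python
"""Build a Server.conf cipher list from `openssl ciphers -V` output.

Added example; not part of the KB article or the Agent/Access Gateway product.
"""
import re

# Constructed sample of `openssl ciphers -V` output (step 1). Real input comes
# from '.../proxy-engine/SSL/openssl ciphers -V'.
SAMPLE_OPENSSL_CIPHERS_V = """\
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH   Au=ECDSA Enc=AESGCM(256) Mac=AEAD
          0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA   Enc=AES(256)    Mac=SHA384
          0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA   Enc=AESGCM(256) Mac=AEAD
          0x00,0x9D - AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(256) Mac=AEAD
          0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA   Enc=3DES(168)   Mac=SHA1
          0x00,0x05 - RC4-SHA                 SSLv3 Kx=RSA      Au=RSA   Enc=RC4(128)    Mac=SHA1
"""

# Partial OpenSSL-name -> IANA-name table (step 2). In practice this lookup is
# done at https://ciphersuite.info/cs/?software=openssl&singlepage=true ;
# only the sample suites above are covered here.
OPENSSL_TO_IANA = {
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "DHE-RSA-AES256-GCM-SHA384": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "AES256-GCM-SHA384": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "DES-CBC3-SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "RC4-SHA": "TLS_RSA_WITH_RC4_128_SHA",
}

# Assumed weak-cipher criteria: substrings of the Enc= field, and Mac= values,
# that disqualify a suite. Adjust to local policy.
WEAK_ENC = ("3DES", "DES(", "RC4", "RC2", "NULL", "EXP")
WEAK_MAC = ("MD5", "NULL")

# One line of `openssl ciphers -V`: hex id, name, protocol, Kx, Au, Enc, Mac.
LINE_RE = re.compile(
    r"^\s*(?P<hex>0x[0-9A-Fa-f]{2},0x[0-9A-Fa-f]{2})\s+-\s+(?P<name>\S+)\s+"
    r"(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_openssl_ciphers_v(text):
    """Return one dict per parsable suite line; unrecognised lines are ignored."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def is_weak(suite):
    """True if the suite's encryption or MAC algorithm is on the assumed weak list."""
    enc, mac = suite["enc"].upper(), suite["mac"].upper()
    return any(w in enc for w in WEAK_ENC) or mac in WEAK_MAC


def iana_to_serverconf(iana_name):
    """Step 3: 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' -> '+ECDHE_RSA_With_AES_256_GCM_SHA384'."""
    if not iana_name.startswith("TLS_") or "_WITH_" not in iana_name:
        raise ValueError(f"not an IANA TLS cipher suite name: {iana_name}")
    return "+" + iana_name[len("TLS_"):].replace("_WITH_", "_With_", 1)


def build_cipher_list(openssl_v_output, mapping=OPENSSL_TO_IANA):
    """Return (serverconf_names, skipped) where skipped lists (name, reason) pairs."""
    names, skipped = [], []
    for suite in parse_openssl_ciphers_v(openssl_v_output):
        if is_weak(suite):
            skipped.append((suite["name"], "weak"))
            continue
        iana = mapping.get(suite["name"])
        if iana is None:
            skipped.append((suite["name"], "no IANA mapping"))
            continue
        names.append(iana_to_serverconf(iana))
    return names, skipped


def server_conf_line(key, names):
    """Step 4: render a ciphers= / fipsciphers= line in the Server.conf format."""
    return f'{key}="{", ".join(names)}"'


if __name__ == "__main__":
    strong, dropped = build_cipher_list(SAMPLE_OPENSSL_CIPHERS_V)
    print(server_conf_line("ciphers", strong))
    print(server_conf_line("fipsciphers", strong))
    for name, reason in dropped:
        print(f"# skipped {name}: {reason}")
```

Suites the table does not know are reported as "no IANA mapping" rather than silently dropped, so a practitioner can see exactly which OpenSSL names still need a manual ciphersuite.info lookup before the line goes into Server.conf.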