
CA Directory "SSL Medium Strength Cipher Suites Supported (SWEET32)" & SSL Anonymous Cipher Suites Supported


Article ID: 222094


Products

CA Identity Suite, CA Identity Manager, CA Directory

Issue/Introduction

After running a vulnerability scan against the Identity Manager Virtual Appliance, the report returns "SSL Medium Strength Cipher Suites Supported (SWEET32)" and "SSL Anonymous Cipher Suites Supported" against port 10101.

Cause

The cipher suites and TLS protocol need to be updated.

Environment

Release : 14.X

Component : CA Directory

Component : CA IDENTITY MANAGER

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

The cipher suite will need to be updated to a more secure configuration.

To do this, navigate to and open:
\dxserver\config\servers\dsaname.dxi
Find the SSL declaration in that file:
source "../ssld/dsaname.dxc";

Navigate to the SSL declaration file (dsaname.dxc) it references and set the values below:

# SSL options
cipher = "ALL:!aNULL:!ADH:!eNULL:!DES:!LOW:!MEDIUM:!EXP:!RC4:!RSA:!EXPORT40:+HIGH:@STRENGTH" # default ciphers - syntax on OpenSSL website

protocol = TLSv12                # enable TLS only (default of fips set)


Run the commands below (the command names are lowercase on the appliance):
dxserver stop dsaname
dxsyntax          # checks the configuration for typos before the DSA is restarted
dxserver start dsaname
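The steps above are carried out by hand, one DSA at a time. The script below is an added example, not code from this article or from CA Directory: it applies the same two settings to the text of a .dxc file, preserves any trailing comments, reports what changed (a second run on an already-hardened file reports nothing), checks that the exclusions behind the two scanner findings are present in the cipher string, and, when an openssl binary is on PATH, expands the string with `openssl ciphers -v` so the remaining suites can be inspected before the DSA is restarted. The sample .dxc text, the helper names and the REQUIRED_EXCLUSIONS list are my own assumptions; writing the result back to the real dsaname.dxc and running dxsyntax remain the manual steps from the article.

```python
"""Apply the article's SSL settings to .dxc text and verify the cipher list.

Added example, not code from the KB article or from CA Directory itself.
Assumes the .dxc file carries `cipher = "..."` and `protocol = ...` lines in
the form the article shows; openssl on PATH is optional.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Tuple

# Target values, copied from the article's resolution section.
HARDENED_CIPHER = ("ALL:!aNULL:!ADH:!eNULL:!DES:!LOW:!MEDIUM:!EXP:!RC4:"
                   "!RSA:!EXPORT40:+HIGH:@STRENGTH")
HARDENED_PROTOCOL = "TLSv12"

# Assumed mapping to the two findings: aNULL/ADH/eNULL remove anonymous and
# null suites; MEDIUM/DES remove the 64-bit block (3DES) suites behind SWEET32
# (current OpenSSL builds class 3DES as MEDIUM).
REQUIRED_EXCLUSIONS = ("!aNULL", "!ADH", "!eNULL", "!MEDIUM", "!DES")

# Matches `cipher = "..."` or `protocol = value`, keeping any trailing comment.
_SETTING_RE = re.compile(
    r'^(?P<prefix>\s*(?P<name>cipher|protocol)\s*=\s*)'
    r'(?P<value>"[^"]*"|\S+)(?P<rest>.*)$'
)

# Constructed sample of a pre-hardening .dxc, not a real DSA configuration.
SAMPLE_DXC = """\
# SSL options
cipher = "ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:+HIGH:@STRENGTH"   # old default
protocol = TLSv1                # old setting
"""


def parse_ssl_settings(text: str) -> Dict[str, str]:
    """Return the cipher/protocol values (quotes stripped) found in .dxc text."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = _SETTING_RE.match(line)
        if m:
            found[m.group("name")] = m.group("value").strip('"')
    return found


def harden_dxc(text: str) -> Tuple[str, List[str]]:
    """Rewrite the cipher/protocol lines; return (new_text, list of changes).

    Trailing comments are kept and missing settings are appended, so the
    function is idempotent: a second run reports no changes.
    """
    wanted = {"cipher": f'"{HARDENED_CIPHER}"', "protocol": HARDENED_PROTOCOL}
    out: List[str] = []
    changes: List[str] = []
    seen = set()
    for line in text.splitlines():
        m = _SETTING_RE.match(line)
        if m:
            name = m.group("name")
            seen.add(name)
            if m.group("value") != wanted[name]:
                changes.append(f"{name}: {m.group('value')} -> {wanted[name]}")
                line = f"{m.group('prefix')}{wanted[name]}{m.group('rest')}"
        out.append(line)
    for name in ("cipher", "protocol"):
        if name not in seen:
            changes.append(f"{name}: (absent) -> {wanted[name]}")
            out.append(f"{name} = {wanted[name]}")
    return "\n".join(out) + "\n", changes


def missing_exclusions(cipher: str) -> List[str]:
    """Which of REQUIRED_EXCLUSIONS the cipher string lacks (empty means ok)."""
    tokens = set(cipher.split(":"))
    return [t for t in REQUIRED_EXCLUSIONS if t not in tokens]


def flag_weak_suites(suite_names: List[str]) -> List[str]:
    """Pick out 3DES and anonymous suites from an expanded OpenSSL suite list."""
    return [s for s in suite_names
            if "DES" in s or s.startswith(("ADH-", "AECDH-"))]


def expand_with_openssl(cipher: str) -> List[str]:
    """Expand a cipher string with the local openssl; [] if it is unavailable."""
    if shutil.which("openssl") is None:
        return []
    res = subprocess.run(["openssl", "ciphers", "-v", cipher],
                         capture_output=True, text=True)
    if res.returncode != 0:
        return []
    return [ln.split()[0] for ln in res.stdout.splitlines() if ln.strip()]


if __name__ == "__main__":
    before = parse_ssl_settings(SAMPLE_DXC)
    print("before:", missing_exclusions(before["cipher"]), before["protocol"])
    new_text, changes = harden_dxc(SAMPLE_DXC)
    for c in changes:
        print("changed", c)
    suites = expand_with_openssl(HARDENED_CIPHER)
    if suites:
        print(f"{len(suites)} suites enabled; weak: {flag_weak_suites(suites)}")
    else:
        print("openssl not found; skipped suite expansion")
```

On a host with openssl installed, the expansion step shows the concrete suite names the DSA will accept under the new string, and an empty result from flag_weak_suites is the quick local confirmation that neither 3DES nor anonymous suites survive; the external scan against port 10101 is still the authoritative check once the DSA is back up.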

Additional Information

On the vApp you will need to run

su dsa

to switch to the dsa user, which owns the DSA configuration, before you can edit files such as dsaname.dxc.