CA Directory "SSL Medium Strength Cipher Suites Supported (SWEET32)" & SSL Anonymous Cipher Suites Supported

book

Article ID: 222094

calendar_today

Updated On:

Products

CA Identity Suite CA Identity Manager CA Directory

Issue/Introduction

After running a vulnerability scan against Virtual Appliance (Identity Manager), the report is returning "SSL Medium Strength Cipher Suites Supported (SWEET32)" & "SSL Anonymous Cipher Suites Supported" against port 10101

Cause

The cipher suites and TLS protocol need to be updated.

Environment

Release : 14.X

Component : CA Directory

Component : CA IDENTITY MANAGER

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

The cipher suite will need to up updated to a more secure format.

To do this Navigate and open:
\dxserver\config\servers\dsaname.dxi
Find your SSL declaration:
source "../ssld/dsaname.dxc";

Navigate to this ssl declaration file and set the below values:

# SSL options
cipher = "ALL:!aNULL:!ADH:!eNULL:!DES:!LOW:!MEDIUM:!EXP:!RC4:!RSA:!EXPORT40:+HIGH:@STRENGTH" # default ciphers - syntax on OpenSSL website

protocol = TLSv12                # enable TLS only (default of fips set)


Run the below commands:
Dxserver stop DSAName
Dxsyntax (to ensure there are no typos)
Dxserver start DSAName