How to configure cipher suites for Protection Engine

Article ID: 226653

Products

Protection Engine for NAS
Protection Engine for Cloud Services

Issue/Introduction

You want to change the configuration to set the desired cipher suites for SSL/TLS communication between the Symantec Protection Engine (SPE) UI and the SPE server.

SPE supports this configuration; it is done using the category3.xml file.

Environment

Symantec Protection Engine (SPE)

Resolution

To configure for Windows:
1. Download the category3.xml from this KB article.
2. Navigate to Symantec Protection Engine installation directory (Default for 7.8 and up: C:\Program Files\Symantec\Scan Engine)
3. Open configuration.xml in a plain text editor (Notepad.exe)
4. Locate the following value on the first line: version="######"
5. Open the category3.xml in a plain text editor (Notepad.exe)
6. Modify the version value to match the version number listed inside configuration.xml
7. Change the "Ciphers" parameter value to the desired cipher list. Make sure the ciphers used are compatible with TLSv1.2.
8. Save changes to category3.xml
9. Copy category3.xml to Symantec Protection Engine installation directory (Default for 7.8 and up: C:\Program Files\Symantec\Scan Engine)
10. Restart Symantec Protection Engine service for the changes to take effect.


To configure for Linux:
1. At a shell prompt, obtain root credentials.
2. Download the category3.xml from this KB article.
3. Navigate to Symantec Protection Engine installation directory (Default: /opt/SYMCScan/bin )
4. Grep configuration.xml for version (cat configuration.xml | grep version)
5. Locate the following value: version="######"
6. Open the category3.xml in a plain text editor.
7. Modify the version value to match the version number listed inside configuration.xml
8. Change the "Ciphers" parameter value to the desired cipher list. Make sure the ciphers used are compatible with TLSv1.2.
9. Save changes to category3.xml
10. Copy category3.xml to Symantec Protection Engine installation directory (Default: /opt/SYMCScan/bin )
11. Restart Symantec Protection Engine daemon for the changes to take effect (/etc/init.d/symcscan restart)

Note: Rename the attached file to "category3.xml" after it is downloaded.

Note: In 8.2.2 the Ciphers are located in the configuration.xml file and not in the category3.xml file.

Additional Information

You can use the nmap utility to verify the offered ciphers before and after the changes are made.

Example for port 8004:

1. Before adding category3.xml

C:\>nmap --script ssl-enum-ciphers -p 8004 <SPE_IP>
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-14 07:12 Eastern Daylight Time
Nmap scan report for <SPE_FQDN> (<SPE_IP>)
Host is up (0.0010s latency).

PORT     STATE SERVICE
8004/tcp open  p2pevolvenet
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 2.76 seconds


2. After adding category3.xml

C:\>nmap --script ssl-enum-ciphers -p 8004 <SPE_IP>
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-14 07:20 Eastern Daylight Time
Nmap scan report for <SPE_FQDN> (<SPE_IP>)
Host is up (0.0010s latency).

PORT     STATE SERVICE
8004/tcp open  p2pevolvenet
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds
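
The before/after comparison above can be automated. The following Python script is an added example, not part of the original article or of the product's tooling: it parses saved ssl-enum-ciphers output and reports any cipher still offered that is not in the intended list. The INTENDED set and the embedded sample scans (constructed from the output shown above) are assumptions for illustration.

```python
import re

# Constructed sample input: the scan results shown in this article.
BEFORE = """\
8004/tcp open  p2pevolvenet
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
"""
AFTER = "\n".join(l for l in BEFORE.splitlines() if "TLS_RSA_WITH" not in l)

# Assumption: the cipher list you meant to allow, in the names nmap prints.
INTENDED = {"TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"}

PROTO = re.compile(r"^\|[ _]+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER = re.compile(r"^\|[ _]+((?:TLS|SSL)_\w+)(?:\s+\(.*\))?\s+-\s+([A-F])\s*$")

def parse_ciphers(nmap_text):
    """Return {protocol: {cipher: grade}} from ssl-enum-ciphers script output."""
    result, proto = {}, None
    for line in nmap_text.splitlines():
        if m := PROTO.match(line):
            proto = m.group(1)
            result[proto] = {}
        elif proto and (m := CIPHER.match(line)):
            result[proto][m.group(1)] = m.group(2)
    return result

def audit(nmap_text, intended):
    """Compare the ciphers the server offers with the intended list."""
    offered = parse_ciphers(nmap_text)
    names = {c for suites in offered.values() for c in suites}
    return {"unexpected": sorted(names - intended),   # offered but not intended
            "missing": sorted(intended - names),      # intended but not offered
            "protocols": sorted(offered)}             # protocol versions seen

if __name__ == "__main__":
    for label, scan in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(scan, INTENDED))
```

An empty "unexpected" list after the service restart confirms that the new Ciphers value took effect; a non-empty "missing" list points to a cipher name the server did not accept.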

Attachments

1634799133374__category3.xml