ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

How to configure cipher suites for Protection Engine

book

Article ID: 226653

calendar_today

Updated On:

Products

Protection Engine for NAS Protection Engine for Cloud Services

Issue/Introduction

You want to change the configuration to set desired cipher suites for SSL/TLS communication between Symantec Protection Engine (SPE) UI and SPE server. 

SPE does provides this configuration and can be done using category3.xml file.

Environment

Symantec Protection Engine (SPE)

Resolution

To configure for Windows:
1. Download the category3.xml from this KB article.
2. Navigate to Symantec Protection Engine installation directory (Default for 7.8 and up: C:\Program Files\Symantec\Scan Engine)
3. Open configuration.xml in a plain text editor (Notepad.exe)
4. Locate the following value on the first line:  "version="######"
5. Open the category3.xml in a plain text editor (Notepad.exe)
6. Modify the version value to match the version number listed inside configuration.xml
7. Change "Ciphers" parameter value with desired cipher list. Please make sure used ciphers are compatible with TLSv1.2
8. Save changes to category3.xml
9. Copy category3.xml to Symantec Protection Engine installation directory (Default for 7.8 and up: C:\Program Files\Symantec\Scan Engine)
10. Restart Symantec Protection Engine service for the changes to take effect.


To configure for Linux:
1. At a shell prompt, obtain root credentials.
2. Download the category3.xml from this KB article.
3. Navigate to Symantec Protection Engine installation directory (Default: /opt/SYMCScan/bin )
4. Grep configuration.xml for version (cat configuration.xml | grep version)
5. Locate the following value:  "version="######"
6. Open the category3.xml in a plain text editor.
7. Modify the version value to match the version number listed inside configuration.xml
8. Change "Ciphers" parameter value with desired cipher list. Please make sure used ciphers are compatible with TLSv1.2
9. Save changes to category3.xml
10. Copy category3.xml to Symantec Protection Engine installation directory (Default: /opt/SYMCScan/bin )
11. Restart Symantec Protection Engine daemon for the changes to take effect (/etc/init.d/symcscan restart)

Note: Rename the attached file to "category3.xml" after it is downloaded.

Additional Information

You can use nmap utility to verify ciphers before and after the changes are made:

Example as below for port 8004:

1. Before adding category3.xml

C:\>nmap --script ssl-enum-ciphers -p 8004 <SPE_IP>
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-14 07:12 Eastern Daylight Time
Nmap scan report for <SPE_FQDN> (<SPE_IP>)
Host is up (0.0010s latency).

PORT     STATE SERVICE
8004/tcp open  p2pevolvenet
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 2.76 seconds


2. After adding category3.xml

C:\>nmap --script ssl-enum-ciphers -p 8004 <SPE_IP>
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-14 07:20 Eastern Daylight Time
Nmap scan report for <SPE_FQDN> (<SPE_IP>)
Host is up (0.0010s latency).

PORT     STATE SERVICE
8004/tcp open  p2pevolvenet
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds

Attachments

1634799133374__category3.xml get_app