Configure EEM to use TLS1.2 with strong ciphersuite

Article ID: 227618

Products

CA Workload Automation AE

Issue/Introduction

This document describes the procedure for configuring EEM (ports 5250 and 509) to use TLS 1.2 with a strong list of ciphers.

Cause

The infrastructure security team flagged EEM because it still supported lower TLS protocol versions.

Environment

Release : 12.6 and higher

Component : CA Embedded Entitlements Manager

Resolution

----------
PORT 5250 (EEM)
----------

1. Navigate to the IGW_LOC directory
2. Edit the igateway.conf file
3. Look for the <secureProtocol/> tag
4. Make the following edit: <secureProtocol>TLSv1_2</secureProtocol>
5. Update the <cipherlist> value and save the file
6. Restart the iGateway service


Example from igateway.conf:

<secureProtocol>TLSv1_2</secureProtocol>
<cipherlist>-ALL:HIGH:MEDIUM:!RC4</cipherlist>

----------
PORT 509 (CA Directory)
----------

1. Navigate to the DXHOME/config/ssld directory
2. Edit the itechpoz.dxc file
3. Look for the protocol = tls parameter
4. Make the following edit: protocol = tlsv12
5. Update the cipher parameter and save the file
6. Restart the dxserver (itechpoz service)

Example from itechpoz.dxc:

#
# eiam repository
#
set ssl = {
    cert-dir = "config/ssld/personalities"
    ca-file = "config/ssld/itechpoz-trusted.pem"
    cipher = "ALL:!EXPORT40:!ADH:!EXP:!LOW:!RC4:!SSLv3:!SSLv2"
    protocol = tlsv12
};

Note: The cipher lists above are for example purposes only. Use an updated list of ciphers according to the infrastructure security team's recommendation.