This document describes how to configure EEM (ports 5250 and 509) to accept only TLS 1.2 with a strong cipher list.
Release : 12.6 and higher
Component : CA Embedded Entitlements Manager
The infrastructure security team flagged EEM because it still accepts older TLS protocol versions.
----------
PORT 5250 (EEM)
----------
1. Navigate to the IGW_LOC directory
2. Edit the igateway.conf file
3. Look for the <secureProtocol/> tag
4. Make the following edit: <secureProtocol>TLSv1_2</secureProtocol>
5. Update the <cipherlist> value and save the file
6. Restart the iGateway service
Example from igateway.conf:
<secureProtocol>TLSv1_2</secureProtocol>
<cipherlist>-ALL:HIGH:MEDIUM:!RC4</cipherlist>
----------
PORT 509 (CA Directory)
----------
1. Navigate to the DXHOME/config/ssld directory
2. Edit the itechpoz.dxc file
3. Look for the protocol = tls parameter
4. Make the following edit: protocol = tlsv12
5. Update the cipher value and save the file
6. Restart the dxserver (itechpoz service)
Example from itechpoz.dxc:
#
# eiam repository
#
set ssl = {
cert-dir = "config/ssld/personalities"
ca-file = "config/ssld/itechpoz-trusted.pem"
cipher = "ALL:!EXPORT40:!ADH:!EXP:!LOW:!RC4:!SSLv3:!SSLv2"
protocol = tlsv12
};
Note: The cipher lists shown above are examples only. Use the cipher list recommended by the infrastructure security team.
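As an added example (not part of this article and not a CA/Broadcom tool), the following POSIX shell script audits both files for the settings described in the two procedures above and, optionally, probes a running listener to confirm that TLS 1.1 is refused while TLS 1.2 is accepted. It assumes IGW_LOC and DXHOME are exported in the environment, as step 1 of each procedure implies; the sample configuration files it writes are constructed for a dry run, and the weak value TLSv1 in the sample is a placeholder, not a value taken from the product documentation.

```shell
#!/bin/sh
# Added example: audit EEM TLS settings in igateway.conf (port 5250) and
# itechpoz.dxc (port 509). Not part of the original article.

# Value of a simple XML tag, e.g. <secureProtocol>TLSv1_2</secureProtocol>
xml_tag_value() {
    # $1 = file, $2 = tag name
    sed -n "s/.*<$2>\([^<]*\)<\/$2>.*/\1/p" "$1" | head -n 1
}

# Value of a "key = value" line in a DXserver .dxc file, quotes stripped
dxc_value() {
    # $1 = file, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\";]*\)\"\{0,1\}.*/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Pass (0) when igateway.conf pins TLS 1.2 and its cipher list excludes RC4
check_igateway() {
    conf="$1"
    proto=$(xml_tag_value "$conf" secureProtocol)
    ciphers=$(xml_tag_value "$conf" cipherlist)
    [ "$proto" = "TLSv1_2" ] || { echo "FAIL $conf: secureProtocol is '$proto', expected TLSv1_2"; return 1; }
    case "$ciphers" in
        *'!RC4'*) ;;
        *) echo "FAIL $conf: cipherlist '$ciphers' does not exclude RC4"; return 1 ;;
    esac
    echo "PASS $conf: secureProtocol=$proto cipherlist=$ciphers"
}

# Pass (0) when itechpoz.dxc pins TLS 1.2 and its cipher string excludes RC4
check_itechpoz() {
    conf="$1"
    proto=$(dxc_value "$conf" protocol)
    ciphers=$(dxc_value "$conf" cipher)
    [ "$proto" = "tlsv12" ] || { echo "FAIL $conf: protocol is '$proto', expected tlsv12"; return 1; }
    case "$ciphers" in
        *'!RC4'*) ;;
        *) echo "FAIL $conf: cipher '$ciphers' does not exclude RC4"; return 1 ;;
    esac
    echo "PASS $conf: protocol=$proto cipher=$ciphers"
}

# Live check of a running listener (needs network; not used by the offline test).
# SECLEVEL=0 makes the client willing to offer TLS 1.1 even on OpenSSL builds
# that disable it by default, so a refusal comes from the server, not the client.
probe_tls() {
    host="$1"; port="$2"
    if echo | openssl s_client -connect "$host:$port" -tls1_1 -cipher 'DEFAULT:@SECLEVEL=0' >/dev/null 2>&1; then
        echo "FAIL $host:$port still accepts TLS 1.1"; return 1
    fi
    if echo | openssl s_client -connect "$host:$port" -tls1_2 >/dev/null 2>&1; then
        echo "PASS $host:$port accepts TLS 1.2 and refuses TLS 1.1"; return 0
    fi
    echo "FAIL $host:$port refused TLS 1.2 as well (service down or misconfigured)"; return 1
}

# Constructed sample files for a dry run of the checks
make_samples() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/igateway.conf" <<'EOF'
<secureProtocol>TLSv1_2</secureProtocol>
<cipherlist>-ALL:HIGH:MEDIUM:!RC4</cipherlist>
EOF
    # Placeholder weak configuration (constructed, not a documented value)
    cat > "$dir/igateway-weak.conf" <<'EOF'
<secureProtocol>TLSv1</secureProtocol>
<cipherlist>ALL</cipherlist>
EOF
    cat > "$dir/itechpoz.dxc" <<'EOF'
set ssl = {
cert-dir = "config/ssld/personalities"
ca-file = "config/ssld/itechpoz-trusted.pem"
cipher = "ALL:!EXPORT40:!ADH:!EXP:!LOW:!RC4:!SSLv3:!SSLv2"
protocol = tlsv12
};
EOF
}

# Stand-alone use: audit the real files when IGW_LOC / DXHOME are set
if [ -n "$IGW_LOC" ] && [ -f "$IGW_LOC/igateway.conf" ]; then
    check_igateway "$IGW_LOC/igateway.conf"
fi
if [ -n "$DXHOME" ] && [ -f "$DXHOME/config/ssld/itechpoz.dxc" ]; then
    check_itechpoz "$DXHOME/config/ssld/itechpoz.dxc"
fi
```

Run the script on the EEM host after restarting both services; it prints PASS or FAIL per file. To confirm the change on the wire rather than only in the files, call probe_tls with the host and port 5250, then again with port 509. The checks look for !RC4 because both example lists in this article exclude it; extend the case patterns with whatever else your security team's recommended list requires.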