
How to block weak protocols and ciphers in NFA?


Article ID: 228221


Products

CA Network Flow Analysis (NetQos / NFA)

Issue/Introduction

To completely block SSLv2, SSLv3, TLS 1.0, TLS 1.1 and/or any weak ciphers in NFA, apply the settings below.

Cause

A vulnerability scanner may flag that weak protocols or ciphers are allowed, which could be a security issue.

Resolution

For Java processes, block weak protocols or ciphers by searching for jdk.tls.disabledAlgorithms in the x:\CA\NFA\jre\lib\security\java.security file.

Add this line if it is not there already:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
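
To confirm the setting is actually in effect in a given java.security file, the following added example (not Broadcom's code) parses the file, including backslash-continued lines and commented-out copies of the property, and reports which entries from the line above are missing. The function names and the embedded sample are assumptions made for illustration; pass the path to your own java.security file as the first argument.

```python
import sys

# Entries from the jdk.tls.disabledAlgorithms line given in this article.
REQUIRED = ["SSLv3", "TLSv1", "TLSv1.1", "RC4", "DES", "MD5withRSA",
            "DH keySize < 1024", "EC keySize < 224", "3DES_EDE_CBC",
            "anon", "NULL", "include jdk.disabled.namedCurves"]

# Constructed sample (not a real NFA file): the active line lacks three entries.
SAMPLE = """\
#jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1
jdk.certpath.disabledAlgorithms=MD2, MD5
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, anon, NULL, \\
    include jdk.disabled.namedCurves
"""

def logical_lines(text):
    """Join backslash-continued lines; skip comment and blank lines."""
    buf = None  # None means "not inside a continued line"
    for raw in text.splitlines():
        line = raw.lstrip()
        if buf is None and (not line or line[0] in "#!"):
            continue
        # An odd number of trailing backslashes continues the line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            buf = (buf or "") + line[:-1]
            continue
        yield (buf or "") + line
        buf = None
    if buf is not None:
        yield buf

def norm(entry):
    """Collapse whitespace and case so spacing differences are not reported."""
    return " ".join(entry.split()).casefold()

def missing_entries(text, key="jdk.tls.disabledAlgorithms"):
    """Return REQUIRED entries absent from the effective (last) definition."""
    value = ""
    for line in logical_lines(text):
        name, sep, rest = line.partition("=")
        if sep and name.strip() == key:
            value = rest  # a later definition replaces an earlier one
    present = {norm(e) for e in value.split(",")}
    return [e for e in REQUIRED if norm(e) not in present]

if __name__ == "__main__":
    text = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    print("missing:", missing_entries(text) or "none")
```

An empty result means every entry from the article's line is present in the active definition; a commented-out copy of the property does not count.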

For Windows processes:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/network-flow-analysis/21-2/installing/initial-configuration/Enable-HTTPS-between-Console-and-Harvester/security-settings-for-protection-against-beast-and-weak-diffie-hellman-moduli.html