
Symantec Directory - Disable SSL RC4 Cipher Suites Supported by Management UI (Linux)


Article ID: 237520


Products

CA Directory

Issue/Introduction

A vulnerability scan may report that the Symantec Directory component listening on port 9443 (the port dedicated to the DXagent process) is using RC4 cipher suites, and you may be looking for a way to disable these cipher suites.

Environment

Release : 14.1

Component : CA Directory

Resolution

Currently we do not have a way to disable RC4 ciphers for DXagent/port 9443. Our engineering team is working internally to make this possible, but in the meantime, if you are not using the Directory Manager component, here are your options:

For Linux, there are two workarounds to disable DXagent service.

A) Rename the DXagent binary at location: $DXHOME/dxserver/bin
File name: dxagent

Outcome:
1. Once the file is renamed, the DXagent services will not run.
2. The DXagent service will remain disabled after a reboot as well.

B) Comment out the code in dxserver auto-start file at location: /etc/rc.d/init.d
File name: dxserver

Prerequisite: 
Stop DXagent services manually by executing ./stop_dxagent.sh from location $DXHOME/dxserver/dxagent

Steps to prevent the services from starting automatically upon an OS reboot:

Comment out the following code in the /etc/rc.d/init.d/dxserver file:

        # start dxagent if it exists
        if [ -x $DXHOME/bin/dxagent ]; then
            echo "Starting DXagent" | tee -a $DXLOG
            $SU - $DXUSER -c "cd ${DXHOME}/bin; ./dxagent start" >> $DXLOG 2>&1
        fi

Outcome:
1. We have verified that, once stopped manually (see Prerequisite), the services will not run.
2. We have verified that, once rebooted, the service will not start automatically. If required, it can be started manually with ./start_dxagent.sh from location $DXHOME/dxserver/dxagent.
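
The init-script edit from workaround B, written as a script. This is an added example, not vendor-supplied code: the function names are hypothetical, and it assumes the block runs from the `# start dxagent if it exists` comment to the first line containing only `fi`, as in the snippet above.

```shell
#!/bin/sh
# Added example, not vendor-supplied code. Function names are hypothetical.
# Assumption: the block to disable starts at the comment line
# "# start dxagent if it exists" and ends at the first line that is only "fi".

# Exit status 0 if an uncommented "./dxagent start" line is still present.
dxagent_autostart_enabled() {
    grep -Eq '^[^#]*\./dxagent start' "$1"
}

# Comment out the dxagent start block in the given init script.
# Keeps the original as FILE.bak; running it again changes nothing.
disable_dxagent_autostart() {
    init_file=$1
    [ -f "$init_file" ] || { echo "not found: $init_file" >&2; return 2; }
    tmp=$(mktemp) || return 3
    awk '
        /^[ \t]*# start dxagent if it exists/ { in_block = 1; found = 1; print; next }
        in_block {
            is_last = ($0 ~ /^#?[ \t]*fi[ \t]*$/)
            if ($0 ~ /^#/) print; else print "#" $0   # skip already-commented lines
            if (is_last) in_block = 0
            next
        }
        { print }
        END { exit(found ? 0 : 1) }
    ' "$init_file" > "$tmp" || {
        echo "dxagent start block not found in $init_file" >&2
        rm -f "$tmp"; return 1
    }
    if cmp -s "$tmp" "$init_file"; then        # block is already commented out
        rm -f "$tmp"; return 0
    fi
    # Back up, then overwrite in place so the file keeps its mode and owner.
    if cp -p "$init_file" "$init_file.bak" && cat "$tmp" > "$init_file"; then
        rc=0
    else
        rc=4
    fi
    rm -f "$tmp"
    return $rc
}
```

Call `disable_dxagent_autostart /etc/rc.d/init.d/dxserver` after stopping DXagent with ./stop_dxagent.sh; `dxagent_autostart_enabled` on the same file then returns non-zero.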

Conclusion:
1) These are simple workarounds and can be managed without deleting the services completely.
2) If the DXagent service is required later, it can be resumed easily without an upgrade or reinstall.