The affwebserv.log file has the following messages repeating:
[1234/5678][Fri Oct 21 2022 12:34:56.001][SSLConfigurationHelper][WARNING][sm-Srca-00028] Invalid SSL cipher TLS_ECDHE_ECDSA_With_AES_256_GCM_SHA384 configured in SSLCipherConfig.properties.
[1234/5678][Fri Oct 21 2022 12:34:56.001][SSLConfigurationHelper][WARNING][sm-Srca-00024] Configured cipher TLS_RSA_With_AES_256_CBC_SHA256 is unsafe and vulnerable to attack. Consider removing the cipher from SSLCipherConfig.properties and use only GCM mode ciphers.
Release : 12.8.06 Build 2824
The cipher string is case sensitive.
Following is the SSLCiphers value in "{SPS}/Tomcat/webapps/affwebservices/WEB-INF/classes/SSLCipherConfig.properties":
SSLCiphers=TLS_ECDHE_ECDSA_With_AES_256_GCM_SHA384:TLS_ECDHE_RSA_With_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_With_AES_128_GCM_SHA256:TLS_ECDHE_RSA_With_AES_128_GCM_SHA256:TLS_DHE_RSA_With_AES_256_GCM_SHA384:TLS_DHE_DSS_With_AES_256_GCM_SHA384:TLS_RSA_With_AES_256_GCM_SHA384:TLS_DHE_RSA_With_AES_128_GCM_SHA256:TLS_DHE_DSS_With_AES_128_GCM_SHA256:TLS_RSA_With_AES_128_GCM_SHA256:TLS_RSA_With_AES_256_CBC_SHA256:TLS_RSA_With_AES_128_CBC_SHA256:TLS_RSA_With_AES_256_CBC_SHA:TLS_RSA_With_AES_128_CBC_SHA
If you look at the cipher string, each name contains "With" in mixed case, which is not correct; the cipher names must be in upper case ("WITH").
Please perform the following.
0. Back up "{SPS}/Tomcat/webapps/affwebservices/WEB-INF/classes/SSLCipherConfig.properties".
1. Stop both the "CA Access Gateway Engine" and "CA Access Gateway Proxy" services.
2. Update "{SPS}/Tomcat/webapps/affwebservices/WEB-INF/classes/SSLCipherConfig.properties".
3. Start both the "CA Access Gateway Engine" and "CA Access Gateway Proxy" services.
Following is a sample of one cipher that needs to be updated.
Perform this for all 10 ciphers that were reported to be invalid.
Change the entry in SSLCiphers from
"TLS_ECDHE_ECDSA_With_AES_256_GCM_SHA384"
to
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384".
Once the names are corrected, the 4 weak (CBC mode) ciphers can also be removed from SSLCiphers:
TLS_RSA_With_AES_256_CBC_SHA256:TLS_RSA_With_AES_128_CBC_SHA256:TLS_RSA_With_AES_256_CBC_SHA:TLS_RSA_With_AES_128_CBC_SHA
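The following script is an added example, not part of the original article or of the Access Gateway product. It automates the checks the article describes for the SSLCiphers line: it backs the file up (step 0), upper-cases every cipher name so that "With" becomes "WITH" (the sm-Srca-00028 condition), and drops the CBC-mode ciphers the product flags as unsafe (the sm-Srca-00024 condition). The sample properties text and the temporary file path are constructed for the example; the "{SPS}" placeholder is the one used in the article and must be replaced with the real Access Gateway install directory.

```python
"""
Added example: check and correct the SSLCiphers line in
SSLCipherConfig.properties (not the product's own tooling).
"""
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample modelled on the article's SSLCiphers line (note "With").
SAMPLE_PROPERTIES = (
    "# SSL cipher configuration used when Access Gateway acts as a web client\n"
    "SSLCiphers=TLS_ECDHE_ECDSA_With_AES_256_GCM_SHA384:"
    "TLS_RSA_With_AES_256_GCM_SHA384:"
    "TLS_RSA_With_AES_256_CBC_SHA256:"
    "TLS_RSA_With_AES_128_CBC_SHA\n"
)

# The article's warning sm-Srca-00024 flags CBC-mode ciphers; keep only GCM.
WEAK_MODE_MARKER = "_CBC_"


def normalize_cipher(name: str) -> str:
    """Cipher names are case sensitive: canonical form is all upper case."""
    return name.strip().upper()


def analyse_ciphers(cipher_string: str):
    """Split a colon-separated SSLCiphers value and classify each entry.

    Returns (keep, wrong_case, weak):
      keep       - normalised names to write back (weak ones removed)
      wrong_case - kept names that were not in canonical upper case
      weak       - names dropped because they use CBC mode
    """
    keep, wrong_case, weak = [], [], []
    for raw in filter(None, (p.strip() for p in cipher_string.split(":"))):
        canonical = normalize_cipher(raw)
        if WEAK_MODE_MARKER in canonical:
            weak.append(raw)          # removed regardless of its case
            continue
        if raw != canonical:
            wrong_case.append(raw)    # e.g. "..._With_..." -> "..._WITH_..."
        keep.append(canonical)
    return keep, wrong_case, weak


def fix_properties_text(text: str):
    """Rewrite only the SSLCiphers= line; every other line is left untouched."""
    out, wrong_case, weak = [], [], []
    for line in text.splitlines():
        m = re.match(r"^(\s*SSLCiphers\s*=\s*)(.*)$", line)
        if m:
            keep, wc, wk = analyse_ciphers(m.group(2))
            wrong_case.extend(wc)
            weak.extend(wk)
            line = m.group(1) + ":".join(keep)
        out.append(line)
    fixed = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return fixed, wrong_case, weak


def fix_properties_file(path) -> tuple:
    """Step 0 of the article: back the file up, then write the corrected copy."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    fixed, wrong_case, weak = fix_properties_text(path.read_text())
    path.write_text(fixed)
    return wrong_case, weak


if __name__ == "__main__":
    # Run against a throw-away copy of the constructed sample. In a real
    # deployment the path would be
    # {SPS}/Tomcat/webapps/affwebservices/WEB-INF/classes/SSLCipherConfig.properties
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "SSLCipherConfig.properties"
        cfg.write_text(SAMPLE_PROPERTIES)
        renamed, removed = fix_properties_file(cfg)
        print("renamed (wrong case):", renamed)
        print("removed (CBC mode):  ", removed)
        print(cfg.read_text())
```

Run it once with the services stopped (steps 1 to 3 of the article), then review the .bak file against the rewritten one before restarting; a second run on the corrected file reports nothing to rename or remove, which is a quick way to confirm the line is now clean.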
The "{SPS}/Tomcat/webapps/affwebservices/WEB-INF/classes/SSLCipherConfig.properties" file is used when the Access Gateway acts as a web client.
For example, when SPS contacts VIP AuthHub, an SSL handshake needs to be performed, and that is where this WARNING is logged.