Configuring upgraded Data Center Security 6.9.0+ systems for higher security encryption

Article ID: 256488

Products

Data Center Security Server Advanced

Issue/Introduction

You have a Data Center Security manager that was upgraded from 6.8.2 or earlier and is still configured for weaker encryption than the manager and agents are capable of supporting.

Environment

Managers that had earlier versions of the Data Center Security or Critical System Protection manager installed

Cause

Earlier versions of Data Center Security and Critical System Protection managers were configured by default to use encryption ciphers that have since been superseded by stronger options. Upgrading a Data Center Security manager does not alter these settings, so they must be changed manually if you wish to use the stronger ciphers in your environment.

Common legacy ciphers include TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA. To see the specific ciphers configured on your manager, search the (install directory)\tomcat\conf\server.xml file for:

ciphers="

Resolution

Make a backup copy of the DCS 6.9.0+ (install directory)\tomcat\conf\server.xml file, then update every occurrence of the ciphers setting in it to the following:

ciphers="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

Save the file and restart the Data Center Security Manager service.
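To confirm that every occurrence was updated, the check below lists each element in server.xml that carries a ciphers attribute and reports any suite outside the list above. It is an added example, not Broadcom tooling: the function name audit_ciphers, the sample XML and its port numbers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Target list, copied verbatim from the ciphers value given in this article.
RECOMMENDED = [s.strip() for s in """
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
""".split(",")]


def audit_ciphers(server_xml):
    """Return one finding per element that has a ciphers attribute (hypothetical helper)."""
    findings = []
    for elem in ET.fromstring(server_xml).iter():
        value = elem.get("ciphers")
        if value is None:
            continue  # element does not set ciphers, nothing to compare
        configured = [s.strip() for s in value.split(",") if s.strip()]
        findings.append({
            "element": elem.tag,
            "port": elem.get("port"),
            # Suites still configured that are not in the article's list.
            "not_recommended": [s for s in configured if s not in RECOMMENDED],
            # Suites from the article's list that are not configured yet.
            "missing": [s for s in RECOMMENDED if s not in configured],
        })
    return findings


# Constructed sample, not a real DCS server.xml: one connector without ciphers,
# one still on the legacy suites named above, one already updated.
SAMPLE = f"""<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" SSLEnabled="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA"/>
    <Connector port="9443" SSLEnabled="true" ciphers="{', '.join(RECOMMENDED)}"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for f in audit_ciphers(SAMPLE):
        state = "UPDATE" if f["not_recommended"] or f["missing"] else "OK"
        print(state, f["element"], f["port"], f["not_recommended"])
```

To check a real manager, pass the contents of (install directory)\tomcat\conf\server.xml to audit_ciphers instead of SAMPLE.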