What SSL/TLS protocols or ciphers are supported in DX NetOps Performance Management?
What SSL/TLS protocols or ciphers are supported in the DX NetOps Portal web server when HTTPS is configured?
What SSL/TLS protocols or ciphers are supported in the DX NetOps Data Aggregator server when HTTPS is configured?
What SSL/TLS protocols or ciphers are supported in the DX NetOps Data Collector server when HTTPS is configured?
Security scan error "Change the SSL/TLS server configuration to only allow strong key exchanges"
When a TLS client (such as a browser or a .NET application) tries to connect to a TLS server (such as IBM Liberty), they negotiate a mutually available cipher suite to use. The client offers a list of its available cipher suites, the server responds with its list of available cipher suites, and they select the most secure, mutually available suite.
One family of encryption cipher suites used in TLS uses Diffie-Hellman key exchange.
Cipher suites using Diffie-Hellman key exchange are vulnerable to attacks, such as Logjam, when the key length is less than 2,048 bits. For example, see this discussion in Communications of the ACM: "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice".
For maximum security, it might be considered desirable to disable these cipher suites, so there is no chance they will be selected in Production.
All supported DX NetOps Performance Management releases
After enabling SSL on the systems by following the steps in the Secure DX NetOps documentation, you can edit the supported protocols and ciphers to suit your environment's requirements.
Note that these changes aren't preserved through upgrades. They may need to be implemented again after an upgrade.
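To decide which suites to disable, and to re-check after an upgrade, the scan result can be filtered for Diffie-Hellman suites below the 2,048-bit threshold described above. The following is an added example, not part of the product or its documentation; it assumes scan output in the style of nmap's `ssl-enum-ciphers` script, and the sample text and function names are constructed for illustration.

```python
import re

MIN_DH_BITS = 2048  # threshold stated in the article

# Constructed sample in the style of nmap's ssl-enum-ciphers output.
SAMPLE_SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
"""

PROTO_RE = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):\s*$")
# Only finite-field DH is reported as "(dh <bits>)"; ECDHE and RSA lines
# carry a curve name or "rsa <bits>" and are deliberately not matched.
SUITE_RE = re.compile(r"^\|\s+(TLS_\S+)\s+\(dh (\d+)\)")

def weak_dh_suites(scan_text, min_bits=MIN_DH_BITS):
    """Return (protocol, suite, dh_bits) for each DH suite below min_bits."""
    findings, protocol = [], None
    for line in scan_text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            protocol = m.group(1)  # remember which protocol block we are in
            continue
        m = SUITE_RE.match(line)
        if m and int(m.group(2)) < min_bits:
            findings.append((protocol, m.group(1), int(m.group(2))))
    return findings

def suites_to_disable(scan_text, min_bits=MIN_DH_BITS):
    """Deduplicated, sorted suite names to remove from the server's cipher list."""
    return sorted({name for _, name, _ in weak_dh_suites(scan_text, min_bits)})

if __name__ == "__main__":
    for proto, suite, bits in weak_dh_suites(SAMPLE_SCAN):
        print(f"{proto}: {suite} uses a {bits}-bit DH group")
    print("Disable:", ", ".join(suites_to_disable(SAMPLE_SCAN)))
```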