CA Identity Suite, disable Insecure Ciphers on Port 20390

Article ID: 274324

Products

CA Identity Suite

Issue/Introduction

The vApp is installed with the following insecure ciphers:

20390 Diffie-Hellman group smaller than 2048 bits *

      The following SSL/TLS cipher suites use Diffie-Hellman with a prime modulus smaller than 2048 bits:

    * TLS 1.2 ciphers:
       * TLS_DHE_RSA_WITH_AES_128_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits
       * TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 with a Diffie-Hellman prime modulus of 1024 bits
       * TLS_DHE_RSA_WITH_AES_256_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits
       * TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 with a Diffie-Hellman prime modulus of 1024 bits
       * TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits
       * TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA with a Diffie-Hellman prime modulus of 1024 bits
       * TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 with a Diffie-Hellman prime modulus of 1024 bits
       * TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 with a Diffie-Hellman prime modulus of 1024 bits

The insecure ciphers are shown in the output of the following command:

nmap -sV -p 20390 --script ssl-enum-ciphers <IP address>

The documents below are applicable:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/virtual-appliance/configuring-virtual-appliance.html


https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/reference/advanced-configuration-options/domain-configuration/tls-configuration.html

However, they do not fully explain how to disable the above ciphers.

Environment

Release : 14.4

Resolution

1. The following format should work for IMPS listening on port 20390:

Append the following string to the value of "TLSCipherSuite" in im_ps.conf:
":-DHE-RSA-AES128-SHA:-DHE-RSA-AES128-SHA256:-DHE-RSA-AES128-GCM-SHA256:-DHE-RSA-AES256-GCM-SHA384:-DHE-RSA-AES256-SHA:-DHE-RSA-AES256-SHA256:-DHE-RSA-CAMELLIA128-SHA:-DHE-RSA-CAMELLIA256-SHA"

Alternatively, append ":!DHE" to disable all DHE cipher suites.

Restart the service for the changes to take effect.

2. A separate option is available if you want to change the JCS as well:

Open the java.security or java.conf file and add the following line to it:

- for Standalone Server: open ConnectorServer/jvm/lib/security/java.security

- for vApp: open /opt/CA/VirtualAppliance/custom/java.conf

jdk.tls.disabledAlgorithms= TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL

Add the following line to /opt/CA/IdentityManager/ConnectorServer/data/jvm_options.conf:

-Djava.security.properties=<path to the java.conf or java.security>

For example: -server -Xms128M -Xmx1024M -Djava.awt.headless=true -Dcom.sun.management.jmxremote -Djavax.net.debug=all -Djava.security.properties=/opt/CA/VirtualAppliance/custom/java.conf

Restart the JCS service for the changes to take effect.

3. Always keep the latest cumulative patch installed:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/release-notes/Virtual-Appliance-Release-Notes/Latest-Operating-System-Security-Cumulative-Patch.html