Identity Manager Provisioning Directory: how to disable TLS cipher suites that use Diffie-Hellman prime modulus smaller than 2048 bits

Article ID: 275436

Products

CA Identity Manager, CA Directory

Issue/Introduction

Provisioning Directory in our Identity Manager installation is using TLSv1.2 with cipher suites, some of which use Diffie-Hellman prime modulus smaller than 2048 bits:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

How can we disable the above cipher suites in Provisioning Directory?

Another customer reported that their vulnerability scanning tool reported the following:

Ciphers that are reported as vulnerable: (key sizes less than 2048)

PROTOCOL  CIPHER NAME                  GROUP  KEY-SIZE  FORWARD-SECRET  CLASSICAL-STRENGTH  QUANTUM-STRENGTH
TLSv1.2   DHE-RSA-AES256-GCM-SHA384    DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-AES128-GCM-SHA256    DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-AES256-SHA256        DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-CAMELLIA256-SHA      DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-AES128-SHA256        DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-CAMELLIA128-SHA      DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-AES256-SHA           DHE    1024      yes             80                  low
TLSv1.2   DHE-RSA-AES128-SHA           DHE    1024      yes             80                  low

Environment

Release 14.1
Component: CA Directory

Resolution

In order to disable Diffie-Hellman cipher suites in IM Provisioning Directory (IMPD), you need to modify the impd.dxc file located under:

/opt/CA/Directory/dxserver/config/ssld/ for a vApp or standalone installation on Linux (default location)

C:\Program Files\CA\Directory\dxserver\config\ssld for a standalone installation on Windows (default location)

Out of the box, this file contains the line:

cipher = "HIGH:!SSLv2:!EXP:!aNULL:!eNULL"

You can disable all DHE cipher suites by modifying the above line like this:

cipher = "HIGH:!SSLv2:!EXP:!aNULL:!eNULL:!DHE"

Alternatively, you can disable only specific cipher suites by listing each of them, like this:

cipher = "HIGH:!SSLv2:!EXP:!aNULL:!eNULL:!DHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-CAMELLIA128-SHA:!DHE-RSA-CAMELLIA256-SHA"

To modify this file on the vApp, log on to the vApp shell as the config user and then switch to the dsa user:
su - dsa
You can then use the vi editor to modify the file.

On Linux, simply log on as the dsa user.

On Windows, use the Administrator user.

You need to restart all IMPD data DSAs and the router DSA in order for the change to take effect.

IMPD DSAs:

<hostname>-impd-main (port 20394)
<hostname>-impd-co (port 20396)
<hostname>-impd-inc (port 20398)
<hostname>-impd-notify (port 20404)
<hostname>-imps-router (port 20391)

Additional Information

Essentially, adding !DHE to your current cipher setting disables support for the whole DHE group.