Disabling weak/old ciphers on Port 9543, 443, 6514 and 1514 in Aria Operations for Logs



Article ID: 325745


Products

VMware Aria Suite

Issue/Introduction

This article explains the steps required to disable weak ciphers in Aria Operations for Logs.

Environment

Aria Operations for Logs 8.x

Resolution

  1. Before following the steps below, take a snapshot of each node in the cluster as described in "How to take a Snapshot of VMware Aria Operations for Logs".
  2. SSH to the primary node of the Aria Operations for Logs cluster.
  3. Change to the following directory:

    cd /usr/java/jre-vmware/conf/security

  4. Take a backup of the file java.security:

    cp java.security java.security.bk

  5. Open /usr/java/jre-vmware/conf/security/java.security in a text editor
  6. Append a jdk.tls.disabledAlgorithms entry at the end of the file listing the protocols, algorithms and cipher suites you want to disable, in the format below:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
        RSA keySize < 512, DESede, \
        TLS_RSA_WITH_AES_256_CBC_SHA, \
        TLS_RSA_WITH_AES_256_CBC_SHA256, \
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \
        TLS_RSA_WITH_AES_128_CBC_SHA, \
        TLS_RSA_WITH_AES_128_CBC_SHA256, \
        include jdk.disabled.namedCurves

    For example, the same entry with the TLS_DHE_RSA AES CBC suites added to the list looks like this:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
        RSA keySize < 512, DESede, \
        TLS_RSA_WITH_AES_256_CBC_SHA, \
        TLS_RSA_WITH_AES_256_CBC_SHA256, \
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \
        TLS_RSA_WITH_AES_128_CBC_SHA, \
        TLS_RSA_WITH_AES_128_CBC_SHA256, \
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \
        include jdk.disabled.namedCurves

  7. Save the file.
  8. Restart the loginsight service with the following command:

    systemctl restart loginsight

  9. If this is a cluster, repeat the process on each remaining node individually.

Additional Information

To check whether a specific cipher is disabled on the Aria Operations for Logs appliance, run the following command on each node and review the output:

openssl s_client -connect localhost:<Port> -ciphersuites <Cipher>

Make sure to replace <Port> and <Cipher> with the appropriate values.

For example:

openssl s_client -connect localhost:1514 -ciphersuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
openssl s_client -connect localhost:1514 -ciphersuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

If the cipher is disabled, you will observe a response similar to the following:

CONNECTED(00000003)
C0312BF4367F0000:error:0A0000B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available:ssl/statem/statem_clnt.c:3746:No ciphers enabled for max supported SSL/TLS version
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

If the cipher is still enabled, the response will instead show the server certificate exchange.
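The check above is most reliable when the client offers exactly one TLS 1.2 suite under the name OpenSSL uses for it (openssl s_client selects TLS 1.2 suites with -cipher, while -ciphersuites governs the TLS 1.3 suites), so here is an added Python example, not part of this article or the product, that maps the Java suite names from step 6 to OpenSSL names, approximates which suites a jdk.tls.disabledAlgorithms list covers, and attempts a single-suite handshake against a host and port. The DISABLED list is a constructed subset of the step 6 entries, and the host, port and suite passed to probe_suite are whatever you want to verify.

```python
import re
import socket
import ssl

# Constructed entries, matching the jdk.tls.disabledAlgorithms line in step 6.
DISABLED = ["SSLv3", "TLSv1", "TLSv1.1", "RC4", "DES", "MD5withRSA",
            "DH keySize < 1024", "EC keySize < 224", "3DES_EDE_CBC", "anon", "NULL",
            "RSA keySize < 512", "DESede", "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "include jdk.disabled.namedCurves"]
ALIASES = {"DESede": "3DES_EDE_CBC"}   # JCE algorithm name -> token inside suite names

def suite_disabled(suite, entries=DISABLED):
    """Approximates Java's matching: disabled if an entry names the suite exactly or
    names one of its components (RC4, DES, NULL, anon, 3DES_EDE_CBC)."""
    padded = f"_{suite}_"
    for entry in entries:
        if "keySize" in entry or entry.startswith("include "):
            continue   # key-size limits and 'include' are not suite-level rules
        if entry == suite or f"_{ALIASES.get(entry, entry)}_" in padded:
            return True
    return False

def openssl_name(suite):
    """IANA/Java suite name -> OpenSSL name for RSA/ECDHE/DHE AES suites, since
    openssl s_client -cipher (TLS 1.2) does not accept the Java spelling."""
    m = re.fullmatch(r"TLS_(RSA|ECDHE_RSA|DHE_RSA)_WITH_AES_(128|256)_(CBC|GCM)_(SHA\d*)", suite)
    if not m:
        raise ValueError(f"no OpenSSL mapping for {suite}")
    kx, bits, mode, mac = m.groups()
    parts = [] if kx == "RSA" else [kx.replace("_", "-")]   # static RSA has no prefix
    parts += [f"AES{bits}"] + (["GCM"] if mode == "GCM" else []) + [mac]
    return "-".join(parts)

def probe_suite(host, port, suite, timeout=5):
    """Offer only `suite` in a TLS 1.2 handshake; return the negotiated cipher name,
    or None when the server refuses it (the suite is disabled on that port)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # checking the cipher, not the identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # these names are TLS 1.2 suites
    ctx.set_ciphers(openssl_name(suite))
    try:
        with socket.create_connection((host, port), timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None
```

Run probe_suite("localhost", 1514, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA") on each node after the restart; a None result for every suite you disabled, and a cipher name for one you left enabled, confirms the java.security change took effect on that port.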