Disabling weak/old ciphers on Port 9543, 443, 6514 and 1514 in Aria Operations for Logs

Article ID: 325745

Updated On: 04-24-2025

Products

VMware Aria Suite

Issue/Introduction

This article explains the steps required to disable weak ciphers in Aria Operations for Logs.

Environment

Aria Operations for Logs 8.x

Resolution

  1. Before following the steps below, take a snapshot of each node in the cluster, as described in "How to take a Snapshot of VMware Aria Operations for Logs".
  2. SSH to the primary node of the Aria Logs cluster
  3. Change to the following directory:

    cd /usr/java/jre-vmware/conf/security

  4. Take a backup of the file java.security

    cp java.security java.security.bk

  5. Open /usr/java/jre-vmware/conf/security/java.security in a text editor
  6. At the end of the file, list the ciphers you want to disable in the following format:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
        RSA keySize < 512, DESede, \
        TLS_RSA_WITH_AES_256_CBC_SHA, \
        TLS_RSA_WITH_AES_256_CBC_SHA256, \
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \
        TLS_RSA_WITH_AES_128_CBC_SHA, \
        TLS_RSA_WITH_AES_128_CBC_SHA256, \
        include jdk.disabled.namedCurves

    For example, further ciphers can be added to the list as shown below:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
        RSA keySize < 512, DESede, \
        TLS_RSA_WITH_AES_256_CBC_SHA, \
        TLS_RSA_WITH_AES_256_CBC_SHA256, \
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \
        TLS_RSA_WITH_AES_128_CBC_SHA, \
        TLS_RSA_WITH_AES_128_CBC_SHA256, \
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \
        include jdk.disabled.namedCurves

  7. Save the file.
  8. Restart the loginsight service with the following command:

    systemctl restart loginsight

  9. If this is a cluster, repeat the process for each node individually.
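
A check for step 6, added here as an example and not part of the original article: it prints the `jdk.tls.disabledAlgorithms` list that is actually in effect and names any entry you expected to be disabled but is not, which catches a dropped trailing backslash. It assumes java.security follows Java properties-file rules (the last definition of a key wins); the function names and the sample file are constructed for illustration.

```shell
# Added example, not from the KB article. Assumption: java.security follows
# java.util.Properties rules, so the last definition of a key is the effective one.

# Print the effective jdk.tls.disabledAlgorithms entries of file $1, one per line.
effective_disabled() {
  awk '
    function commit() {
      if (match(logical, /^jdk\.tls\.disabledAlgorithms[ \t]*[=:]/))
        value = substr(logical, RLENGTH + 1)   # later definition replaces earlier
      logical = ""; cont = 0
    }
    {
      if (!cont && $0 ~ /^[ \t]*[#!]/) next     # comment line
      sub(/^[ \t]+/, "")                        # indentation is not part of the value
      if ($0 ~ /\\$/) { sub(/\\$/, ""); logical = logical $0; cont = 1; next }
      logical = logical $0
      commit()                                  # no trailing backslash: property ends here
    }
    END {
      if (cont) commit()
      n = split(value, parts, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
        if (parts[i] != "") print parts[i]
      }
    }
  ' "$1"
}

# Print each name in $2.. that is NOT in the effective list; return 1 if any is missing.
missing_from_disabled() {
  file=$1; shift
  list=$(effective_disabled "$file")
  rc=0
  for name in "$@"; do
    printf '%s\n' "$list" | grep -qxF -- "$name" || { printf '%s\n' "$name"; rc=1; }
  done
  return "$rc"
}

# Constructed sample: an earlier default definition, then the block appended at the end.
sample=$(mktemp)
cat > "$sample" <<'EOF'
jdk.tls.disabledAlgorithms=SSLv3, RC4, \
    include jdk.disabled.namedCurves
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, \
    TLS_RSA_WITH_AES_128_CBC_SHA, \
    include jdk.disabled.namedCurves
EOF
missing_from_disabled "$sample" TLSv1 RC4 || true   # prints RC4: only the last list counts
```

On a node, point `missing_from_disabled` at `/usr/java/jre-vmware/conf/security/java.security` and pass the cipher names you added in step 6; no output means every one of them is in the effective list.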