Smarts Web Console: Disabling Weak SSL Certificates or Ciphers in Tomcat 6; How to restrict use of weak SSL ciphers in Smarts web console
Article ID: 332117
Products
VMware Smart Assurance
Issue/Introduction
Symptoms:
This article provides the steps to disable weak SSL cipher suites for the sm_tomcat service used by the Smarts Web Console.
McAfee MVM 7.5 reports that port 8080 (the default port for the Smarts Web Console) allows weak SSL certificates or ciphers. The finding is about the cipher suites the Tomcat HTTPS connector is willing to negotiate, which is what the steps below restrict.
Environment
VMware Smart Assurance - SMARTS
Cause
Tomcat versions 5.5 and 6 allow weak ciphers by default: when the HTTPS Connector has no ciphers attribute, the connector accepts whatever cipher suites the JVM's JSSE implementation enables by default. The following suites are considered weak (less than 128-bit encryption: single DES is 56-bit and the EXPORT suites are 40-bit):
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Resolution
These are the steps to resolve the issue.
- Find the server.xml file in <Basedir>/CONSOLE/smarts/tomcat/conf.
- Create a backup of the server.xml file.
- Add the ciphers attribute below to the existing HTTPS <Connector> element for the port the console is using (8080 by default). The attribute is an allow-list: only the suites named in it can be negotiated, so every suite listed under Cause is excluded without having to name it.
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
Example (the end of the Connector element after the change; attributes that are not shown, such as port and protocol, are left as they are):
acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="SSL"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
keystoreFile="MyKeyFile.key" keystorePass="Poodle"
truststoreFile="MyTrustStore.truststore" truststorePass="MyPass"/>
- Restart the sm_tomcat service; the new security settings take effect when the service comes back up.
Two caveats for current deployments. First, the allow-list above is what the scanner in this article accepted at the time; RC4 (prohibited for TLS by RFC 7465) and 3DES (SWEET32) are now reported as weak by most scanners, so on a JVM that supports them prefer keeping only the TLS_*_AES_128_* suites. Second, the ciphers attribute restricts suites only, not protocol versions: sslProtocol="SSL" leaves the enabled versions to the JVM, and Tomcat 6 builds that support the sslEnabledProtocols attribute can set it to the TLS versions the JVM provides. After the restart, confirm the result from another host with openssl s_client -connect <host>:8080 -cipher DES-CBC-SHA, which must fail to complete the handshake once the allow-list is in place.
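The procedure above is a manual edit of one attribute, and the mistake that usually survives it is an HTTPS Connector that still has no ciphers attribute at all (so JSSE defaults apply) or a list that was pasted with a weak suite left in. The following script is an added example, not code from the KB article or from the Smarts product: it audits every HTTPS Connector in a server.xml for weak suites using the article's criterion (single DES and EXPORT suites, extended to NULL and anonymous suites), and rewrites the file text so each HTTPS Connector carries the article's allow-list. The server.xml excerpt it runs on is constructed for the demo; the port, keystore names and passwords are the placeholders from the article's example.

```python
"""Audit and harden the HTTPS <Connector> in a Tomcat 6 server.xml.

Added example, not code from the KB article or from the Smarts product.
SAMPLE_SERVER_XML is constructed for the demo; the port, keystore names and
passwords are placeholders taken from the article's example.
"""
import re
from typing import Dict, List

# The suites the article names as weak (<128-bit): single DES and 40-bit export.
ARTICLE_WEAK_CIPHERS = [
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
]

# The allow-list the article puts in the ciphers attribute (128-bit RC4/AES, 3DES).
ARTICLE_ALLOWED_CIPHERS = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
]

CONNECTOR_RE = re.compile(r"<Connector\b[^>]*>")      # one tag, may span lines
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')       # name="value" pairs
CIPHERS_ATTR_RE = re.compile(r'ciphers\s*=\s*"[^"]*"')


def is_weak(suite: str) -> bool:
    """Weak by the article's criterion (below 128 bits), plus NULL/anon suites,
    which the article does not list but no scanner accepts either."""
    s = suite.strip().upper()
    return (
        "EXPORT" in s        # 40-bit export suites
        or "_DES_" in s      # single DES (56-bit); 3DES appears as "_3DES_EDE_"
        or "RC2" in s        # 40-bit RC2
        or "NULL" in s       # no encryption
        or "ANON" in s       # no server authentication
    )


def parse_connectors(server_xml: str) -> List[Dict[str, str]]:
    """Attribute dict for every <Connector> tag, in file order."""
    return [dict(ATTR_RE.findall(m.group(0))) for m in CONNECTOR_RE.finditer(server_xml)]


def audit(server_xml: str) -> Dict[str, List[str]]:
    """Map each HTTPS connector port to the weak suites it allows.

    A connector with no ciphers attribute accepts the JVM's default suite list,
    which on the JVMs Tomcat 6 ran on includes the weak ones; it is reported
    with the marker "JSSE-DEFAULT" rather than an empty list."""
    findings: Dict[str, List[str]] = {}
    for attrs in parse_connectors(server_xml):
        if attrs.get("scheme", "").lower() != "https":
            continue
        port = attrs.get("port", "?")
        if "ciphers" not in attrs:
            findings[port] = ["JSSE-DEFAULT"]
            continue
        suites = [c.strip() for c in attrs["ciphers"].split(",") if c.strip()]
        findings[port] = [c for c in suites if is_weak(c)]
    return findings


def harden(server_xml: str, allowed: List[str] = ARTICLE_ALLOWED_CIPHERS) -> str:
    """Return server.xml with every HTTPS connector's ciphers attribute set to
    exactly `allowed` (added if missing, replaced if present). Works on the raw
    text so comments and formatting elsewhere in the file survive."""
    ciphers_attr = 'ciphers="' + ", ".join(allowed) + '"'

    def fix(m: "re.Match[str]") -> str:
        tag = m.group(0)
        attrs = dict(ATTR_RE.findall(tag))
        if attrs.get("scheme", "").lower() != "https":
            return tag
        if "ciphers" in attrs:
            return CIPHERS_ATTR_RE.sub(lambda _: ciphers_attr, tag, count=1)
        # No allow-list yet: insert one just before the closing "/>" or ">".
        return re.sub(r"\s*/?>$", lambda e: " " + ciphers_attr + e.group(0).lstrip(), tag, count=1)

    return CONNECTOR_RE.sub(fix, server_xml)


# Constructed sample: one plain HTTP connector and the console's HTTPS connector
# in its shipped state (no ciphers attribute). Placeholder names from the article.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP connector: not affected -->
    <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!-- Smarts Web Console HTTPS connector as shipped: no ciphers attribute -->
    <Connector port="8080" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               acceptCount="100" scheme="https" secure="true" clientAuth="false"
               sslProtocol="SSL" keystoreFile="MyKeyFile.key" keystorePass="Poodle"
               truststoreFile="MyTrustStore.truststore" truststorePass="MyPass"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    print("before:", audit(SAMPLE_SERVER_XML))   # {'8080': ['JSSE-DEFAULT']}
    hardened = harden(SAMPLE_SERVER_XML)
    print("after: ", audit(hardened))            # {'8080': []}
    print(hardened)
```

To use it on a real console, read <Basedir>/CONSOLE/smarts/tomcat/conf/server.xml into a string, check audit() before and after harden(), and write the result out only after taking the backup from step 2; the script deliberately edits the text rather than re-serialising it through an XML parser so that comments and layout in server.xml are preserved. Passing a shorter list (for example only the TLS_*_AES_128_* suites) to harden() gives the stricter allow-list discussed above.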