Default Ciphers on port 2124 are Weak - Looking for Strong Cipher list



Article ID: 369058


Updated On:

Products

CA API Gateway

Issue/Introduction

The default configuration shown in Policy Manager lists only “weak” ciphers for this port. Here is the default config of this port:

- Is Broadcom planning to update the default installation of port 2124?

- Do you think it’s safe for us to enable TLS 1.3 and more ciphers on this port?

Environment

CA API Gateway 11.0 , 11.1

Cause

Weak ciphers were present in the default cipher list for Gateway 11.0.

Resolution

Gateway 11.0 had several weak ciphers in the default list; these were removed later, in Gateway 11.1.

For Gateway 11.0 you need to add the following property to the system.properties file; the default cipher suites for the port are then set from its value.

 

Note: this property has to be added BEFORE the gateway's first start; otherwise the gateway will use its own default value.
After the listen port has been created, this property is ignored.

Example of the line added to system.properties:

com.l7tech.server.listener.initinternodeciphers=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256

You can add any of the following suites as required (comma separated):

- TLS_AES_256_GCM_SHA384
- TLS_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
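The following shell helper is an added example, not Broadcom tooling: it validates a requested value against the suite list above and then writes the property into a system.properties file (replacing an existing line rather than duplicating it). The path to system.properties is passed in as an argument, since the location on a given appliance is not stated in this article.

```shell
#!/bin/sh
# Added example (not part of the CA API Gateway product). Must be run before
# the gateway's first start, as the article notes; afterwards the property
# is ignored for an already-created listen port.
PROP="com.l7tech.server.listener.initinternodeciphers"

# Allowlist taken from the article: only these suites are accepted.
ALLOWED="TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 \
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# validate_ciphers VALUE: return 0 only if every comma-separated suite in
# VALUE is on the allowlist; otherwise report the offending suite and fail.
validate_ciphers() {
  for suite in $(printf '%s' "$1" | tr ',' ' '); do
    case " $ALLOWED " in
      *" $suite "*) ;;
      *) echo "rejected cipher suite: $suite" >&2; return 1 ;;
    esac
  done
  return 0
}

# set_internode_ciphers FILE VALUE: set the property to VALUE in FILE,
# replacing an existing line or appending a new one. Fails on a bad VALUE.
set_internode_ciphers() {
  file=$1; value=$2
  validate_ciphers "$value" || return 1
  if grep -q "^${PROP}=" "$file" 2>/dev/null; then
    # Rewrite via a temp file: "sed -i" is not POSIX.
    sed "s|^${PROP}=.*|${PROP}=${value}|" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$PROP" "$value" >> "$file"
  fi
}

# get_internode_ciphers FILE: print the configured value (empty if unset).
get_internode_ciphers() {
  grep "^${PROP}=" "$1" 2>/dev/null | head -n 1 | cut -d= -f2-
}
```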