How can we disable SSLv2/SSLv3 protocol in Federation Manager?
search cancel

How can we disable SSLv2/SSLv3 protocol in Federation Manager?

book

Article ID: 38938

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Question: 

We need to disable SSLv2 protocols on Federation Manager. Could you please let us know how we can do it?

We should proceed the same way if we should disable SSLv3 as well?

 

Environment:  

FEDMA R12.x

 

Answer: 

In order to disable SSLv2 protocol, you will need to modify the following files:

1) server.conf file (under the \secure-proxy\proxy-engine\conf folder in your Federation Manager install path)

  • Search for the sslparams section, and verify SSLv2 is not enabled:
    <sslparams>
    # Set the SSL protocol version to support: SSLv2, SSLv3, TLSv1
    # WARNING: SSL version 2 should not be included due to security concerns.
    versions="SSLv3"
    ciphers="-RSA_With_Null_SHA,+RSA_With_Null_MD5,-RSA_With_RC4_SHA,+RSA_With_RC4_MD5,+RSA_With_DES_CBC_SHA,+RSA_Export_With_RC4_40_MD5,-RSA_Export_With_DES_40_CBC_SHA,+RSA_Export_With_RC2_40_CBC_MD5,-DH_RSA_With_DES_CBC_SHA,-DH_RSA_With_3DES_EDE_CBC_SHA,-DH_RSA_Export_With_DES_40_CBC_SHA,-DH_DSS_With_DES_CBC_SHA,-DH_DSS_Export_With_DES_40_CBC_SHA,-DH_Anon_With_RC4_MD5,-DH_Anon_With_DES_CBC_SHA,-DH_Anon_With_3DES_EDE_CBC_SHA,-DH_Anon_Export_With_DES_40_CBC_SHA,-DH_Anon_Export_With_RC4_40_MD5,-DHE_RSA_With_DES_CBC_SHA,-DHE_RSA_Export_With_DES_40_CBC_SHA,-DHE_DSS_With_DES_CBC_SHA,-DHE_DSS_Export_With_DES_40_CBC_SHA"
    fipsciphers="+DHE_DSS_With_AES_256_CBC_SHA, +DHE_RSA_With_AES_256_CBC_SHA, +RSA_With_AES_256_CBC_SHA, +DH_DSS_With_AES_256_CBC_SHA, +DH_RSA_With_AES_256_CBC_SHA, +DHE_DSS_With_AES_128_CBC_SHA, +DHE_RSA_With_AES_128_CBC_SHA, +RSA_With_AES_128_CBC_SHA, +DH_DSS_With_AES_128_CBC_SHA, +DH_RSA_With_AES_128_CBC_SHA, +DHE_DSS_With_3DES_EDE_CBC_SHA, +DHE_RSA_With_3DES_EDE_CBC_SHA, +RSA_With_3DES_EDE_CBC_SHA, +DH_DSS_With_3DES_EDE_CBC_SHA"
    # Covalent SSL CA certificate bundle and certs path to be converted
    # The bundle and/or certs located at defined location will be converted
    # to binary (DER) format and loaded as SSLParams.
    # NOTE: Only put Base64 (PEM) encoded cert files/bundles in the covalent
    # certificate directory.
    cacertpath="C:\F6\CA\FederationManager\secure-proxy\SSL\certs"
    cacertfilename="C:\F6\CA\FederationManager\secure-proxy\SSL\certs\ca-bundle.cert"
    </sslparams>

2) httpd-ssl.conf file (under the \secure-proxy\httpd\conf\extra in your Federation Manager install path)

  • Please add this line inside VirtualHost section, after "SSLEngine on" line. (note: case is important)
    SSLProtocol all -SSLv2

 

This is also applicable for disabling SSLv3, where you should set on each file above, the following settings:

1) versions="TLSv1"

2) SSLProtocol all -SSLv2 -SSLv3

 

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component:
Powered by Wolken Software