Introduction: 

Security scan shows that EEM is allowing SSL/TLS and RC4 communication.

• SSL Server supports Weak Encryption Vulnerability.
• SSL/TLS use of weak RC4 cipher. 

Port 509 is used for communication between EEM Server and CA Directory. 

The default cipher suite for CA Directory allows RC4.

Question: 

How can I remove RC4 vulnerability from the configuration?

Environment:  

CA EEM 12.x on Windows/Unix/Linux platforms.

Answer: 

1. You must modify file "itechpoz.dxc" located in

• Windows:     %DXHOME%\config\ssld directory
• Unix/Linux:   $DXHOME/config/ssld directory 

2. Add the following parameter in itechpoz.dxc to disable the RC4 cipher suites.

cipher = "ALL:!ADH:!DES:!LOW:!EXPORT40:!RC4" 

The itechpoz.dxc would look this after adding the above parameter: 

set ssl = { 

cert-dir = "config/ssld/personalities" 

ca-file = "config/ssld/itechpoz-trusted.pem" 

cipher = "ALL:!ADH:!DES:!LOW:!EXPORT40:!RC4" 

protocol = tls 

}; 

3. Recycle dxserver.

• Windows
  • dxserver stop all
  • dxserver start all
•  Unix/Linux
  • su - dsa -c "dxserver stop all"
  • su - dsa -c "dxserver start all"

Additional Information:

You can check following link to understand the syntax of the cypher string ("ALL:!ADH:!DES:!LOW:!EXPORT40:!RC4")

http://www.openssl.org/docs/apps/ciphers.html  

Release:
Component: ETEIAM