Insecure and weak ciphers TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA in AdminUI

Article ID: 399227

Products

SITEMINDER

Issue/Introduction

Vulnerabilities were reported against SiteMinder AdminUI version 12.8 SP7 services.

Connections were negotiated with the following insecure cipher suites:

TLS 1.2 ciphers:

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

Environment

SiteMinder AdminUI 12.8 SP7

Resolution

Once all the weak ciphers were removed from the AdminUI configuration and the strong ciphers were introduced, the connection was established successfully using the strong ciphers on TLS 1.2.

Refer to the snippet below from the Policy Server, with the strong ciphers introduced:

<siteminder_home>/adminui/standalone/configuration/standalone-full.xml:

<https-listener name="https" socket-binding="https" no-request-timeout="120000" security-realm="SSLRealm" enabled-cipher-suites="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" enabled-protocols="TLSv1.2,TLS1.3" enable-http2="true"/>

Steps: 

  1. Stop the AdminUI services;
  2. Go to <siteminder_home>/adminui/standalone/configuration;
  3. Take a backup of standalone-full.xml;
  4. Modify the "https-listener name" block with the strong ciphers, as shown in the example above;
  5. Save the file and quit;
  6. Start the AdminUI services.

Note:

  • Test the changes in a lower environment before rolling them out to production, to validate that the selected ciphers are supported in the network;
  • TLS 1.3 is not supported on AdminUI versions 12.8 SP8 and lower (1).
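
An added example, not taken from the article or the product: a Python check to run against the edited standalone-full.xml before starting the AdminUI services again, listing any weak suite still present on an https-listener. The function names, the name-based rules beyond the four reported suites, and the sample XML (including its namespaces and the "before" listener) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The four suites the article reports as insecure on AdminUI 12.8 SP7.
REPORTED_WEAK = {
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def weakness(suite):
    """Return a reason if the suite name looks weak, else None (name-based heuristic)."""
    if suite in REPORTED_WEAK:
        return "reported as insecure in the article"
    if suite.startswith("TLS_RSA_WITH_"):
        return "static RSA key exchange, no forward secrecy"
    if "_CBC_" in suite:
        return "CBC mode"
    return None

def audit_https_listeners(xml_text):
    """Return {listener name: [(suite, reason), ...]} for every https-listener element."""
    findings = {}
    for elem in ET.fromstring(xml_text).iter():
        # Subsystem elements are namespaced; compare the local name only.
        if elem.tag.rsplit("}", 1)[-1] != "https-listener":
            continue
        name = elem.get("name", "?")
        raw = elem.get("enabled-cipher-suites")
        if raw is None:
            # No explicit list: server/JVM defaults apply and need a separate check.
            findings[name] = [("<attribute missing>", "server defaults in effect")]
            continue
        suites = [s.strip() for s in raw.split(",") if s.strip()]
        findings[name] = [(s, w) for s in suites if (w := weakness(s))]
    return findings

# Constructed sample: namespaces and the "before" listener are illustrative only.
SAMPLE = """<server xmlns="urn:example:server"><subsystem xmlns="urn:example:undertow">
 <https-listener name="before" socket-binding="https"
   enabled-cipher-suites="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
 <https-listener name="https" socket-binding="https"
   enabled-cipher-suites="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"/>
</subsystem>
</server>"""

if __name__ == "__main__":
    for name, issues in audit_https_listeners(SAMPLE).items():
        print(name, "OK" if not issues else issues)
```

An empty list for a listener means none of its configured suites matched the rules; it does not replace testing the running service in a lower environment.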

 

Additional Information