Disable RC4 ciphers in JBOSS as per PCI requirements

Article ID: 44779

Products

  • CA Virtual Privilege Manager
  • CA Privileged Identity Management Endpoint (PIM)
  • CA Privileged Access Manager (PAM)

Issue/Introduction

In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4) is a stream cipher. While remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4 and it is no longer considered secure: RFC 7465 prohibits its use in TLS, and a PCI DSS vulnerability scan flags any server that still offers an RC4 cipher suite. The JBoss Web HTTPS connector shipped with PIM offers RC4 suites by default (see the nmap output under Additional Information).

This article describes how to disable the RC4 cipher suites in the JBoss instance shipped with PIM.

 

Environment

All the PIM Enterprise Management releases that use JBoss 4.2.3

Resolution

  • Stop JBoss.
  • In the server.xml file, add a ciphers attribute to the HTTPS Connector element(s). The attribute is an explicit allow-list: JBoss Web negotiates only the suites named in it, so every suite left out, RC4 included, is disabled. The following value keeps the AES and 3DES suites from the default set and omits the RC4 ones:

ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

Do not list SSL_RSA_WITH_RC4_128_MD5 or SSL_RSA_WITH_RC4_128_SHA in the attribute: naming a suite there enables it, and the RC4 finding would remain open. The 3DES suites are kept above only for compatibility with old clients; PCI scanners flag them as well (64-bit block size, SWEET32), so remove them too unless a client still requires them.

After the attribute is added, the connector looks like this (sample only; keystore path, alias, password and port will differ on your system):

<Connector SSLEnabled="true" URIEncoding="UTF-8" clientAuth="false" emptySessionPath="true" keyAlias="entm" keystoreFile="/opt/jboss-4.2.3.GA/server/default/deploy/IdentityMinder.ear/custom/ppm/truststore/ssl.keystore" keystorePass="secret" maxThreads="150" port="18443" protocol="HTTP/1.1" scheme="https" secure="true" server="PIM" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>

Note that sslProtocols in this sample still enables TLSv1. PCI DSS 3.1 and later treat TLS 1.0 as an insecure protocol, so once your clients allow it, restrict the attribute to "TLSv1.1,TLSv1.2" (or "TLSv1.2" alone) in the same edit.

Location of the server.xml file:
JBOSS_HOME/server/default/deploy/jboss-web.deployer

  • Delete these folders under JBOSS_HOME/server/default/:
    tmp
    work
    log
  • Start JBoss.

Additional Information

Cipher suites offered by the PIM JBoss connector before the change, enumerated with nmap's ssl-enum-ciphers script (nmap --script ssl-enum-ciphers -p <port> <host>). The three RC4 suites (TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA) are what the PCI scan reports. After the change, run the same scan again and confirm that no RC4 entry is listed. The letter grades come from an older nmap release; current versions of the script flag RC4 as broken (RFC 7465), 3DES as vulnerable to SWEET32, and the 768-bit DH group shown as "dh 768" as weaker than the certificate key. Because the ciphers attribute is an allow-list, the ECDHE suites shown here disappear too once the value from the Resolution is applied; add TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.2) to the list if you want to keep forward secrecy.

| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 768) - E
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) - C
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp160k1) - D
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp160k1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 768) - E
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 768) - C
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp160k1) - D
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp160k1) - A
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (secp160k1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
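The following POSIX shell script is an added example for both the Resolution steps and the scan output above; it is not code from the article, from CA PIM, JBoss or nmap. It strips RC4 (or any other flagged suite) out of a connector's ciphers="..." value, rewrites a server.xml-style file with the filtered value, and parses an nmap ssl-enum-ciphers report for suites that should no longer appear. ORIGINAL_CIPHERS is the article's own sample list; the WEAK_SUITE_RE pattern, the function names and the post-change scan excerpt (SCAN_AFTER) are constructed for this example.

```shell
#!/bin/sh
# Added example for this article; not code from CA PIM, JBoss or nmap.
# Removes unwanted suites from a JBoss Web connector's ciphers="..." attribute and
# checks an nmap ssl-enum-ciphers report for suites that must be gone after the change.
# Function names, the regex and the SCAN_AFTER excerpt are constructed for the demo.

# The ciphers value from the article's sample connector, still carrying the two RC4 suites.
ORIGINAL_CIPHERS="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

# Suites a PCI scan flags. RC4 is the article's subject; 3DES (SWEET32), MD5 MACs,
# NULL, EXPORT and single-DES suites are the usual companions on the same report.
WEAK_SUITE_RE='RC4|3DES|_MD5|_NULL_|EXPORT|_DES_'

# strip_suites LIST REGEX -> LIST without the entries matching REGEX, comma separated,
# ready to be pasted back into ciphers="...".
strip_suites() {
    printf '%s' "$1" | tr ',' '\n' | awk -v re="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 != "" && $0 !~ re { out = out (out == "" ? "" : ",") $0 }
        END { print out }'
}

# count_suites LIST REGEX -> number of entries in LIST matching REGEX (prints 0 when none).
count_suites() {
    printf '%s' "$1" | tr ',' '\n' | grep -c -E "$2" || true
}

# rewrite_connector FILE REGEX -> FILE on stdout with every ciphers="..." value filtered.
# Handles one ciphers attribute per line, which is how server.xml is normally written.
rewrite_connector() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *ciphers=\"*)
                before=${line%%ciphers=\"*}
                rest=${line#*ciphers=\"}
                value=${rest%%\"*}
                after=${rest#*\"}
                printf '%sciphers="%s"%s\n' "$before" "$(strip_suites "$value" "$2")" "$after"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# scan_weak_suites REPORT REGEX -> distinct suite names in an ssl-enum-ciphers report
# that match REGEX. Empty output means the scan is clean for that pattern.
# Produce REPORT with:  nmap --script ssl-enum-ciphers -p 18443 <host>
scan_weak_suites() {
    printf '%s\n' "$1" | grep -E -o '(TLS|SSL)_[A-Z0-9_]+' | grep -E "$2" | sort -u
}

# Constructed excerpt in ssl-enum-ciphers format, as the connector would report after
# the RC4 suites are dropped but 3DES is kept.
SCAN_AFTER='| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 768) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: C'

echo "RC4 suites in the article's list: $(count_suites "$ORIGINAL_CIPHERS" RC4)"
echo "ciphers without RC4: $(strip_suites "$ORIGINAL_CIPHERS" RC4)"
echo "ciphers without any flagged suite: $(strip_suites "$ORIGINAL_CIPHERS" "$WEAK_SUITE_RE")"
echo "still flagged in the post-change scan: $(scan_weak_suites "$SCAN_AFTER" "$WEAK_SUITE_RE" | tr '\n' ' ')"
```

To apply it to a real installation, run rewrite_connector against a copy of JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml, compare the result with diff before replacing the file, and feed the output of the nmap command in the comment to scan_weak_suites after JBoss has been restarted. Filtering with WEAK_SUITE_RE instead of just RC4 leaves only the AES suites, which is the list to aim for once no client depends on 3DES.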