Enabling TLSv1.2 and strong ciphers on ports 509, 5250, 8443 and 9443
Article ID: 74517

Products

Autosys Workload Automation

Issue/Introduction

Restricting ports 509, 5250, 8443 and 9443 to TLSv1.2 with strong ciphers
509:  EEM (CA Directory, itechpoz)
5250: EEM GUI
8443: CA WCC Tomcat port
9443: CA AEWS Tomcat port

Environment

AutoSys Workload Automation

Resolution

PORT 8443 (WCC) and PORT 9443 (AEWS)

  1. To enforce TLS 1.2 and strong ciphers on these two ports, follow the steps in the knowledge article "Weak SSL/TLS Key Exchange being reported by Qualys scans against Autosys Web Server or WebUI (WCC) ports".

PORT 5250 (EEM)

  1. Navigate to the IGW_LOC directory
  2. Edit the igateway.conf file
  3. Look for the <secureProtocol/> tag in the <port>5250</port> section and change it to <secureProtocol>TLSv1_2</secureProtocol>
  4. Look for the <cipherlist/> tag in the <port>5250</port> section and change it to <cipherlist>ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256</cipherlist>
  5. Save the file
  6. Restart the iGateway service

Example from igateway.conf:

<secureProtocol>TLSv1_2</secureProtocol>
<cipherlist>ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256</cipherlist>

Note: for the full set of cipher suites EEM accepts, see the "Ciphers supported by EEM" document.

Example IGW_LOC path locations:
Linux:
/opt/CA/SharedComponents/iTechnology
Windows:
C:\Program Files\CA\SharedComponents\iTechnology

Commands to stop and start iGateway
Linux Stop Command:
Run as root:
$IGW_LOC/S99igateway stop

Windows Stop Command:
Go to Windows services and stop CA iTechnology iGateway

Linux Start Command:
Run as root:
$IGW_LOC/S99igateway start

Windows Start Command:
Go to Windows services and start CA iTechnology iGateway

PORT 509 (CA Directory)

  1. Navigate to the DXHOME/config/ssld directory
  2. Edit the itechpoz.dxc file
  3. Look for the protocol = tls parameter
  4. Change it to: protocol = tlsv12
  5. Edit the cipher = parameter so that its list of ciphers reads: cipher = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
  6. Save the file
  7. Restart the dxserver (itechpoz service)

The same "Ciphers supported by EEM" cipher list document referenced above can be used here as well.

Example from itechpoz.dxc:

#
# eiam repository
#
set ssl = {
cert-dir = "config/ssld/personalities"
ca-file = "config/ssld/itechpoz-trusted.pem"
cipher = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
protocol = tlsv12
};
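As an added pre-restart check covering both the port 5250 (igateway.conf) and port 509 (itechpoz.dxc) edits above, the following Python script reads both files and reports any section that still allows a protocol other than TLSv1.2 or a cipher suite outside the four listed in this article. This is example code written for this page, not part of the CA products or the original article; the function names are mine, and the two embedded file samples are constructed minimal fragments (real igateway.conf and itechpoz.dxc files contain many more elements and parameters).

```python
import re
import xml.etree.ElementTree as ET

# The four cipher suites the article configures on each port.
STRONG_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
]


def check_cipherlist(cipherlist):
    """Return the configured suites that are not in STRONG_CIPHERS.

    An empty result means the list is acceptable. An empty or missing list is
    reported as ['<empty>'] because the service would then fall back to its
    library default, which is exactly what the article is removing.
    """
    suites = [c.strip() for c in (cipherlist or "").split(":") if c.strip()]
    if not suites:
        return ["<empty>"]
    return [s for s in suites if s not in STRONG_CIPHERS]


def check_igateway_conf(xml_text, port="5250"):
    """Check the igateway.conf element whose <port> child equals `port`.

    Returns a dict of findings keyed by tag name; {} means compliant.
    """
    findings = {}
    root = ET.fromstring(xml_text)
    section = None
    for elem in root.iter():  # find the enclosing element of <port>5250</port>
        p = elem.find("port")
        if p is not None and (p.text or "").strip() == port:
            section = elem
            break
    if section is None:
        return {"port": "no section with <port>%s</port>" % port}
    proto = (section.findtext("secureProtocol") or "").strip()
    if proto != "TLSv1_2":
        findings["secureProtocol"] = proto or "<empty>"
    weak = check_cipherlist(section.findtext("cipherlist"))
    if weak:
        findings["cipherlist"] = weak
    return findings


def check_itechpoz_dxc(dxc_text):
    """Check the 'set ssl = { ... };' block of itechpoz.dxc.

    Returns a dict of findings keyed by parameter name; {} means compliant.
    """
    findings = {}
    block = re.search(r"set\s+ssl\s*=\s*\{(.*?)\};", dxc_text, re.S)
    if not block:
        return {"ssl": "no 'set ssl = { ... };' block found"}
    body = block.group(1)
    proto = re.search(r"protocol\s*=\s*(\S+)", body)
    proto = proto.group(1) if proto else "<missing>"
    if proto != "tlsv12":
        findings["protocol"] = proto
    cipher = re.search(r'cipher\s*=\s*"([^"]*)"', body)
    weak = check_cipherlist(cipher.group(1) if cipher else None)
    if weak:
        findings["cipher"] = weak
    return findings


# Constructed minimal samples: the "before" state uses the empty tags and the
# "protocol = tls" value the article tells you to look for.
IGATEWAY_BEFORE = """<igateway>
  <Connector name="defaultport">
    <port>5250</port>
    <secureProtocol/>
    <cipherlist/>
  </Connector>
</igateway>"""

IGATEWAY_AFTER = IGATEWAY_BEFORE.replace(
    "<secureProtocol/>", "<secureProtocol>TLSv1_2</secureProtocol>"
).replace("<cipherlist/>", "<cipherlist>%s</cipherlist>" % ":".join(STRONG_CIPHERS))

DXC_BEFORE = """#
# eiam repository
#
set ssl = {
cert-dir = "config/ssld/personalities"
ca-file = "config/ssld/itechpoz-trusted.pem"
cipher = "AES256-SHA:AES128-SHA"
protocol = tls
};
"""

DXC_AFTER = DXC_BEFORE.replace(
    '"AES256-SHA:AES128-SHA"', '"%s"' % ":".join(STRONG_CIPHERS)
).replace("protocol = tls\n", "protocol = tlsv12\n")

if __name__ == "__main__":
    for name, result in [
        ("igateway.conf before", check_igateway_conf(IGATEWAY_BEFORE)),
        ("igateway.conf after", check_igateway_conf(IGATEWAY_AFTER)),
        ("itechpoz.dxc before", check_itechpoz_dxc(DXC_BEFORE)),
        ("itechpoz.dxc after", check_itechpoz_dxc(DXC_AFTER)),
    ]:
        print(name, "->", "OK" if not result else result)
```

To check the live files, replace the embedded samples with `open(path).read()` of the real igateway.conf and itechpoz.dxc. Once the services have been restarted, confirm the change from the network as well: `openssl s_client -connect <host>:5250 -tls1_1` should now fail the handshake, while `openssl s_client -connect <host>:5250 -tls1_2` should succeed and report one of the four suites above.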

Example DXHOME/config/ssld path locations:
Linux:
/opt/CA/SharedComponents/Directory/dxserver/config/ssld
Windows:
C:\Program Files\CA\SharedComponents\Directory\dxserver\config\ssld

Commands to stop and start CA Directory
Linux Stop Command:
su - dsa
cd /opt/CA/SharedComponents/CADirectory/dxserver/bin
./dxserver stop all

Windows Stop Command:
Go to Windows services and stop CA Directory - itechpoz

Linux Start Command:
su - dsa
cd /opt/CA/SharedComponents/CADirectory/dxserver/bin
./dxserver start all

Windows Start Command:
Go to Windows services and start CA Directory - itechpoz

Additional Information