How do I enable TLSv1.2 on ports 509, 5250 and 8443 and specify a cipherlist?
search cancel

How do I enable TLSv1.2 on ports 509, 5250 and 8443 and specify a cipherlist?

book

Article ID: 74517

calendar_today

Updated On:

Products

CA Workload Automation AE - Business Agents (AutoSys) CA Workload Automation AE - Scheduler (AutoSys) Workload Automation Agent

Issue/Introduction

Is it possible to restrict the communication protocol for the ports 509, 5250, and 8443 to TLSv1.2?

509 :  EEM (CA Directory, itechpoz)
5250: EEM GUI
8443:  CA WCC Tomcat port (the default for non-SSL is 8080; the default for SSL is 8443)

Environment

CA Embedded Entitlements Manager r12.51 CR05 (12.51.5.24)
CA Workload Control Center r11.4+

Resolution

PORT 8443 (WCC)

1. Navigate to the CA_WCC_INSTALL_LOCATION/tomcat/conf directory
2. Edit the server.xml file
3. Look for the sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" parameter
4. Between the parentheses, remove everything except TLSv1.2
5. Save the file
6. Restart the WCC services

PORT 5250 (EEM)

1. Navigate to the IGW_LOC directory
2. Edit the igateway.conf file
3. Look for the <secureProtocol/> tag
4. Make the following edit: <secureProtocol>TLSv1_2</secureProtocol>
5. Save the file
6. Restart the iGateway service

Ciphers supported by EEM

Example from igateway.conf:

<secureProtocol>TLSv1_2</secureProtocol>
<cipherlist>-ALL:HIGH:MEDIUM:!RC4</cipherlist>

PORT 509 (CA Directory) 

TLSv1.2 is supported in EEM 12.6 for CA Directory

(This is because CALDAP which is used to communicate between iGateway and CA Directory does not support it in releases prior to 12.6) 

1. Navigate to the DXHOME/config/ssld directory
2. Edit the itechpoz.dxc file
3. Look for the protocol = tls parameter
4. Make the following edit: protocol = tlsv12
5. Save the file
6. Restart the dxserver (itechpoz service)

The same cipherlist document above can be used.

Example from itechpoz.dxc:

#  
# eiam repository  
#  
set ssl = {  
cert-dir = "config/ssld/personalities"  
ca-file = "config/ssld/itechpoz-trusted.pem"  
cipher = "ALL:!EXPORT40:!ADH:!EXP:!LOW:!RC4:!SSLv3:!SSLv2"
protocol = tlsv12  
};

Additional Information