How to Disable TLS 1.0 in the CA API Gateway and Enterprise Service Manager ("ESM") Tools

Article ID: 10650

Products

STARTER PACK-7; CA Rapid App Security; CA API Gateway Enterprise Service Manager (Layer 7); CA API Gateway

Issue/Introduction

This article describes the steps required to disable TLS 1.0 in the CA API Gateway and the ESM components for compliance with PCI DSS 3.1.

Under version 3.1 of the PCI DSS, SSL (all versions) and TLS 1.0 are no longer acceptable for PCI compliance after June 30, 2016: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after that date. The best response is to disable SSL entirely and migrate to a more modern protocol, which at the time of publication means TLS 1.1 at minimum, although TLS 1.2 is strongly recommended and is what the steps below enforce.

Environment

The solution below was tested on SSG 8.x and 9.x nodes with ESM 1.13 monitoring enabled on all nodes.

Resolution

Follow the instructions below to disable TLS 1.0 completely in the CA API Gateway and the ESM components. The order matters: Policy Manager stays connected on one HTTPS port while the other port is restricted to TLS 1.2, and the port used for that session is restricted last.

    1. Add the following JVM argument to the Layer 7 Policy Manager.ini file (found in the Policy Manager installation folder), so that Policy Manager can still connect to a port that allows TLS 1.0 while also negotiating TLS 1.2 with the ports restricted below: -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
    2. Start Policy Manager and login to API Gateway using port 9443.
    3. Select Tasks > Manage Listen Ports.
    4. Select port 8443 (Default HTTPS) and click Properties.
    5. Select SSL/TLS Settings tab and leave only TLS v1.2 checked, then click OK.
    6. Similarly, select port 2124 (Node HTTPS 2124) and click Properties.
    7. Select SSL/TLS Settings tab and leave only TLS v1.2 checked, then click OK.
    8. Click Close, and then click on Disconnect in Policy Manager to disconnect the session.
    9. Connect to the Gateway via SSH, login as ssgconfig, then choose 3) Use a privileged shell (root).
    10. Modify the Enterprise Manager configuration file (/opt/SecureSpan/EnterpriseManager/var/emconfig.properties) by adding or editing the line:
      • em.server.listenport.protocols=TLSv1.2
         
        The value is a comma-separated list of protocol names such as "SSLv3,TLSv1,TLSv1.1,TLSv1.2" and controls which TLS versions the ESM listen port accepts.
    11. Modify the Enterprise Manager launch script (/opt/SecureSpan/EnterpriseManager/bin/enterprisemanager.sh) so that the JVM's outbound HTTPS connections use only TLSv1.2:
      • EM_JAVA_OPTS="-XX:MaxPermSize=256m -Xmx512m -Djava.security.egd=file:/dev/./urandom -Dhttps.protocols=TLSv1.2"
    12. Modify the SecureSpan Process Controller launch script (/opt/SecureSpan/Controller/bin/processcontroller.sh) in the same way:
      • PC_JAVAOPT="-Djava.security.egd=file:/dev/./urandom -Dhttps.protocols=TLSv1.2"
    13. Modify the Host Controller properties file (/opt/SecureSpan/Controller/etc/host.properties) by adding a new line so that the Process Controller listener accepts only TLSv1.2:
      • host.controller.sslProtocols=TLSv1.2
    14. Reboot the node.
    15. Repeat steps 9 through 14 on every node in the cluster (each node must be rebooted after its files are changed).
    16. Start Policy Manager and login to API Gateway using port 8443.
    17. Select Tasks > Manage Listen Ports.
    18. Select port 9443 (Default HTTPS) and click Properties.
    19. Select SSL/TLS Settings tab and leave only TLS v1.2 checked, then click OK.
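Once the steps above have been applied and the nodes rebooted, the result should be verified rather than assumed. The following script is an added example, not part of the CA article or the product: it audits the four settings from steps 10 to 13 for any remaining weak protocol name and then probes the listen ports from steps 4 to 7 and 18 with openssl s_client, expecting TLS 1.0 and 1.1 handshakes to be refused and TLS 1.2 to succeed. The file paths, property keys and the ports 8443, 9443 and 2124 are taken from the article; the GATEWAY_HOST and GATEWAY_PORTS variables, the script name and the requirement that the local openssl still offers -tls1 and -tls1_1 are assumptions. The ESM listen port is not named in the article, so add it to GATEWAY_PORTS yourself.

```shell
#!/bin/sh
# Added verification script; not from the CA article or the product.
# Audits the protocol settings written in steps 10 to 13 and probes the
# listen ports restricted in steps 4 to 7 and 18 with openssl s_client.
# Assumptions (not from the article): GATEWAY_HOST names the node to probe,
# GATEWAY_PORTS defaults to the article's three Gateway ports, and the local
# openssl(1) was built with TLS 1.0/1.1 support so a refusal is meaningful.

# Protocol names PCI DSS 3.1 no longer accepts as strong cryptography.
WEAK_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1"

# weak_in LIST: print each weak protocol in a comma-separated list such as
# "SSLv3,TLSv1,TLSv1.1,TLSv1.2"; exit status 0 if any was found, else 1.
weak_in() {
  found=1
  for proto in $(printf '%s' "$1" | tr ',' ' '); do
    for weak in $WEAK_PROTOCOLS; do
      if [ "$proto" = "$weak" ]; then
        printf '%s\n' "$proto"
        found=0
      fi
    done
  done
  return $found
}

# setting_value FILE KEY: print the value of KEY=... in FILE, whether KEY is
# a properties key on its own line or a -DKEY=... inside a quoted JAVA_OPTS
# string. The last occurrence wins; a commented-out line still matches.
setting_value() {
  pattern=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -o "${pattern}=[^\" ]*" "$1" | tail -n 1 | cut -d= -f2
}

# audit_file FILE KEY: report the configured protocol list for KEY and
# return 1 if it is missing or still allows a weak protocol.
audit_file() {
  value=$(setting_value "$1" "$2")
  if [ -z "$value" ]; then
    echo "MISSING  $2 in $1"
    return 1
  fi
  if hits=$(weak_in "$value"); then
    echo "WEAK     $2=$value in $1 (allows: $(printf '%s' "$hits" | tr '\n' ' '))"
    return 1
  fi
  echo "OK       $2=$value in $1"
  return 0
}

# probe_port HOST PORT: attempt one handshake per protocol version and
# return 1 unless TLS 1.2 is the only version the listener accepts.
# A client built without TLS 1.0 fails exactly like a refusing server,
# which is why main checks the s_client help text first.
probe_port() {
  status=0
  for flag in tls1 tls1_1 tls1_2; do
    if printf 'Q\n' | openssl s_client -connect "$1:$2" "-$flag" >/dev/null 2>&1; then
      accepted=yes
    else
      accepted=no
    fi
    case "$flag:$accepted" in
      tls1_2:yes) echo "OK       $1:$2 accepts TLS 1.2" ;;
      tls1_2:no)  echo "FAIL     $1:$2 refuses TLS 1.2 (nothing can connect)"; status=1 ;;
      *:yes)      echo "FAIL     $1:$2 still accepts $flag"; status=1 ;;
      *:no)       echo "OK       $1:$2 refuses $flag" ;;
    esac
  done
  return $status
}

main() {
  rc=0
  audit_file /opt/SecureSpan/EnterpriseManager/var/emconfig.properties em.server.listenport.protocols || rc=1
  audit_file /opt/SecureSpan/EnterpriseManager/bin/enterprisemanager.sh https.protocols || rc=1
  audit_file /opt/SecureSpan/Controller/bin/processcontroller.sh https.protocols || rc=1
  audit_file /opt/SecureSpan/Controller/etc/host.properties host.controller.sslProtocols || rc=1
  if ! openssl s_client -help 2>&1 | grep -q -- '-tls1 '; then
    echo "WARN     this openssl cannot speak TLS 1.0; a 'refuses tls1' result proves nothing"
  fi
  for port in ${GATEWAY_PORTS:-8443 9443 2124}; do
    probe_port "$GATEWAY_HOST" "$port" || rc=1
  done
  return $rc
}

# Runs only when a target is given, e.g. GATEWAY_HOST=gw1.example.com sh tls12-check.sh
if [ -n "${GATEWAY_HOST:-}" ]; then
  main
fi
```

Run the audit part on each node as root (the files are readable only there) and the probe part from a separate host that can reach the listen ports, since a node probing itself says nothing about what remote clients, including the other cluster members and the ESM, can negotiate. A "refuses tls1" line is only evidence when the WARN line is absent: modern openssl builds often disable TLS 1.0 client support, and then every probe of that version fails regardless of what the server does.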

Additional Information

The files noted in steps 10 through 12 may be overwritten by an upgrade of the Gateway application. They are not "upgrade safe": they are not intended to be edited by users, so an upgrade does not preserve local changes to them. Keep this in mind when upgrading the Gateway and make re-checking these settings, and reapplying those three steps where necessary, part of the upgrade procedure.