Is it possible to restrict the communication protocol for the ports 509, 5250, and 8443 to TLSv1.2?
509 : EEM (CA Directory, itechpoz)
5250: EEM GUI
8443: CA WCC Tomcat port (the default for non-SSL is 8080; the default for SSL is 8443)
PORT 8443 (WCC)
1. Navigate to the CA_WCC_INSTALL_LOCATION/tomcat/conf directory
2. Edit the server.xml file
3. Look for the sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" parameter
4. Between the parentheses, remove everything except TLSv1.2
5. Save the file
6. Restart the WCC services
PORT 5250 (EEM)
1. Navigate to the IGW_LOC directory
2. Edit the igateway.conf file
3. Look for the <secureProtocol/> tag
4. Make the following edit: <secureProtocol>TLSv1_2</secureProtocol>
5. Save the file
6. Restart the iGateway service
Ciphers supported by EEM: https://knowledge.broadcom.com/external/article?articleId=46312
Example from igateway.conf:
<secureProtocol>TLSv1_2</secureProtocol>
<cipherlist>-ALL:HIGH:MEDIUM:!RC4</cipherlist>
PORT 509 (CA Directory)
TLSv1.2 is supported in EEM 12.6 for CA Directory
(This is because CALDAP which is used to communicate between iGateway and CA Directory does not support it in releases prior to 12.6)
1. Navigate to the DXHOME/config/ssld directory
2. Edit the itechpoz.dxc file
3. Look for the protocol = tls parameter
4. Make the following edit: protocol = tlsv12
5. Save the file
6. Restart the dxserver (itechpoz service)
The same cipherlist document above can be used.
Example from itechpoz.dxc:
#
# eiam repository
#
set ssl = {
cert-dir = "config/ssld/personalities"
ca-file = "config/ssld/itechpoz-trusted.pem"
cipher = "ALL:!EXPORT40:!ADH:!EXP:!LOW:!RC4:!SSLv3:!SSLv2"
protocol = tlsv12
};