Enabling TLSv1.2 on ports 509, 5250 and 8443 and specifying a cipherlist.
search cancel

Enabling TLSv1.2 on ports 509, 5250 and 8443 and specifying a cipherlist.

book

Article ID: 74517

calendar_today

Updated On:

Products

CA Workload Automation AE - Business Agents (AutoSys) CA Workload Automation AE - Scheduler (AutoSys) Workload Automation Agent

Issue/Introduction

Is it possible to restrict the communication protocol for the ports 509, 5250, and 8443 to TLSv1.2?

509 :  EEM (CA Directory, itechpoz)
5250: EEM GUI
8443:  CA WCC Tomcat port (the default for non-SSL is 8080; the default for SSL is 8443)

Environment

CA Embedded Entitlements Manager r12.51 CR05 (12.51.5.24) +
CA Workload Control Center r11.4+

Resolution

PORT 8443 (WCC)

  1. Navigate to the CA_WCC_INSTALL_LOCATION/tomcat/conf directory
  2. Edit the server.xml file
  3. Look for the sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" parameter
  4. Between the parentheses, remove everything except TLSv1.2
  5. Save the file
  6. Restart the WCC services


Example Path locations:
Linux:
/opt/CA/WorkloadAutomationAE/wcc
Windows:
C:\Program Files\CA\WorkloadAutomationAE\wcc

Commands to stop and start WCC:
Linux Stop command:
- source Autosys environment:
unisrvcntr stop CA-wcc CA-wcc-services

Windows Stop command:
Go to Windows services and stop CA-wcc-services

Linux Start command:
- source Autosys environment:
unisrvcntr start CA-wcc CA-wcc-services

Windows start command:
Go to Windows services and start CA-wcc

PORT 5250 (EEM)

  1. Navigate to the IGW_LOC directory
  2. Edit the igateway.conf file
  3. Look for the <secureProtocol/> tag
  4. Make the following edit: <secureProtocol>TLSv1_2</secureProtocol>
  5. Save the file
  6. Restart the iGateway service

    Ciphers supported by EEM

Example from igateway.conf:

<secureProtocol>TLSv1_2</secureProtocol>
<cipherlist>-ALL:HIGH:MEDIUM:!RC4</cipherlist>

Example Path locations:
Linux:
/opt/CA/SharedComponents/iTechnology
Windows:
C:\Program Files\CA\SharedComponents\iTechnology

Command to stop and start iGateway
Linux Stop Command:
run as root
$IGW_LOC/S99igateway stop

Windows Stop Command:
Go to Windows services and stop CA iTechnology iGateway 


Linux Start Command:
run as root
$IGW_LOC/S99igateway start

Windows Start Command:
Go to Windows services and Start CA iTechnology iGateway

PORT 509 (CA Directory) 

TLSv1.2 is supported in EEM 12.6 for CA Directory
(This is because CALDAP which is used to communicate between iGateway and CA Directory does not support it in releases prior to 12.6)

  1. Navigate to the DXHOME/config/ssld directory
  2. Edit the itechpoz.dxc file
  3. Look for the protocol = tls parameter
  4. Make the following edit: protocol = tlsv12
  5. Save the file
  6. Restart the dxserver (itechpoz service)


The same cipherlist document above can be used.

Example from itechpoz.dxc:

#  
# eiam repository  
#  
set ssl = {  
cert-dir = "config/ssld/personalities"  
ca-file = "config/ssld/itechpoz-trusted.pem"  
cipher = "ALL:!EXPORT40:!ADH:!EXP:!LOW:!RC4:!SSLv3:!SSLv2"
protocol = tlsv12  
};

Example Path locations:
Linux:
/opt/CA/SharedComponents/Directory/dxserver/config\ssld
Windows:
C:\Program Files\CA\SharedComponents\Directory\dxserver\config\ssld

Command to stop and start CA Directory
Linux Stop Command:
su - dsa
cd /opt/CA/SharedComponents/CADirectory/dxserver/bin
./dxserver stop all

Windows Stop Command:
Go to Windows services and stop CA Directory - itechpoz

Linux Start Command:
su - dsa
cd /opt/CA/SharedComponents/CADirectory/dxserver/bin
./dxserver start all

Windows Start Command:
Go to Windows services and Start CA Directory - itechpoz

Additional Information


 

Powered by Wolken Software