How to disable weaker DHE cipher modes (Logjam) in RSA DLP?
Originally Published: 2015-08-03
Applies To
RSA Product/Service Type: RSA Data Loss Prevention
RSA Version/Condition: 9.5.x, 9.6.x
Platform: Linux - CentOS 6.x x64
Section 1: Steps to disable the weak DHE cipher on the Enterprise Manager system:
1. Stop the RSA DLP Enterprise Manager service from the Services console (services.msc).
2. Use Windows Explorer to navigate to the Enterprise Manager installation directory, then to its etc folder (e.g. C:\Program Files (x86)\RSA\Enterprise Manager\etc).
3. Locate the tem-jetty.xml file and open it in Notepad.
4. Search for the addConnector section that listens on port 443. The start of the section looks like this:
<Call name="addConnector">
<Arg>
<New class="org.mortbay.jetty.security.SslSocketConnector">
<Set name="Port">443</Set>
.....
5. Locate the ExcludeCipherSuites element within that addConnector section.
6. Add a new Item, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, to the element, placing it in front of the existing cipher items. The result looks like this:
<Set name="ExcludeCipherSuites">
<Array type="java.lang.String">
<Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
<Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
<Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
...
</Array>
</Set>
7. Navigate to the addConnector section for port 9143 and locate its ExcludeCipherSuites element.
8. Repeat step 6 on this element.
9. Save tem-jetty.xml.
10. Use services.msc to start the RSA DLP Enterprise Manager service.
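Steps 4 to 8 above, done as a script instead of by hand in Notepad. This is an added example, not part of the original article or of RSA's tooling: it assumes the Jetty 6 XML layout shown above, uses a constructed stand-in for tem-jetty.xml, and the function names and the extra port 80 connector are illustrative.

```python
"""Section 1, steps 4-8 as a script: put a cipher suite at the front of the
ExcludeCipherSuites array of the Jetty 6 SSL connectors on the given ports."""
import xml.etree.ElementTree as ET
# Constructed stand-in for tem-jetty.xml (the real file also has a DOCTYPE,
# which ElementTree accepts without fetching the DTD). Port 80 is illustrative.
SAMPLE_XML = """<Configure id="Server" class="org.mortbay.jetty.Server">
<Call name="addConnector"><Arg>
<New class="org.mortbay.jetty.security.SslSocketConnector">
<Set name="Port">443</Set>
<Set name="ExcludeCipherSuites"><Array type="java.lang.String">
<Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
</Array></Set></New></Arg></Call>
<Call name="addConnector"><Arg>
<New class="org.mortbay.jetty.security.SslSocketConnector">
<Set name="Port">9143</Set>
<Set name="ExcludeCipherSuites"><Array type="java.lang.String"/></Set>
</New></Arg></Call>
<Call name="addConnector"><Arg><New class="org.mortbay.jetty.nio.SelectChannelConnector">
<Set name="Port">80</Set></New></Arg></Call>
</Configure>"""

WEAK_DHE = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
CONNECTORS = "./Call[@name='addConnector']/Arg/New"
EXCLUDES = "./Set[@name='ExcludeCipherSuites']/Array"

def exclude_cipher(xml_text, ports=("443", "9143"), cipher=WEAK_DHE):
    """Insert <Item>cipher</Item> at the front of each matching connector's
    ExcludeCipherSuites array. Returns (new_xml, ports_changed); idempotent."""
    root = ET.fromstring(xml_text)
    changed = []
    for new in root.iterfind(CONNECTORS):
        port = new.findtext("./Set[@name='Port']", default="").strip()
        if port not in ports:
            continue  # other listeners (e.g. plain HTTP on 80) are left alone
        array = new.find(EXCLUDES)
        if array is None:
            raise ValueError(f"port {port}: no ExcludeCipherSuites element")
        if cipher in [i.text.strip() for i in array.iterfind("Item") if i.text]:
            continue  # already excluded; do not add a duplicate <Item>
        item = ET.Element("Item")
        item.text, item.tail = cipher, "\n"
        array.insert(0, item)  # step 6: the new item goes in front of the rest
        changed.append(port)
    return ET.tostring(root, encoding="unicode"), changed

def excluded_suites(xml_text, port):  # suites excluded on that port, in array order
    for new in ET.fromstring(xml_text).iterfind(CONNECTORS):
        if new.findtext("./Set[@name='Port']", default="").strip() == port:
            return [i.text.strip() for i in new.iterfind(EXCLUDES + "/Item")]
    return []
```

ET.tostring drops the file's XML declaration and DOCTYPE header, so re-add those lines before writing the result back over tem-jetty.xml; the default ports 443 and 9143 are the ones from steps 4 and 7.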
Section 2: Steps to disable the weak DHE cipher on RSA DLP Network Appliances:
1. Using PuTTY, log in to the network controller as the tablus user.
2. Exit the tabmenu to a shell by selecting 6 (Advanced) -> 1 (Exit to Shell). Press Enter after each selection.
3. In the shell, run: tabservice stop. This stops the DLP services.
4. Run: mv /opt/tablus/config/ssl/dh1024.pem /opt/tablus/config/ssl/dh1024.pem.backup. This backs up the file /opt/tablus/config/ssl/dh1024.pem as dh1024.pem.backup.
5. Run: openssl dhparam -check -text -5 2048 -out /opt/tablus/config/ssl/dh1024.pem (the file keeps its name; only the group size changes from 1024 to 2048 bits).
6. Use vi to open the file /opt/tablus/config/ssl/pc-initssl.sh (for example: vi /opt/tablus/config/ssl/pc-initssl.sh), then:
a. Locate the line openssl dhparam -check -text -5 1024 -out dh1024.pem
b. Change it to openssl dhparam -check -text -5 2048 -out dh1024.pem
c. Save the changes and quit vi.
7. Repeat step 6 with the file /opt/tablus/bin/initssl.sh.
8. Run: tabservice start. This starts the DLP services.
9. Repeat steps 1 to 7 for each of the network appliances.