When attempting to launch the RSA Identity Governance and Lifecycle UI the browser shows a "page can't be displayed" error due to outdated ciphers.
Originally Published: 2016-11-15
Article Number
Applies To
RSA Version/Condition: 4.2.x
Platform: All supported platforms.
Issue
This page can't be displayed
- The connection fails because of outdated ciphers.
- The error happens with the following browsers:
- Internet Explorer 11.0.36
- Chrome 54.0.2840.71 m (64-bit)
Cause
Cipher suites are various cryptographic algorithms that SSL, TLS, and HTTPS use to establish connections. Usually, browsers send a list of all the ciphers they support and the server checks among their supported list and chooses based on whats available.
Resolution
To resolve this issue, the cipher from /home/oracle/jboss/server/default/deploy/jboss-web.deployer/server.xml file. needs to be removed.
- Log on to the appliance from the SSH console using the root user.
- Navigate to /home/oracle/jboss/server/default/deploy/jboss-web.deployer/
- Take a backup of the /home/oracle/jboss/server/default/deploy/jboss-web.deployer/server.xml.
[root@server ~]# cd /home/oracle/jboss/server/default/deploy/jboss-web.deployer/ [root@server :~/jboss/server/default/deploy/jboss-web.deployer>]# cp -p server.xml server.xml_original
- Open and edit the server.xml file with a text editor, such as vi:
[root@server :~/jboss/server/default/deploy/jboss-web.deployer>]# vi server.xml
- The server.xml file, before editing, contains the following cipher suites:
keystorePass="Av3k5a15num83r0n3" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_FORTEZZA_KEA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_DSS_WITH_RC4_128_SHA,SSL_CK_RC4_128_WITH_MD5,SSL_CK_RC4_128_EXPORT40_WITH_MD5,SSL_CK_RC2_128_CBC_WITH_MD5,SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,SSL_CK_IDEA_128_CBC_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5"/>
- While inside the file and in Insert mode, search the .xml for the word ciphers by pressing Esc then either / or ? followed by the word ciphers, as below:
/ciphers
- Remove the ciphers= line listed above in step 5.
- Save the file, pressing Esc then :wq.
:wq
- Verify the change by executing the following command. After the edit above, the prompt should come back with no output.
[root@server :~/jboss/server/default/deploy/jboss-web.deployer> grep -i "Ciphers" server.xml [root@server :~/jboss/server/default/deploy/jboss-web.deployer>
- Restart acm:
acm stop acm start
- Launch the browser, go to the Identity Governance and Lifecycle UI and verify that it is now accessible.
Notes
NOTE: This issue was noticed in version 4.2, which is outdated.
The cipher "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" is in the list of pre-configured ciphers before version 6.5.
From version 6.5, The RSA Identity Governance and Lifecycle appliance is configured with the following two ciphers for SSL:
- l TLS_RSA_WITH_AES_128_CBC_SHA
- l TLS_RSA_WITH_AES_256_CBC_SHA
