Updating cipher suite permissions for Disconnected Log Collector

Harden your IBM Disconnected Log Collector instance by modifying the cipher suite permissions in Java™.

About this task

A cipher suite is a set of algorithms that are used to secure a connection between clients and servers by using the TLS or SSL protocols. During the handshake process, the client and server agree on which cipher suite to use to establish an HTTPS connection. After the cipher suite is agreed upon, the client and server proceed with the key exchange and the other parts of the connection setup.

Procedure

  1. Open the IBM® Java security file on your Disconnected Log Collector instance at /opt/ibm/java-x86_64-80/jre/lib/security/java.security.
  2. Locate the section that includes jdk.tls.disabledAlgorithms to find the list of restricted ciphers.
    For example, this output shows a list of restricted ciphers that are separated by commas, with a backslash (\) continuing the list on the next line:
    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
  3. Update the list of restricted ciphers by either listing a specific cipher suite or by specifying standard names that correspond to a group of cipher suites. Separate them with a comma, space, and backslash (, \).
    The following list includes, but is not limited to, examples of cipher suites that you can restrict:
    • SSL_RSA_WITH_AES_128_CBC_SHA
    • SSL_RSA_WITH_AES_256_CBC_SHA
    • SSL_RSA_WITH_AES_128_CBC_SHA256
    • SSL_RSA_WITH_AES_256_CBC_SHA256
    • SSL_RSA_WITH_AES_128_GCM_SHA256
    • SSL_RSA_WITH_AES_256_GCM_SHA384
  4. Save your changes and restart the Disconnected Log Collector instance by using the following command:
    systemctl restart dlc
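
To confirm the edit before you restart, the following added example (not part of the IBM documentation; the function names are hypothetical) reads the effective jdk.tls.disabledAlgorithms value, joining backslash-continued lines, and prints any suite name that is not an explicit entry in the list. It compares literal entries only, so a suite that is covered by a group name is still reported, and the sample file is constructed.

```sh
#!/bin/sh
# Added example, not IBM code; function names are hypothetical.

# Print the effective jdk.tls.disabledAlgorithms value from a java.security
# file, joining backslash-continued lines; a later definition replaces an earlier one.
disabled_algorithms() {
    awk '
        !cont && /^[ \t]*[#!]/ { next }          # comment line
        !cont {
            if ($0 !~ /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*[=:]/) next
            sub(/^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*[=:][ \t]*/, "")
            value = ""
        }
        {
            if (cont) sub(/^[ \t]+/, "")         # drop indentation on a continuation line
            cont = ($0 ~ /\\$/)                  # trailing backslash: value continues
            sub(/\\$/, "")
            value = value $0
        }
        END { print value }
    ' "$1"
}

# Print each name (arguments after the file) that is not an exact entry in the
# disabled list. Returns 1 if any name is missing, 0 if all are present.
missing_from_disabled() {
    file=$1; shift
    list=$(disabled_algorithms "$file" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    rc=0
    for name in "$@"; do
        printf '%s\n' "$list" | grep -Fxq -- "$name" || { printf '%s\n' "$name"; rc=1; }
    done
    return $rc
}

# Constructed sample: the example list from the procedure plus one added suite.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed java.security fragment
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC, \
    SSL_RSA_WITH_AES_128_CBC_SHA
EOF

# Prints SSL_RSA_WITH_AES_256_CBC_SHA, the one suite not yet in the list.
missing_from_disabled "$sample" SSL_RSA_WITH_AES_128_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA || true
```

On a real instance, pass the java.security path from step 1 in place of the sample file.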