Harden your IBM Disconnected Log Collector instance by restricting the TLS cipher suites that the IBM Java™ runtime is allowed to negotiate.
About this task
A cipher suite is a named set of algorithms (key exchange, authentication, bulk encryption, and message integrity) that secures a connection between a client and a server over the TLS or SSL protocols. During the TLS handshake, the client offers the suites it supports and the server selects one that both sides accept. After the cipher suite is agreed upon, the client and server proceed with the key exchange and the rest of the handshake. Removing weak suites from the list that Java may offer or accept ensures that no connection from this instance can be negotiated down to them.
Procedure
-
Open the IBM® Java security file on your Disconnected Log Collector instance at /opt/ibm/java-x86_64-80/jre/lib/security/java.security.
- Locate the jdk.tls.disabledAlgorithms property to find the list of restricted algorithms and cipher suites.
For example, this property restricts the entries listed. Entries are separated by commas; a backslash (\) at the end of a line continues the property onto the next line, as in any Java properties file:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
- Update the list of restricted entries by adding either a specific cipher suite name or a standard algorithm name that matches a group of cipher suites (for example, RC4 or anon). Separate entries with a comma and, if you break the list across lines, end each continued line with a backslash (, \). Restrict only suites that the peers this instance connects to do not require: a suite that is disabled here can no longer be negotiated, so verify connectivity after the restart.
The following examples, all static RSA key exchange suites that provide no forward secrecy, are cipher suites that you can restrict; the list is not exhaustive:
- SSL_RSA_WITH_AES_128_CBC_SHA
- SSL_RSA_WITH_AES_256_CBC_SHA
- SSL_RSA_WITH_AES_128_CBC_SHA256
- SSL_RSA_WITH_AES_256_CBC_SHA256
- SSL_RSA_WITH_AES_128_GCM_SHA256
- SSL_RSA_WITH_AES_256_GCM_SHA384
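The following is an added example, not from the IBM documentation, that applies steps 2 and 3 from the shell: it folds the backslash-continued jdk.tls.disabledAlgorithms property into one line, checks whether an entry is already restricted, and appends a cipher suite to the property without duplicating it. The java.security excerpt it operates on is constructed for the demonstration; the function names are the example's own. Point the functions at /opt/ibm/java-x86_64-80/jre/lib/security/java.security (as root, after taking a backup) to apply the same operations to the real file.

```shell
#!/bin/sh
# Added example: inspect and extend jdk.tls.disabledAlgorithms in a
# java.security-style file. Not part of the IBM product or its documentation.

# Write a constructed java.security excerpt (sample data, not the real file).
write_sample_security_file() {
  cat > "$1" <<'EOF'
# Constructed excerpt of a java.security file for demonstration only
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
EOF
}

# Print the effective value of jdk.tls.disabledAlgorithms with trailing
# backslash continuations joined into a single line, the way the Java
# properties loader reads them (leading whitespace of a continued line is dropped).
get_disabled_algorithms() {
  awk '
    /\\$/ { sub(/\\$/, ""); if (cont) sub(/^[ \t]+/, ""); buf = buf $0; cont = 1; next }
    { if (cont) sub(/^[ \t]+/, ""); print buf $0; buf = ""; cont = 0 }
  ' "$1" | grep '^jdk\.tls\.disabledAlgorithms=' | sed 's/^[^=]*=//'
}

# Succeed if NAME already appears as an entry of the property (exact match
# after trimming, so "DES" does not match "DESede" or "DES_CBC").
is_disabled() {
  get_disabled_algorithms "$1" \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -qxF -- "$2"
}

# Append NAME to the property as a new continuation line, idempotently.
# The property is left untouched if NAME is already present, and the
# function fails if the property is missing rather than silently doing nothing.
add_disabled_algorithm() {
  file="$1"; alg="$2"
  if [ -z "$(get_disabled_algorithms "$file")" ]; then
    echo "jdk.tls.disabledAlgorithms not found in $file" >&2
    return 1
  fi
  if is_disabled "$file" "$alg"; then
    return 0
  fi
  # The property's last line is the first line, from its start, that does not
  # end in a backslash; turn it into a continuation and add the new entry.
  awk -v alg="$alg" '
    /^jdk\.tls\.disabledAlgorithms=/ { inprop = 1 }
    inprop && !/\\$/ { print $0 ", \\"; print "    " alg; inprop = 0; next }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demonstration on the constructed file.
demo_file=$(mktemp)
write_sample_security_file "$demo_file"
echo "before: $(get_disabled_algorithms "$demo_file")"
add_disabled_algorithm "$demo_file" SSL_RSA_WITH_AES_128_CBC_SHA
echo "after:  $(get_disabled_algorithms "$demo_file")"
rm -f "$demo_file"
```

The exact-match check matters because jdk.tls.disabledAlgorithms entries are matched as whole names or constraints, so a substring test on the raw line would wrongly report that an entry like DES covers DES_CBC.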
- Save your changes and restart the Disconnected Log Collector instance by using the following command.