IBM Support

Cipher Specification for Administration Ports

Question & Answer


Question

Is it possible to control the cipher specs used for TAM internal communication such as port 7135 for the Policy Server?

Cause

Default settings fail SSL audit scans due to availability of weak ciphers.

Answer

Cipher settings for Policy Server port 7135, and for other TAM components, can be controlled using the GSK_V3_CIPHER_SPECS environment variable. Its value is a concatenation of two-character hexadecimal cipher codes.

For example,

pd_start stop
GSK_V3_CIPHER_SPECS="352F0A0405"
export GSK_V3_CIPHER_SPECS
pd_start start

This will allow:

35 TLS_RSA_WITH_AES_256_CBC_SHA (AES-256)
2F TLS_RSA_WITH_AES_128_CBC_SHA (AES-128)
0A Triple DES SHA US (DES-168)
04 RC4 MD5 US (RC4-128)
05 RC4 SHA US (RC4-128)

These are the allowed values for the ciphers:

00 - NULL NULL
01 - NULL MD5
02 - NULL SHA
03 - RC4 MD5 Export
04 - RC4 MD5 US
05 - RC4 SHA US
06 - RC2 MD5 Export
09 - DES SHA Export
62 - DES SHA Export1024
64 - RC4-56 SHA Export1024
0A - Triple DES SHA US
2F - TLS_RSA_WITH_AES_128_CBC_SHA
35 - TLS_RSA_WITH_AES_256_CBC_SHA
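
A pre-flight check for a GSK_V3_CIPHER_SPECS value, added here as an example (it is not IBM's code): it splits the string into two-character codes, looks each one up in the table above, and reports codes that are unknown or weak. The function names cipher_name and audit_cipher_specs are hypothetical, and treating NULL, Export, RC2, RC4, MD5, DES and Triple DES suites as weak is this example's assumption about what an SSL audit scan flags.

```shell
#!/bin/sh
# Added example: audit a GSK_V3_CIPHER_SPECS value against the technote's code table.
# Function names and the "weak" classification are assumptions of this example.

# Map a two-hex-digit code to the name listed in the technote; fail if not listed.
cipher_name() {
    case "$1" in
        00) echo "NULL NULL" ;;
        01) echo "NULL MD5" ;;
        02) echo "NULL SHA" ;;
        03) echo "RC4 MD5 Export" ;;
        04) echo "RC4 MD5 US" ;;
        05) echo "RC4 SHA US" ;;
        06) echo "RC2 MD5 Export" ;;
        09) echo "DES SHA Export" ;;
        62) echo "DES SHA Export1024" ;;
        64) echo "RC4-56 SHA Export1024" ;;
        0A) echo "Triple DES SHA US" ;;
        2F) echo "TLS_RSA_WITH_AES_128_CBC_SHA" ;;
        35) echo "TLS_RSA_WITH_AES_256_CBC_SHA" ;;
        *) return 1 ;;
    esac
}

# Print one "code status name" line per cipher. Return 1 if any code is weak or
# unknown, 2 if the value is empty or not a whole number of two-character codes.
audit_cipher_specs() {
    specs=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    rc=0
    [ -n "$specs" ] || return 2
    while [ -n "$specs" ]; do
        rest=${specs#??}
        [ "$rest" != "$specs" ] || return 2   # a single character is left over
        code=${specs%"$rest"}
        specs=$rest
        if ! name=$(cipher_name "$code"); then
            echo "$code UNKNOWN -"; rc=1; continue
        fi
        case "$name" in
            *NULL*|*Export*|*RC4*|*RC2*|*MD5*|*DES*) echo "$code WEAK $name"; rc=1 ;;
            *) echo "$code OK $name" ;;
        esac
    done
    return $rc
}

# The example value from this technote: 35 and 2F are reported OK, 0A/04/05 WEAK.
audit_cipher_specs "352F0A0405" || true
```

Run against the example value above, the check passes only the two AES suites, so a value of "352F" is the subset of that example that this check reports as clean.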

SSLv2 can be disabled by setting the following in ivmgrd.conf:

[ssl]
ssl-v2-enable = no


Product Synonym

TAMeB

Document Information

Modified date:
16 June 2018

UID

swg21636639