IBM Support

Disable RC4 for DataPower IBM Security Access Manager for DataPower Module

Flashes (Alerts)


Abstract

With the recent attention to RC4 “Bar Mitzvah” Attack for SSL/TLS, IBM recommends to disable RC4 in DataPower's ISAM Proxy Module.

Content


Upgrade the DataPower appliance firmware to version 7.1.0.5. Additionally, ensure RC4 ciphers are disabled in DataPower configuration referring to the steps below.

1. First, make sure you apply patches to your IBM Security Access Manager Appliance hosting the Policy Server.  These steps are described in the security bulletin CVE-2015-2808 (http://www-01.ibm.com/support/docview.wss?uid=swg21902389) for IBM Security Access Manager.

2. Next, make sure to Quiesce all domains and services to stop traffic to the appliance. System quiesce and unquiesce commands can be invoked by navigating to Administration --> Main --> System Control.

3. Next, for all domains where Security Access Manager objects are enabled, disable RC4 ciphers associated with Access Manager Runtime connection to LDAP.  Edit the ldap.conf as follows:

select Objects -> Security Access Manager -> Access Manager Runtime -> Manage Files -> Edit ldap.conf

Configure the following entries to use one or more of the ciphers listed in the tables at the end of this tech note. 

[ldap] 
ssl-tls-cipher-specs 
tls-v12-cipher-specs 

Note: Ensure that you remove any references to the following cipher numbers - 
01 02 03 04 05 06 09 62 64 

[uraf-registry] 
ssl-tls-cipher-specs 
tls-v12-cipher-specs 


Note: Ensure that you remove any references to the following ciphers: 
TLS_RSA_WITH_RC4_128_SHA 
TLS_RSA_WITH_RC4_128_MD5 
TLS_RSA_WITH_DES_CBC_SHA 
TLS_RSA_EXPORT_WITH_RC4_40_MD5 
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA 
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA 
TLS_RSA_WITH_NULL_SHA 
TLS_RSA_WITH_NULL_MD5 
TLS_RSA_WITH_NULL_SHA256 
TLS_ECDHE_RSA_WITH_NULL_SHA 
TLS_ECDHE_ECDSA_WITH_NULL_SHA 

4. For all domains where Security Access Manager objects are enabled, disable RC4 ciphers associated with Access Manager Reverse Proxy instances.  Edit each reverse proxy webseal.conf file as follows:

select Objects -> Security Access Manager -> Access Manager Reverse Proxy -> Manage Files -> Edit Configuration File

Under the [ssl] stanza, remove all references to RC4 ciphers from both the gsk_attr_name and the jct_gsk_attr_name attributes: 

Long Name 
----------------------------------- 
TLS_RSA_WITH_RC4_128_SHA 
TLS_RSA_WITH_RC4_128_MD5 
TLS_RSA_WITH_DES_CBC_SHA 
TLS_RSA_EXPORT_WITH_RC4_40_MD5 
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA 
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA 
TLS_RSA_WITH_NULL_SHA 
TLS_RSA_WITH_NULL_MD5 
TLS_RSA_WITH_NULL_SHA256 
TLS_ECDHE_RSA_WITH_NULL_SHA 
TLS_ECDHE_ECDSA_WITH_NULL_SHA 

Note - Any instance of the above ciphers should be removed. Configure your environment to use one or more of the ciphers listed in the tables at the end of this tech note. 

If the ssl-qop-mgmt attribute is set to “Yes” or "True", configure the default configuration entries in the [ssl-qop-mgmt-default] stanza to ensure that vulnerable ciphers are removed.

Note: Do not use a setting of 'ALL'. 

Ensure that the following ciphers are not present in the configured ciphers: 
default = RC4-40 
default = RC2-40 
default = DES-56 
default = DES-56-62 
default = RC4-56 
default = RC4-128 
default = RC2-128

If not already set, set the following attribute and values under the [ssl] stanza - 
gsk-attr-name = enum:471:0
jct-gsk-attr-name = enum:471:0

Note - If these attributes are already set to then this can remain in place. It should not have any affect for the mitigation plan.

You should verify applying this configuration change does not cause any compatibility issues. Not disabling the RC4 stream cipher will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the RC4 stream cipher and take appropriate mitigation and remediation actions.

Additional Information

The following ciphers remain valid:
For SSLv3, TLSv10, TLSv11

TLS_RSA_WITH_3DES_EDE_CBC_SHA0A
TLS_RSA_WITH_AES_128_CBC_SHA2F
TLS_RSA_WITH_AES_256_CBC_SHA35


For TLSv12

Long name
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

[{"Product":{"code":"SS9H2Y","label":"IBM DataPower Gateway"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Not Applicable","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"7.1;7.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
25 September 2022

UID

swg21960889

Page Feedback