How do I enable TLSv1.2 on ports 509, 5250 and 8443 and specify a cipherlist?

Document ID : KB000074517
Last Modified Date : 07/07/2018
Question:
How do I enable TLSv1.2 and disable TLSv1.X on ports 509, 5250, and 8443?

509: EEM (CA Directory, itechpoz)
5250: EEM GUI
8443: CA WCC Tomcat port (the default for non-SSL is 8080; the default for SSL is 8443)
Environment:
CA Embedded Entitlements Manager r12.51 CR05 (12.51.5.24)
CA Workload Control Center r11.4+
Answer:
----------
PORT 8443 (WCC)
----------
1. Navigate to the CA_WCC_INSTALL_LOCATION/tomcat/conf directory
2. Edit the server.xml file
3. Look for the sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" parameter
4. Between the quotation marks, remove everything except TLSv1.2
5. Save the file
6. Restart the WCC services

----------
PORT 5250 (EEM)
----------
1. Navigate to the IGW_LOC directory
2. Edit the igateway.conf file
3. Look for the <secureProtocol/> tag
4. Make the following edit: <secureProtocol>TLSv1_2</secureProtocol>
5. Save the file
6. Restart the iGateway service

Ciphers supported by EEM: 
https://comm.support.ca.com/kb/ca-embedded-entitlements-manager-available-ciphers-for-the-new-cipherlist-tag/kb000046312 

Example from igateway.conf:
<secureProtocol>TLSv1_2</secureProtocol>
<cipherlist>-ALL:HIGH:MEDIUM:!RC4</cipherlist>

----------
PORT 509 (CA Directory)
----------
TLSv1.2 is supported in EEM 12.6 for CA Directory. (This is because CALDAP, which is used to communicate between iGateway and CA Directory, does not support it in releases prior to 12.6.)
1. Navigate to the DXHOME/config/ssld directory
2. Edit the itechpoz.dxc file
3. Look for the protocol = tls parameter
4. Make the following edit: protocol = tlsv12
5. Save the file
6. Restart the dxserver (itechpoz service)

The same cipherlist document above can be used.
Example from itechpoz.dxc:

#  
# eiam repository  
#  
set ssl = {  
cert-dir = "config/ssld/personalities"  
ca-file = "config/ssld/itechpoz-trusted.pem"  
cipher=-ALL:HIGH:MEDIUM:!RC4  
protocol = tlsv12  
};  
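
One way to confirm that the three edits above are actually in the files, as an added example that is not part of the original article: each check reads the contents of server.xml, igateway.conf or itechpoz.dxc and reports any setting that still allows something other than TLSv1.2. The function names are hypothetical, the sample file contents are constructed, and the regular expressions assume the settings are written the way this article shows them.

```python
import re
import xml.etree.ElementTree as ET

def check_server_xml(text):
    """WCC Tomcat: each SSL connector must list TLSv1.2 and nothing else."""
    findings = []
    for conn in ET.fromstring(text).iter("Connector"):
        value = conn.get("sslEnabledProtocols")
        if value is None and conn.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP connector such as 8080
        protos = sorted({p.strip() for p in (value or "").split(",") if p.strip()})
        if protos != ["TLSv1.2"]:
            findings.append(f"server.xml port {conn.get('port')}: allows {protos or 'Tomcat defaults'}")
    return findings

def check_igateway_conf(text):
    """EEM iGateway: <secureProtocol> must carry the value TLSv1_2."""
    values = re.findall(r"<secureProtocol>\s*(.*?)\s*</secureProtocol>", text)
    if not values:  # empty <secureProtocol/> or a mistyped closing tag
        return ["igateway.conf: no <secureProtocol> value set"]
    return [f"igateway.conf: secureProtocol is {v!r}" for v in values if v != "TLSv1_2"]

def check_itechpoz_dxc(text):
    """CA Directory: the uncommented protocol line must read tlsv12."""
    values = re.findall(r"^[ \t]*protocol[ \t]*=[ \t]*(\S+)", text, re.MULTILINE)
    if not values:
        return ["itechpoz.dxc: no protocol parameter set"]
    return [f"itechpoz.dxc: protocol is {v!r}" for v in values if v != "tlsv12"]

def audit(cfg):
    return (check_server_xml(cfg["server.xml"]) + check_igateway_conf(cfg["igateway.conf"])
            + check_itechpoz_dxc(cfg["itechpoz.dxc"]))

# Constructed sample contents modelled on the snippets in this article.
BEFORE = {
    "server.xml": '<Server><Service><Connector port="8443" SSLEnabled="true" '
                  'sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"/></Service></Server>',
    "igateway.conf": "<secureProtocol/>\n",
    "itechpoz.dxc": "set ssl = {\n# protocol = tlsv12\nprotocol = tls\n};\n",
}
AFTER = {
    "server.xml": BEFORE["server.xml"].replace("TLSv1.2,TLSv1.1,TLSv1", "TLSv1.2"),
    "igateway.conf": "<secureProtocol>TLSv1_2</secureProtocol>\n",
    "itechpoz.dxc": "set ssl = {\ncipher=-ALL:HIGH:MEDIUM:!RC4\nprotocol = tlsv12\n};\n",
}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg) or "TLSv1.2 only")
```

An empty list from audit() means all three files restrict the protocol to TLSv1.2. This inspects the files only, so the services still have to be restarted as described in each procedure for the settings to apply.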

 
Additional Information:
Cipher Strings and what they include are in the OpenSSL doc below:
https://www.openssl.org/docs/man1.0.2/apps/ciphers.html