How to disable SSLv2 as well as weak SSL ciphers In Provisioning and C++ servers

Document ID : KB000019483
Last Modified Date : 14/02/2018

Description:

In accordance with PCI compliance policies, only 128 bit encryption or higher is allowed.

It's been detected that C++ Connector & Provisioning Servers allow SSLv2 protocol as well as weak SSL ciphers.

Client wants to disable SSLv2 as well as weak SSL ciphers.

Solution:

To allow only ciphers with more than 128-bit encryption (HIGH) and ciphers with 128-bit encryption (MEDIUM), and to exclude all SSL version 2.0 ciphers (-SSLv2), which use less than 128-bit encryption, add the TLSCipherSuite directive to both of the following files:
<Provisioning Server Home>\data\im_ccs.conf and
<Provisioning Server Home>\data\im_ps.conf,
so that the TLS section reads as follows:


# TLS server configuration data
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCertificateFile      "C:\\Program Files (x86)\\CA\\Identity Manager\\
 Provisioning Server\\data\\tls\\server\\eta2_servercert.pem"
TLSCertificateKeyFile   "C:\\Program Files (x86)\\CA\\Identity Manager\\
 Provisioning Server\\data\\tls\\server\\eta2_serverkey.pem"
TLSCACertificateFile    "C:\\Program Files (x86)\\CA\\Identity Manager\\
 Provisioning Server\\data\\tls\\et2_cacert.pem"
TLSRandomFile           "C:\\Program Files (x86)\\CA\\Identity Manager\\
 Provisioning Server\\data\\tls\\prng_seed"
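As an added verification step (not part of this article or of the product), the script below reads the TLSCipherSuite directive out of a conf excerpt like the one above and asks the locally installed OpenSSL which cipher suites the string selects, flagging anything below 128 bits. It assumes the conf uses slapd.conf-style continuation lines (a line starting with whitespace continues the previous one) and that the local OpenSSL's expansion approximates what the server's bundled OpenSSL will accept; the conf text is a constructed sample.

```python
import ssl

# Constructed excerpt of an im_ps.conf-style TLS section (sample text, not a real file).
# Leading-whitespace lines are treated as continuations of the previous line (assumption).
SAMPLE_CONF = r"""# TLS server configuration data
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCertificateFile      "C:\\Program Files (x86)\\CA\\Identity Manager\\
 Provisioning Server\\data\\tls\\server\\eta2_servercert.pem"
TLSCertificateKeyFile   "C:\\Program Files (x86)\\CA\\Identity Manager\\
 Provisioning Server\\data\\tls\\server\\eta2_serverkey.pem"
"""


def parse_tls_directives(text):
    """Return {directive: value} for the TLS* lines, with continuation lines joined."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                       # skip blank lines and comments
        if raw[0].isspace() and lines:
            lines[-1] += raw.strip()       # continuation: append to the previous directive
        else:
            lines.append(raw.strip())
    directives = {}
    for line in lines:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("TLS"):
            directives[parts[0]] = parts[1].strip('"')   # value kept as written (escapes intact)
    return directives


def expand_cipher_string(cipher_string):
    """Suites the local OpenSSL selects for an OpenSSL cipher string (approximates the server's view)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)         # raises ssl.SSLError when nothing matches
    return ctx.get_ciphers()


def weak_suites(cipher_string, min_bits=128):
    """Names of selected suites below min_bits of strength, or tied to SSLv2."""
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if c["strength_bits"] < min_bits or c["protocol"] == "SSLv2"]


if __name__ == "__main__":
    suite = parse_tls_directives(SAMPLE_CONF)["TLSCipherSuite"]
    print("TLSCipherSuite =", suite)
    for c in expand_cipher_string(suite):
        print(f"  {c['name']:<32} {c['protocol']:<8} {c['strength_bits']:>4} bits")
    print("Suites below 128 bits:", weak_suites(suite) or "none")
```

Recent OpenSSL builds contain no SSLv2 suites at all, so -SSLv2 removes nothing there, and OpenSSL 1.1.0 and later rate the 3DES suites in MEDIUM at 112 bits, so the check may list them; what the server actually accepts is decided by its own bundled OpenSSL.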