How to Disable TLS 1.0 in the CA API Gateway and Enterprise System Monitor ("ESM") Tools

Document ID : KB000010650
Last Modified Date : 26/10/2018
Introduction:

This how-to article describes the steps required to disable use of TLS v1.0 in the CA API Gateway and ESM components, for compliance with PCI DSS 3.1.

Background:

As per version 3.1 of the PCI Council's DSS, SSL and TLS v1.0 are no longer acceptable for PCI compliance after June 30, 2016. SSL and early TLS are not considered strong cryptography and cannot be used as a security control after that date. The best response is to disable SSL entirely and migrate to a more modern protocol, which at the time of publication means a minimum of TLS v1.1, although users are strongly encouraged to move to TLS v1.2.

Environment:

The provided solution was tested on SSG 8.x and 9.x series nodes with ESM 1.13 monitoring enabled on all nodes.

Instructions:

Follow the steps below to disable TLS 1.0 completely on the CA API Gateway and ESM components:

  1. Add -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 to Layer 7 Policy Manager.ini in your policy manager installation folder.
  2. Start Policy Manager and log in to the API Gateway using port 9443.
  3. Select Tasks > Manage Listen Ports.
  4. Select port 8443 (Default HTTPS) and click Properties.
  5. Select SSL/TLS Settings tab and leave only TLS v1.2 checked, then click OK.
  6. Similarly, select port 2124 (Node HTTPS 2124) and click Properties.
  7. Select SSL/TLS Settings tab and leave only TLS v1.2 checked, then click OK.
  8. Click Close, and then click Disconnect in Policy Manager to end the session.
  9. Now connect to the Gateway via SSH, login as ssgconfig, then choose 3) Use a privileged shell (root).
  10. Modify the Enterprise Manager launch script to add support for TLS v1.2: vi /opt/SecureSpan/EnterpriseManager/bin/enterprisemanager.sh
          EM_JAVA_OPTS="-XX:MaxPermSize=256m -Xmx512m -Djava.security.egd=file:/dev/./urandom -Dhttps.protocols=TLSv1.2"
  11. Modify the SecureSpan Process Controller launch script to add support for TLS v1.2: vi /opt/SecureSpan/Controller/bin/processcontroller.sh
          PC_JAVAOPT="-Djava.security.egd=file:/dev/./urandom -Dhttps.protocols=TLSv1.2"
  12. Modify the Host Controller properties file to add support for TLS v1.2: vi /opt/SecureSpan/Controller/etc/host.properties
          host.controller.sslProtocols=TLSv1.2
  13. Reboot the node.
  14. Steps 9 through 13 should be performed on all cluster nodes.
  15. Start Policy Manager and log in to the API Gateway using port 8443.
  16. Select Tasks > Manage Listen Ports.
  17. Select port 9443 (Default HTTPS) and click Properties.
  18. Select SSL/TLS Settings tab and leave only TLS v1.2 checked, then click OK.
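The shell script below is an added example and is not part of this CA knowledge base article or the product. It makes the file edits from steps 10 through 12 repeatable across cluster nodes (step 14) and adds a post-reboot check that the listen ports from steps 4, 6 and 17 refuse TLS 1.0 and TLS 1.1 handshakes. The file paths, variable names and property key come from the article; the function names, the GATEWAY_HOST variable and the constructed sample files are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the article's own procedure: idempotent helpers for the
# launch-script and host.properties edits, plus a TLS-version check.
set -eu

# set_property FILE KEY VALUE
# Replace an existing "KEY=..." line in a Java properties file, or append it.
set_property() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY -> prints the current value of KEY
get_property() {
    sed -n "s|^$2=||p" "$1"
}

# set_java_opt FILE VAR NAME VALUE
# Ensure the line VAR="..." in a launch script carries -DNAME=VALUE. Any earlier
# -DNAME=... token is removed first, so a stale "TLSv1,TLSv1.2" cannot survive.
set_java_opt() {
    file=$1; var=$2; name=$3; value=$4
    sed -i "/^${var}=\"/ s| *-D${name}=[^ \"]*||" "$file"
    sed -i "/^${var}=\"/ s|\"$| -D${name}=${value}\"|" "$file"
}

# get_java_opt FILE VAR NAME -> prints the value of -DNAME=... on the VAR line
get_java_opt() {
    sed -n "/^$2=\"/ s|.*-D$3=\([^ \"]*\).*|\1|p" "$1"
}

# refuses_protocol HOST PORT FLAG
# Returns 0 when the listener rejects a handshake forced to the legacy version
# named by the openssl flag (-tls1 or -tls1_1), i.e. that version is off.
refuses_protocol() {
    if openssl s_client -connect "$1:$2" "$3" </dev/null >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Demo on a constructed copy of the process controller line (not the live file).
demo=$(mktemp)
printf 'PC_JAVAOPT="-Djava.security.egd=file:/dev/./urandom"\n' > "$demo"
set_java_opt "$demo" PC_JAVAOPT https.protocols TLSv1.2
cat "$demo"
rm -f "$demo"

# Apply to the real files only when asked, e.g. APPLY=1 sh tls12.sh (as root).
if [ "${APPLY:-0}" = "1" ]; then
    set_java_opt /opt/SecureSpan/EnterpriseManager/bin/enterprisemanager.sh \
        EM_JAVA_OPTS https.protocols TLSv1.2
    set_java_opt /opt/SecureSpan/Controller/bin/processcontroller.sh \
        PC_JAVAOPT https.protocols TLSv1.2
    set_property /opt/SecureSpan/Controller/etc/host.properties \
        host.controller.sslProtocols TLSv1.2
fi

# After the reboot: GATEWAY_HOST=gw1.example.internal sh tls12.sh
if [ -n "${GATEWAY_HOST:-}" ]; then
    for port in 8443 9443 2124; do
        for flag in -tls1 -tls1_1; do
            if refuses_protocol "$GATEWAY_HOST" "$port" "$flag"; then
                echo "$GATEWAY_HOST:$port refuses $flag"
            else
                echo "WARNING: $GATEWAY_HOST:$port still accepts $flag"
            fi
        done
    done
fi
```

One caveat on the check: a "refuses" result only means something if the openssl build doing the check can itself still negotiate TLS 1.0 and 1.1. Recent OpenSSL 3 builds disable those versions at their default security level, so confirm with a known TLS 1.0 listener (or run `openssl s_client -connect HOST:PORT -tls1_2` alongside, which must succeed) before trusting a negative.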