How to remove the RC4 vulnerability within EEM

Document ID : KB000038960
Last Modified Date : 14/02/2018

Introduction: 

A security scan reports that EEM allows SSL/TLS communication using the RC4 cipher:

  • SSL Server supports Weak Encryption Vulnerability.
  • SSL/TLS use of weak RC4 cipher.

Port 509 is used for communication between EEM Server and CA Directory. 

The default cipher suite for CA Directory allows RC4.

Question: 

How can I remove the RC4 vulnerability from the configuration?

Environment:  

CA EEM 12.x on Windows/Unix/Linux platforms.

Answer: 

1. Modify the file "itechpoz.dxc", located in:

  • Windows:      %DXHOME%\config\ssld
  • Unix/Linux:   $DXHOME/config/ssld

2. Add the following parameter to itechpoz.dxc to disable the RC4 cipher suites:

cipher = "ALL:!ADH:!DES:!LOW:!EXPORT40:!RC4"

The itechpoz.dxc file would look like this after adding the parameter:

set ssl = {
    cert-dir = "config/ssld/personalities"
    ca-file = "config/ssld/itechpoz-trusted.pem"
    cipher = "ALL:!ADH:!DES:!LOW:!EXPORT40:!RC4"
    protocol = tls
};

 

3. Recycle dxserver:

  • Windows
    • dxserver stop all
    • dxserver start all
  • Unix/Linux
    • su - dsa -c "dxserver stop all"
    • su - dsa -c "dxserver start all"

 

Additional Information:

The syntax of the cipher string ("ALL:!ADH:!DES:!LOW:!EXPORT40:!RC4") is described in the OpenSSL ciphers documentation:

http://www.openssl.org/docs/apps/ciphers.html
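The following Python script is an added example, not code from the CA KB article or from CA Directory. It shows what the operators in the KB's cipher string do (in particular why "!RC4" is used rather than "-RC4"), using a small constructed table of cipher suites and a simplified version of the rules in the OpenSSL ciphers(1) manual: a bare keyword appends matching suites, "-" removes them but a later keyword can add them back, "!" removes them permanently, and "+" moves them to the end. It also extracts the cipher line from a constructed before/after itechpoz.dxc, assuming the file uses exactly the "set ssl = { ... };" layout shown above; real OpenSSL's suite catalogue, ordering and keyword coverage are richer than this toy table.

```python
import re

# Constructed sample catalogue: (suite name, keywords OpenSSL would match it with).
# Real OpenSSL derives these from its compiled-in cipher table; this toy table
# only holds enough entries to show how the KB's cipher string behaves.
SAMPLE_SUITES = [
    ("ECDHE-RSA-AES256-GCM-SHA384", {"ALL", "HIGH", "AES", "kECDHE", "aRSA"}),
    ("AES128-SHA",                  {"ALL", "HIGH", "AES", "kRSA", "aRSA"}),
    ("RC4-SHA",                     {"ALL", "MEDIUM", "RC4", "kRSA", "aRSA"}),
    ("RC4-MD5",                     {"ALL", "MEDIUM", "RC4", "MD5", "kRSA", "aRSA"}),
    ("DES-CBC-SHA",                 {"ALL", "LOW", "DES", "kRSA", "aRSA"}),
    ("EXP-RC4-MD5",                 {"ALL", "EXPORT", "EXPORT40", "RC4", "MD5", "kRSA", "aRSA"}),
    ("ADH-AES128-SHA",              {"ALL", "HIGH", "AES", "ADH", "kEDH", "aNULL"}),
]


def evaluate_cipher_string(cipher_string, suites=SAMPLE_SUITES):
    """Return the ordered list of suites an OpenSSL-style cipher string enables.

    Operators follow ciphers(1): a bare keyword appends matching suites that are
    not already present, '-' removes them (a later keyword may add them back),
    '!' removes them permanently, '+' moves them to the end of the list.
    'A+B' inside a keyword means a suite must match both A and B.
    """
    selected = []   # suites currently enabled, in preference order
    killed = set()  # suites deleted with '!'; they can never be re-added
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token:
            continue
        op, keyword = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        required = set(keyword.split("+"))
        matching = [name for name, kws in suites if required <= kws]
        if op == "!":
            killed.update(matching)
            selected = [s for s in selected if s not in killed]
        elif op == "-":
            selected = [s for s in selected if s not in matching]
        elif op == "+":
            moved = [s for s in selected if s in matching]
            selected = [s for s in selected if s not in matching] + moved
        else:
            for name in matching:
                if name not in selected and name not in killed:
                    selected.append(name)
    return selected


def allows_rc4(cipher_string, suites=SAMPLE_SUITES):
    """True if any suite left enabled by the cipher string uses RC4."""
    keywords = dict(suites)
    return any("RC4" in keywords[s] for s in evaluate_cipher_string(cipher_string, suites))


def cipher_from_dxc(dxc_text):
    """Extract the cipher string from the 'set ssl = { ... };' block of a .dxc file.

    Returns None when the block has no cipher line, meaning the product default
    applies (which the KB says still permits RC4). The layout is assumed to
    match the KB's example; the regex is an assumption, not the DXserver parser.
    """
    block = re.search(r"set\s+ssl\s*=\s*\{(.*?)\}\s*;", dxc_text, re.S)
    if not block:
        return None
    match = re.search(r'\bcipher\s*=\s*"([^"]*)"', block.group(1))
    return match.group(1) if match else None


# Constructed before/after versions of itechpoz.dxc, following the KB's layout.
DXC_BEFORE = """set ssl = {
    cert-dir = "config/ssld/personalities"
    ca-file = "config/ssld/itechpoz-trusted.pem"
    protocol = tls
};
"""
DXC_AFTER = """set ssl = {
    cert-dir = "config/ssld/personalities"
    ca-file = "config/ssld/itechpoz-trusted.pem"
    cipher = "ALL:!ADH:!DES:!LOW:!EXPORT40:!RC4"
    protocol = tls
};
"""

if __name__ == "__main__":
    for label, text in (("before", DXC_BEFORE), ("after", DXC_AFTER)):
        cipher = cipher_from_dxc(text)
        if cipher is None:
            print(f"{label}: no cipher line, product default applies")
        else:
            print(f"{label}: {cipher} -> enables {evaluate_cipher_string(cipher)}")
    # '!' versus '-': only '!' keeps RC4 out when a later keyword names it again.
    print("ALL:-RC4:RC4 allows RC4:", allows_rc4("ALL:-RC4:RC4"))
    print("ALL:!RC4:RC4 allows RC4:", allows_rc4("ALL:!RC4:RC4"))
```

With the KB's string, only the AES suites in the toy table survive; "ALL:-RC4:RC4" shows the trap the "!" operator avoids, since "-RC4" lets a later "RC4" keyword re-enable the cipher. After recycling dxserver, confirm the change from outside the host with `openssl s_client -connect <eem-host>:509 -cipher RC4` (placeholder host), which should now fail to negotiate a session, and re-run the original scan.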