How to restrict CA Privileged Identity Manager Message Queue (Tibco) SSL ciphers.

Document ID : KB000047642
Last Modified Date : 14/02/2018

Introduction: 

Running sslscan against port 7243 shows vulnerable ciphers.

Environment:  

Enterprise Manager 12.8+

Tibco 8.2.2

Instructions: 

You can update which ciphers CA Privileged Identity Manager Message Queue (Tibco) uses, to make it more secure and disable unwanted ones.

Edit the tibemsd.conf file on ALL management servers and set the following tokens:

ssl_server_ciphers = !RC4-MD5:!RC4-SHA:!DES-CBC-SHA:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EDH-DSS-DES-CBC-SHA:!EDH-RSA-DES-CBC-SHA:!EXP-EDH-DSS-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EDH-RSA-DES-CBC-SHA:!DES-CBC-SHA:!EDH-RSA-DES-CBC-SHA:!DES-CBC-SHA:ALL 

ssl_dh_size = 2048 
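
Because the change has to be made on ALL management servers, a small audit of each server's tibemsd.conf catches a host that was missed. The script below is an added example, not part of the original CA document or of Tibco's tooling; the function names and both sample configs are constructed for illustration, and it assumes lines starting with '#' are comments.

```python
# Added example: check a tibemsd.conf against the two settings in this article.
REQUIRED_EXCLUSIONS = {  # names from the article's ssl_server_ciphers line, deduplicated
    "RC4-MD5", "RC4-SHA", "DES-CBC-SHA", "EXP-RC4-MD5", "EXP-DES-CBC-SHA",
    "EDH-DSS-DES-CBC-SHA", "EDH-RSA-DES-CBC-SHA",
    "EXP-EDH-DSS-DES-CBC-SHA", "EXP-EDH-RSA-DES-CBC-SHA",
}
REQUIRED_DH_SIZE = "2048"

def parse_settings(conf_text):
    """Return {key: value} for 'key = value' lines; the last assignment wins."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def audit(conf_text):
    """Return a list of findings; an empty list means the file matches the article."""
    settings = parse_settings(conf_text)
    findings = []
    tokens = [t for t in settings.get("ssl_server_ciphers", "").split(":") if t]
    if not tokens:
        findings.append("ssl_server_ciphers is not set")
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    for name in sorted(REQUIRED_EXCLUSIONS - excluded):
        findings.append(f"missing exclusion: !{name}")
    dh = settings.get("ssl_dh_size")
    if dh != REQUIRED_DH_SIZE:
        findings.append(f"ssl_dh_size is {dh!r}, expected {REQUIRED_DH_SIZE}")
    return findings

# Constructed sample 1: the article's settings, verbatim.
GOOD_CONF = (
    "ssl_server_ciphers = !RC4-MD5:!RC4-SHA:!DES-CBC-SHA:!EXP-RC4-MD5:"
    "!EXP-DES-CBC-SHA:!EDH-DSS-DES-CBC-SHA:!EDH-RSA-DES-CBC-SHA:"
    "!EXP-EDH-DSS-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EDH-RSA-DES-CBC-SHA:"
    "!DES-CBC-SHA:!EDH-RSA-DES-CBC-SHA:!DES-CBC-SHA:ALL\n"
    "ssl_dh_size = 2048\n"
)
# Constructed sample 2: a server that drifted (one exclusion lost, DH size lowered).
DRIFTED_CONF = GOOD_CONF.replace("!RC4-SHA:", "").replace(
    "ssl_dh_size = 2048", "#ssl_dh_size = 2048\nssl_dh_size = 1024")

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONF), ("drifted", DRIFTED_CONF)):
        print(label, audit(text) or "OK")
```

A clean audit only confirms the file contents; re-running sslscan against port 7243 confirms what the running server actually offers.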

Additional Information:

The Tibco patch to 8.2.2 is required for these settings to work correctly. This patch is provided only through a Support case. You can verify your version by running the Start EMS Administration Tool (tibemsadmin), which shows the version in its copyright notice.