000030857 - How to disable weaker DHE cipher modes (Logjam) in RSA DLP?

Document created by RSA Customer Support Employee on Jun 14, 2016

Article Content

Article Number: 000030857
Applies To:
RSA Product Set: RSA Data Loss Prevention
RSA Product/Service Type: RSA Data Loss Prevention
RSA Version/Condition: 9.5.x, 9.6.x
Platform: Linux - CentOS 6.x x64

OS: Linux (x64) - CentOS 6.x
CVE ID: CVE-2015-4000
Scanning Tool and Version: N/A
Article Summary: How to apply the fix for the Logjam TLS vulnerability (weaker ciphers only) to RSA DLP 9.5 and 9.6 Network Appliances and Enterprise Manager?
Link to Advisories: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000
Technical Details Explanation: There are two sets of steps to disable weak DHE ciphers. The first set applies to the Enterprise Manager system and the second set applies to the Network Appliance systems. Both sets of steps must be applied to complete the configuration.

Section 1: Steps to disable weak DHE cipher on the Enterprise Manager system:
1. Stop RSA DLP Enterprise Manager Service from the Service Console (services.msc).

2. Use Windows Explorer to navigate to the Enterprise Manager installation directory, then to its etc folder (e.g. C:\Program Files (x86)\RSA\Enterprise Manager\etc).

3. Locate the tem-jetty.xml file and open it in Notepad.

4. Search for the addConnector section that listens on port 443. The start of the section will be as follows:

<Call name="addConnector">
  <Arg>
    <New class="org.mortbay.jetty.security.SslSocketConnector">
      <Set name="Port">443</Set>
      .....


5. Locate the ExcludeCipherSuites element within that addConnector section.

6. Add a new Item, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, to the element, placing it in front of the existing cipher items. The result will be as follows:

<Set name="ExcludeCipherSuites">
  <Array type="java.lang.String">
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
    <Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    ...
  </Array>
</Set>


7. Navigate to the addConnector section for port 9143 and locate its ExcludeCipherSuites element.

8. Repeat step 6 on this element.

9. Save tem-jetty.xml.

10. Use services.msc to start the RSA DLP Enterprise Manager Service.

Section 2: Steps to disable weak DHE ciphers on RSA DLP Network Appliances:
1. Using PuTTY, log in to the network controller as the tablus user.

2. Exit the tabmenu to a shell by selecting 6 (Advanced) -> 1 (Exit to Shell). Press Enter after each selection.

3. On the shell, type in the command:
tabservice stop
This will stop the DLP services.

4. Type in the command:
mv /opt/tablus/config/ssl/dh1024.pem /opt/tablus/config/ssl/dh1024.pem.backup
This takes a backup of the file /opt/tablus/config/ssl/dh1024.pem as dh1024.pem.backup.

5. Type in the command:
openssl dhparam -check -text -5 2048 -out /opt/tablus/config/ssl/dh1024.pem

6. Use vi to open the file /opt/tablus/config/ssl/pc-initssl.sh (sample command: vi /opt/tablus/config/ssl/pc-initssl.sh), then:
a. Locate the line
openssl dhparam -check -text -5 1024 -out dh1024.pem
b. Modify the line to
openssl dhparam -check -text -5 2048 -out dh1024.pem
c. Save the changes and quit vi.

7. Repeat step 6 with the file /opt/tablus/bin/initssl.sh.

8. Type in the command:
tabservice start
This will start the DLP services.

9. Repeat steps 1 through 7 for each of the network appliances.
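As an added verification example (not part of the RSA article), the following Python script checks both halves of the fix offline: that TLS_DHE_RSA_WITH_AES_128_CBC_SHA is listed under ExcludeCipherSuites for each SslSocketConnector in tem-jetty.xml, and that the regenerated dh1024.pem really holds 2048-bit parameters, by decoding the PKCS#3 DH PARAMETERS structure (SEQUENCE { INTEGER p, INTEGER g }) the PEM carries. The XML is a constructed, shortened stand-in for the shipped file, and constructed_dh_pem() only builds a syntactically valid placeholder file (its modulus is not prime) so the parser can be exercised without openssl.

```python
import base64
import xml.etree.ElementTree as ET
WEAK_DHE = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
SSL_CONNECTOR = "org.mortbay.jetty.security.SslSocketConnector"
SAMPLE_JETTY_XML = """<Configure class="org.mortbay.jetty.Server">
  <Call name="addConnector"><Arg><New class="%s"><Set name="Port">443</Set>
    <Set name="ExcludeCipherSuites"><Array type="java.lang.String">
      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
      <Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array></Set></New></Arg></Call>
  <Call name="addConnector"><Arg><New class="%s"><Set name="Port">9143</Set>
    <Set name="ExcludeCipherSuites"><Array type="java.lang.String">
      <Item>SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array></Set></New></Arg></Call>
</Configure>""" % (SSL_CONNECTOR, SSL_CONNECTOR)  # constructed stand-in: 443 done (step 6), 9143 not yet

def check_jetty_exclusions(xml_text):
    """Map each SslSocketConnector port to True if WEAK_DHE is in its ExcludeCipherSuites."""
    result = {}
    for new in ET.fromstring(xml_text).iter("New"):
        if new.get("class") != SSL_CONNECTOR:
            continue
        sets = {s.get("name"): s for s in new.findall("Set")}
        items = [i.text.strip() for i in sets["ExcludeCipherSuites"].iter("Item") if i.text]
        result[int(sets["Port"].text)] = WEAK_DHE in items
    return result

def _der_len(buf, pos):  # decode a DER length at buf[pos] -> (length, position after it)
    n = buf[pos] & 0x7F  # short form: n is the length itself; long form: n counts the length bytes
    return (n, pos + 1) if buf[pos] < 0x80 else (int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n)

def dh_modulus_bits(pem_text):
    """Bit length of p in a PEM 'DH PARAMETERS' block (PKCS#3: SEQUENCE { INTEGER p, INTEGER g })."""
    b64 = pem_text.split("-----BEGIN DH PARAMETERS-----")[1].split("-----END")[0]
    der = base64.b64decode("".join(b64.split()))
    _, pos = _der_len(der, 1)  # step over the SEQUENCE header to its first element
    if der[0] != 0x30 or der[pos] != 0x02:
        raise ValueError("not a DER SEQUENCE that starts with INTEGER p")
    plen, pos = _der_len(der, pos + 1)
    return int.from_bytes(der[pos:pos + plen], "big").bit_length()

def _der_len_enc(n):  # encode a DER length: short form below 128, otherwise minimal long form
    nb = (n.bit_length() + 7) // 8
    return bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")

def constructed_dh_pem(bits):  # placeholder (NOT prime) modulus, only to exercise dh_modulus_bits()
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # spare leading byte keeps the sign bit clear
    body = b"\x02" + _der_len_enc(len(p)) + p + b"\x02\x01\x02"  # INTEGER p, then INTEGER g = 2
    b64 = base64.b64encode(b"\x30" + _der_len_enc(len(body)) + body).decode()
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % b64
```

On an appliance, pass the contents of /opt/tablus/config/ssl/dh1024.pem to dh_modulus_bits() and expect 2048 after step 5; on the Enterprise Manager, every port reported by check_jetty_exclusions() should be True after steps 6 and 8.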

 

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800 995 5095. RSA Corporation distributes RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
