|Applies To||RSA Product Set: RSA Data Loss Prevention|
RSA Product/Service Type: RSA Data Loss Prevention
RSA Version/Condition: 9.5.x, 9.6.x
Platform: Linux - CentOS 6.x x64
|OS||Linux (x64) - CentOS 6.x|
|Scanning Tool and Version||N/A|
|Article Summary||How to apply the fix for Logjam TLS vulnerability (Weaker ciphers only) of RSA DLP 9.5 and 9.6 Network Appliances and Enterprise Manager?|
|Link to Advisories||https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000|
|Technical Details Explanation||There are 2 set of steps to disable weak DHE ciphers. The first set applies to the Enterprise Manager system, and the second set applies to the Network Appliance systems. You would need to apply both set of steps to complete the configurations|
Section 1: Steps to disable weak DHE cipher on the Enterprise Manager system:
1. Stop RSA DLP Enterprise Manager Service from the Service Console (services.msc).
2. Use windows explorer to navigate to the Enterprise Manager Installation directory, then to the to etc folder. (eg: C:\Program Files (x86)\RSA\Enterprise Manager\etc)
3. Locate the tem-jetty.xml file and use notepad to open the file.
4. Search for the addconnector sections that is used to listen to port 443. The start of the section will be as follow:
5. Locate the element ExcludeCipherSuites within the addconnector section
6. Add new Item TLS_DHE_RSA_WITH_AES_128_CBC_SHA to the element. Add it to the front with rest of the cipher items. Sample code will be as follow
7. Navigate to addConnector section for port 9143, and locate the ExcludeCipherSuites element
8. Repeat step 6 on this element.
9. Save tem-jetty.xml
10. Use services.msc to start RSA DLP Enterprise Manager Service.
Section 2: Steps to disable weak DHE cipher on RSA DLP Network Appliances:
1. Using putty, login to the network controller as tablus user.
2. Exit the tabmenu into shell by selecting 6 (Advanced) -> 1 (Exit to Shell). Press Enter each time enter the selection
3. On the shell, type in the command: tabservice stop. This will stop the DLP services
3. Type in the command: mv /opt/tablus/config/ssl/dh1024.pem /opt/tablus/config/ssl/dh1024.pem.backup. This will take a backup of the file /opt/tablus/config/ssl/dh1024.pem as dh1024.pem.backup
4. Type in the command: openssl dhparam -check -text -5 2048 -out /opt/tablus/config/ssl/dh1024.pem
5. Use vi to open the file /opt/tablus/config/ssl/pc-initssl.sh. Sample command will be: vi /opt/tablus/config/ssl/pc-initssl.sh.
a. Locate the line openssl dhparam -check -text -5 1024 -out dh1024.pem
b. Modify the line to openssl dhparam -check -text -5 2048 -out dh1024.pem
c. Save the changes and quit vi
6. Repeat step 5 with the file /opt/tablus/bin/initssl.sh
7. Type in the command: tabservice start .This will start the "DLP Services"
8. Repeat step 1 to step 6 for each of the network appliance
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Corporation distributes RSA Security Advisories, in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.