Applies To: RSA Key Manager Server 2.7 SP1; Tomcat Application Server; Redhat Linux 5.1
Issue: Can RKM be configured to limit the algorithms it supports?
Question regarding the algorithms supported by RSA RKM: is there any way to restrict or refuse insecure or deprecated algorithms such as RC2, RC4, etc.?
Some of the supported algorithms are weak (for example RC4, RC5 and DES) and we do not want them to be used.
Resolution: The cipher suites accepted by the web server that sits in front of Tomcat and RKM are controlled by the SSLCipherSuite directive (mod_ssl) in the Apache httpd configuration files.
The specifics of setting that directive can be found in the Apache httpd documentation here:
Restricting the cipher suites on the server ensures that connections are negotiated with approved cipher suites only, regardless of which suites a connecting client advertises.
This corresponds to the latest RKM appliance version. You can test setting that string in your environment so that your server accepts the same cipher suites as the appliance.
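The following httpd fragment is an added illustration and is not the appliance's own configuration (the article does not reproduce the exact string the appliance uses). It shows a permissive SSLCipherSuite value that still admits RC4 and DES next to a restricted one that excludes the algorithms asked about, using only directives and OpenSSL cipher aliases that exist in the httpd 2.2 / OpenSSL 0.9.8 generation shipped with Redhat Linux 5. The exclusion list is an assumed example; adjust it to the suites your clients actually need.

```apache
# Weak (example only): "ALL" expands to every suite the OpenSSL build knows,
# including RC4, DES, RC2 and export-grade suites, so a client that offers
# RC4-MD5 can negotiate it.
SSLProtocol all
SSLCipherSuite ALL

# Restricted (example): only the HIGH strength group, with anonymous, NULL,
# export, single DES, 3DES, RC2, RC4 and MD5-based suites explicitly removed.
# Also disable SSLv2, which cannot be hardened by cipher selection alone.
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC2:!RC4:!MD5
# Let the server's preference order win rather than the client's.
SSLHonorCipherOrder on
```

On a Redhat 5 host these directives normally live in /etc/httpd/conf.d/ssl.conf inside the SSL virtual host. Before restarting httpd, expand the string on the server with `openssl ciphers -v 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC2:!RC4:!MD5'` and confirm no RC4 or DES suite is listed; after the restart, `openssl s_client -cipher RC4 -connect host:443` from a client should fail the handshake.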
For the algorithms associated with keys stored on the server, configure this through the server administration GUI: specify the permitted algorithm information in a crypto policy and associate that policy with the relevant key classes.
For the algorithms that the RKM client supports: if you do not want them used, the client application must not request them, and the keys must be associated with the correct crypto policy.
In summary, outside of the SSL/TLS configuration, the algorithms used by the system are determined by your configuration: algorithms you choose to use will be used, and those you choose not to use will not be.
Legacy Article ID: a54542