000026251 - Can RKM be configured to limit algorithms supported?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000026251
Applies To: RSA Key Manager Server 2.7 SP1
Apache Webserver
Tomcat Application Server
Redhat Linux 5.1
Issue: Can RKM be configured to limit algorithms supported?

Question in regards to the supported algorithms of the RSA RKM: need to know if there is any way to restrict or refuse insecure or deprecated algorithms such as RC2, RC4, etc.

There are supported algorithms that are weak and we do not want them to be used, such as RC4, RC5, DES? etc.

Resolution

To restrict the cipher suites accepted by the web server that sits in front of Tomcat and RKM, use the SSLCipherSuite directive in the Apache configuration files.

The specifics of setting that directive can be found in the Apache httpd documentation here:

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

Adjusting the configuration on the server ensures that connections are made with approved/desired cipher suites only, regardless of what a connecting client advertises it supports.

For reference, the following is the SSLCipherSuite configuration from an RKM appliance 2.7 SP1 system:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH+MEDIUM

This is for the latest RKM appliance version. You can test setting that string in your environment to match what the appliance is accepting.
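Note that the appliance string above still carries an explicit RC4+RSA term and admits MEDIUM-strength suites, so on its own it does not exclude RC4. The following is an added example, not code from the article or from RKM: a small Python model of how OpenSSL resolves such a string over a constructed suite table, comparing the appliance string with an assumed hardened variant that adds !RC4 and !MEDIUM; the authoritative check remains `openssl ciphers -v '<string>'` on the server itself.

```python
"""Toy model of how OpenSSL resolves an SSLCipherSuite string.

The suite table is constructed for illustration; the evaluator covers
the operators used in Apache cipher strings: bare word (add),
! (remove for good), - (remove, may be re-added), + (move existing
matches to the end) and A+B (suite must match both aliases).
"""

# Constructed table: suite name -> aliases it matches. NULL-SHA is
# kept out of ALL because OpenSSL excludes eNULL suites from ALL.
SUITES = {
    "AES256-SHA":         {"ALL", "kRSA", "RSA", "aRSA", "AES", "HIGH"},
    "DHE-RSA-AES256-SHA": {"ALL", "kEDH", "aRSA", "AES", "HIGH"},
    "RC4-SHA":            {"ALL", "kRSA", "RSA", "aRSA", "RC4", "MEDIUM"},
    "DES-CBC-SHA":        {"ALL", "kRSA", "RSA", "aRSA", "DES", "LOW"},
    "EXP-RC4-MD5":        {"ALL", "kRSA", "RSA", "aRSA", "RC4", "EXP"},
    "ADH-AES256-SHA":     {"ALL", "kEDH", "ADH", "aNULL", "AES", "HIGH"},
    "NULL-SHA":           {"kRSA", "RSA", "aRSA", "eNULL"},
}

APPLIANCE_SPEC = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH+MEDIUM"
# Hardened variant assumed for the comparison; not a vendor-supplied setting.
HARDENED_SPEC = "ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!MEDIUM"


def matches(aliases, term):
    """An A+B term requires every listed alias to be present on the suite."""
    return all(part in aliases for part in term.split("+"))


def evaluate(spec, suites=SUITES):
    """Return the ordered list of suites the cipher string permits."""
    enabled, banned = [], set()
    for token in spec.split(":"):
        if not token or token.startswith("@"):   # skip empty / @STRENGTH
            continue
        op, term = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [n for n, a in suites.items() if matches(a, term)]
        if op == "!":                 # drop now and forbid re-adding later
            banned.update(hits)
            enabled = [n for n in enabled if n not in banned]
        elif op == "-":               # drop, but a later bare term may re-add
            enabled = [n for n in enabled if n not in hits]
        elif op == "+":               # demote existing matches to the end
            enabled = [n for n in enabled if n not in hits] + \
                      [n for n in enabled if n in hits]
        else:                         # append new matches not already present
            enabled += [n for n in hits if n not in enabled and n not in banned]
    return enabled


if __name__ == "__main__":
    for label, spec in (("appliance", APPLIANCE_SPEC), ("hardened", HARDENED_SPEC)):
        print(f"{label:9s} -> {evaluate(spec)}")
```

Against this table the appliance string resolves to AES256-SHA, DHE-RSA-AES256-SHA and RC4-SHA, and the trailing +HIGH+MEDIUM term moves nothing because no suite is both HIGH and MEDIUM.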
For algorithms associated with keys stored on the server, configure this via the server administration GUI: specify the algorithm information in a crypto policy and associate that policy with key classes.

For algorithms that the RKM client supports: if you do not want those algorithms used, the solution is for the client application not to use them and to ensure that the keys are associated with the correct crypto policy.

In summary, outside of the SSL/TLS configuration, the algorithms used by the system are determined by the configuration. If you choose to use them, they will be used; if you choose not to use them, they won't be used.

Legacy Article ID: a54542
