How to configure CipherSuite used for SA Server/Jetty Server
Originally Published: 2014-10-23
Article Number
000066236
Applies To
RSA Security Analytics 10.4 and below.
Issue
Sometimes a customer may run a vulnerability scan that reports a weak cipher suite issue with the SA web server, such as SSLv3 cipher suites. You would like to disable SSLv3 and lower-version ciphers according to your security requirements.

The cipher suites are configurable via the Jetty configuration files.
Tasks
1. Edit the Jetty configuration file to assign the cipher suites to be used.
2. Restart the Jetty server to make the change take effect.
Resolution
1. Log on to the SA server and verify the home directory of your jettysrv service:
 
[root@saserver etc]# cat /etc/init/jettysrv.conf 
# start/stop/respawn jetty server
start on runlevel [3]
stop on runlevel [!3]
console none 
exec /opt/rsa/jetty9/bin/jetty.sh run
pre-start script
        if [ -d /var/lib/netwitness/jetty/uax ] && ! [ -d /var/lib/netwitness/uax/logs ]; then
                mkdir -p /var/lib/netwitness/uax/logs
        fi
end script
pre-stop script
if [[ `ps x | grep "/usr/bin/java.*-jar /opt/rsa/jetty9/start.jar"` ]]; then
        exec /opt/rsa/jetty9/bin/jetty.sh stop
fi
end script
respawn
respawn limit 10 5

    In the example above, the Jetty home directory is /opt/rsa/jetty9/

2. Go to the Jetty home directory and find the SSL configuration file (etc/jetty-ssl.xml).

3. By default, the configuration contains the following cipher configuration entries:
<Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array>
  </Set>

  These are the cipher suites that the Jetty server will not use.
  To see a complete list of cipher suite names, consult this URL:
  http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

4. Make a backup of the original XML file, then modify the cipher configuration section according to your requirements. You can either exclude more ciphers, or use "<Set name="IncludeCipherSuites">" to allow only the ciphers listed there.

      Below is an example of including ciphers. (NOTE: if you use an include list, remove the entire exclude section first.)
 
<Set name="IncludeCipherSuites">
        <Array type="java.lang.String">
          <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
          <Item>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</Item>
          <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
        </Array>
      </Set>

     Another example, which disables only the SSLv3 and lower cipher suites:
 
<Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
      <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
      <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_RSA_WITH_NULL_MD5</Item>
      <Item>SSL_RSA_WITH_NULL_SHA</Item>
      <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
      <Item>SSL_DH_anon_WITH_3DES_EDE_CBC_SHA</Item>
      <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array>
  </Set>
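Before restarting, it helps to sanity-check the edited jetty-ssl.xml for the mistakes this step invites: an include list that still carries weak or SSL_-prefixed suites, an include section left alongside the exclude section (the note above says to remove the exclude section first), and duplicated entries. The script below is an added example, not part of the original article or of RSA's product; the XML it parses is a constructed fragment in the shape of a Jetty 9 jetty-ssl.xml (the sslContextFactory element and cipher Set names are Jetty's, the suite values are chosen to trigger each finding), and the list of "weak" name markers is an assumption of this example, not a definition from the article. It reads the real file when given a path on the command line.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Jetty 9 jetty-ssl.xml fragment (not the
# RSA-shipped file). It deliberately contains each problem the audit reports.
SAMPLE_JETTY_SSL_XML = """
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="IncludeCipherSuites">
      <Array type="java.lang.String">
        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
        <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
      </Array>
    </Set>
    <Set name="ExcludeCipherSuites">
      <Array type="String">
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      </Array>
    </Set>
  </New>
</Configure>
"""

# Assumed markers of suites an include list should not carry (NULL encryption,
# anonymous key exchange, export grade, DES/3DES, RC4, MD5). The SSL_ prefix is
# treated as legacy on its own, matching the exclusion list in the article.
WEAK_MARKERS = ("_NULL_", "_anon_", "_EXPORT_", "_DES_", "_3DES_", "_RC4_", "_MD5")

CIPHER_SETS = ("IncludeCipherSuites", "ExcludeCipherSuites")


def load_cipher_sets(xml_text):
    """Return {set_name: [suite, ...]} for the Include/Exclude cipher Sets."""
    root = ET.fromstring(xml_text)
    result = {}
    for node in root.iter("Set"):
        name = node.get("name")
        if name in CIPHER_SETS:
            result[name] = [item.text.strip() for item in node.iter("Item") if item.text]
    return result


def is_weak(suite):
    """True for SSL_-prefixed legacy names or any suite carrying a weak marker."""
    return suite.startswith("SSL_") or any(m in suite for m in WEAK_MARKERS)


def audit(xml_text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    sets = load_cipher_sets(xml_text)
    findings = []
    if "IncludeCipherSuites" in sets and "ExcludeCipherSuites" in sets:
        findings.append("both IncludeCipherSuites and ExcludeCipherSuites are present; "
                        "remove the Exclude section when using an include list")
    for suite in sets.get("IncludeCipherSuites", []):
        if is_weak(suite):
            findings.append("weak suite in include list: " + suite)
    for name, suites in sets.items():
        for dup in sorted({s for s in suites if suites.count(s) > 1}):
            findings.append("duplicate entry in " + name + ": " + dup)
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise run on the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JETTY_SSL_XML
    for line in audit(text) or ["no findings"]:
        print(line)
```

Run it as `python audit_jetty_ssl.py /opt/rsa/jetty9/etc/jetty-ssl.xml` (the script name is whatever you save it as) after editing and before the restart in step 5; an empty result is what you want. The suite names are compared as plain strings, so the check is only as good as the marker list, and it does not replace confirming the offered suites against the live service after the restart.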

5. Restart the jettysrv service with the following command:
   restart jettysrv
 
 or
   stop jettysrv followed by start jettysrv