How to enable strong TLS/SSL cipher algorithms in RSA Identity Governance & Lifecycle

3 years ago

Originally Published: 2021-02-22

Article Number

000055595

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.2.1, 7.2.0, 7.1.1
Platform: WildFly/JBoss

Issue

The default cipher suites that are configured in RSA Identity Governance & Lifecycle using WildFly deployments can be changed to use only certain strong TLS/SSL cipher algorithms such as ECDHE.

Resolution

Follow the steps listed below to enable only the following TLS/SSL ECDHE-based ciphers in RSA Identity Governance & Lifecycle deployments using WildFly application server.

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

A) Standalone WildFly deployments:

Run the following two JBOSS CLI commands exactly as shown:

"${AVEKSA_HOME}"/wildfly/bin/jboss-cli.sh -c --command="/core-service=management/security-realm=AveksaAgentRealm/server-identity=ssl/:write-attribute(name=enabled-cipher-suites,value=["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"])"

"${AVEKSA_HOME}"/wildfly/bin/jboss-cli.sh -c --command="/core-service=management/security-realm=AveksaRealm/server-identity=ssl/:write-attribute(name=enabled-cipher-suites,value=["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"])"

Copied below is an example of the above commands that are run in a test environment and their output:

oracle@acm:~> "${AVEKSA_HOME}"/wildfly/bin/jboss-cli.sh -c --command="/core-service=management/security-realm=AveksaAgentRealm/server-identity=ssl/:write-attribute(name=enabled-cipher-suites,value=["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"])"
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}

oracle@acm:~> "${AVEKSA_HOME}"/wildfly/bin/jboss-cli.sh -c --command="/core-service=management/security-realm=AveksaRealm/server-identity=ssl/:write-attribute(name=enabled-cipher-suites,value=["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"])"
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}

Restart the application server for the changes to take effect:
```
service aveksa_server stop
service aveksa_server start
```

B) Clustered WildFly deployments:

Login to the RSA Identity Governance & Lifecycle Domain Controller host as an oracle user.
Note that the JBOSS CLI commands provided below only need to be run on the Domain Controller host.
Change the current working directory to <AVEKSA_HOME>/wildfly/bin, for example:
```
cd /home/oracle/wildfly/bin
```
Connect to the JBOSS CLI using the following command (replace <domain-controller-ip-address> with the actual IP address):
```
./jboss-cli.sh -c --controller=<domain-controller-ip-address>
```

At the JBOSS CLI command prompt, issue the following two commands:

/profile=full-ha/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=enabled-cipher-suites,value="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")

/profile=full-ha/subsystem=undertow/server=default-server/https-listener=agent-ssl:write-attribute(name=enabled-cipher-suites,value="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")

For each of the commands that are run above, you should receive a response that starts with “outcome” => “success”.
Type the following command at the JBOSS CLI prompt to exit the CLI:
```
exit
```

Copied below is an example of the above commands that are run in a test environment and their output:

vm-adbp-69:/home/oracle/wildfly/bin # ./jboss-cli.sh -c --controller=10.101.249.169

[domain@10.101.249.169:9990 /] /profile=full-ha/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=enabled-cipher-suites,value="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
{
"outcome" => "success",
"result" => undefined,
"server-groups" => {"img-server-group" => {"host" => {"master" => {"img-server-1" => {"response" => {
"outcome" => "success",
"response-headers" =>

{ "operation-requires-reload" => true, "process-state" => "reload-required" }
}}}}}}
}

[domain@10.101.249.169:9990 /] /profile=full-ha/subsystem=undertow/server=default-server/https-listener=agent-ssl:write-attribute(name=enabled-cipher-suites,value="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
{
"outcome" => "success",
"result" => undefined,
"server-groups" => {"img-server-group" => {"host" => {"master" => {"img-server-1" => {"response" =>

{ "outcome" => "success", "response-headers" =>

{"process-state" => "reload-required"}
}}}}}}
}

[domain@10.101.249.169:9990 /] exit

Restart the RSA Identity Governance and Lifecycle application on all nodes of the cluster.

Don't see what you're looking for?

Related Articles

Trending Articles