You can specify a list of cipher suites as an alternative to the RC4 algorithm used for TLS communication. RC4 is a weak cipher and is vulnerable to attacks. To disable the RC4 algorithm in Smart Assurance, use a cipher suite list.
A cipher suite is a suite of cryptographic algorithms used to provide encryption, integrity and authentication. Cipher suite lists and the SM_TLS_SUITE_LIST environment variable are described in Communication protocols overview. Security Advisory “ESA-2016-115” provides more information about the fixed vulnerabilities for the RC4 algorithm.
Introduced with the 9.4.2 release, this feature is supported for the following Smart Assurance products: SAM, IP Manager, ESM, MPLS, NPM, OTM, VoIP AM, and the SAM Global Console. It is not supported for EMC M&R. If your deployment includes NCM, consult the VMware Smart Assurance Network Configuration Manager Security Configuration Guide for information about using ciphers.
To disable the RC4 algorithm and specify a cipher suite list, follow this procedure.
Procedure
- For each Manager and SAM Global Console, add the SM_TLS_SUITE_LIST environment variable to the runcmd_env.sh file.
- For each SAM Global Console, perform these steps to allow the console to communicate with the Broker:
  - Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 from the Oracle website.
  - Extract the local_policy.jar and US_export_policy.jar files from the downloaded zip file into a temporary directory.
  - Go to the <BASEDIR>/smarts/jre/lib/security directory and then back up the existing policy files in this directory.
  - Overwrite the local_policy.jar and US_export_policy.jar files in the <BASEDIR>/smarts/jre/lib/security directory.
- Restart the SAM Console Tomcat server and Global Consoles (sm_gui applications) for the changes to take effect.
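The backup-and-overwrite steps above can be scripted so that the original policy files are always preserved and the copy is verified. The following is an added example, not VMware-supplied code: the function names and the backup directory name are hypothetical, the directories are passed as arguments, and it assumes runcmd_env.sh uses plain NAME=VALUE lines.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

# has_suite_list FILE
# Returns 0 if FILE defines a non-empty SM_TLS_SUITE_LIST.
# Assumption: runcmd_env.sh uses NAME=VALUE lines; commented-out lines do not count.
has_suite_list() {
    grep -Eq '^[[:space:]]*SM_TLS_SUITE_LIST=[^[:space:]]' "$1"
}

# install_policy_jars SRC_DIR SECURITY_DIR
# SRC_DIR: temporary directory holding the extracted JCE policy files.
# SECURITY_DIR: the console's jre/lib/security directory.
# Prints the backup directory on success; returns 1 on any failure.
install_policy_jars() {
    src=$1 dst=$2
    # Refuse to run unless both jars exist on both sides; a missing
    # destination jar usually means the wrong directory was given.
    for f in local_policy.jar US_export_policy.jar; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        [ -f "$dst/$f" ] || { echo "missing $dst/$f" >&2; return 1; }
    done
    # Back up the existing policy files before touching them.
    backup="$dst/policy_backup.$(date +%Y%m%d%H%M%S)"
    mkdir "$backup" || return 1
    for f in local_policy.jar US_export_policy.jar; do
        cp -p "$dst/$f" "$backup/$f" || return 1
    done
    # Overwrite, then confirm each installed file matches its source.
    for f in local_policy.jar US_export_policy.jar; do
        cp "$src/$f" "$dst/$f" || return 1
        cmp -s "$src/$f" "$dst/$f" || { echo "verify failed: $f" >&2; return 1; }
    done
    echo "$backup"
}

# Usage (paths are placeholders for your installation):
#   has_suite_list /path/to/runcmd_env.sh || echo "SM_TLS_SUITE_LIST not set"
#   install_policy_jars /tmp/jce "<BASEDIR>/smarts/jre/lib/security"
```

Restart the SAM Console Tomcat server and the Global Consoles afterwards, as the final step requires.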