You can specify a list of cipher suites as an alternative to the RC4 algorithm used for TLS communication. RC4 is a weak cipher and is vulnerable to attacks. To disable the RC4 algorithm on domain managers, use a cipher suite list.
A cipher suite is a suite of cryptographic algorithms used to provide encryption, integrity and authentication. Cipher suite lists and the SM_TLS_SUITE_LIST environment variable are described in Communication protocols overview. Security Advisory “ESA-2016-115” provides more information about the fixed vulnerabilities for the RC4 algorithm.
Introduced with the 9.4.2 release, this feature is supported for the following products: SAM, IP Manager, and ESM. It is not supported for EMC M&R. If your deployment includes NCM, consult the Network Configuration Manager Security Configuration Guide for information about using ciphers.
To disable the RC4 algorithm and specify a cipher suite list, follow this procedure.
Procedure
- For each Manager and SAM Global Console, add the SM_TLS_SUITE_LIST environment variable to the runcmd_env.sh file.
  - Go to the <BASEDIR>/smarts/bin directory and enter this command to open the runcmd_env.sh file:
    sm_edit local/conf/runcmd_env.sh
  - Add the SM_TLS_SUITE_LIST variable and specify one or more cipher suites. Use a colon (:) to separate multiple cipher suites. For example:
    SM_TLS_SUITE_LIST=AES256-GCM-SHA-384
    In this example, two cipher suites are listed:
    SM_TLS_SUITE_LIST=AES256-GCM-SHA-384:AES128-GCM-SHA256
  - Save and close the file.
  - Restart the Manager.
- For each SAM Global Console, perform these steps to allow the console to communicate with the Broker:
  - Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 from the Oracle website.
  - Extract the local_policy.jar and US_export_policy.jar files from the downloaded zip file into a temporary directory.
  - Go to the <BASEDIR>/smarts/jre/lib/security directory and then back up the existing policy files in this directory.
  - Overwrite the local_policy.jar and US_export_policy.jar files in the <BASEDIR>/smarts/jre/lib/security directory.
  - Restart the SAM Console Tomcat server and Global Consoles (sm_gui applications) for the changes to take effect.
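A quick check to run before restarting a Manager, given here as an added example and not part of the product or its documentation: it reads the last SM_TLS_SUITE_LIST assignment from a runcmd_env.sh file and reports a missing variable, any RC4 suite, an empty entry caused by a stray colon, or a separator other than the colon. The function names are hypothetical, and the check assumes suite names contain only letters, digits, hyphens and underscores.

```shell
#!/bin/sh
# Added example: audit SM_TLS_SUITE_LIST in a runcmd_env.sh-style file.

# Print the value of the last SM_TLS_SUITE_LIST assignment in file $1,
# with quotes removed. Prints nothing if the variable is never assigned.
get_suite_list() {
    grep -E '^[[:space:]]*(export[[:space:]]+)?SM_TLS_SUITE_LIST=' "$1" \
        | tail -n 1 | sed -e 's/^[^=]*=//' -e "s/[\"']//g"
}

# Check a colon-separated list ($1). Prints one finding per line and
# exits non-zero if the list is unset, has an empty entry, names an RC4
# suite, or contains a character that suggests a wrong separator.
# The body is a subshell so the IFS and noglob changes stay local.
audit_suite_list() (
    rc=0
    if [ -z "$1" ]; then
        echo "SM_TLS_SUITE_LIST is not set"
        exit 1
    fi
    case "$1" in
        :*|*:|*::*) echo "empty entry (stray colon) in: $1"; rc=1 ;;
    esac
    IFS=:
    set -f
    for suite in $1; do
        case "$(printf '%s' "$suite" | tr '[:lower:]' '[:upper:]')" in
            '') ;;
            *RC4*) echo "RC4 suite listed: $suite"; rc=1 ;;
            *[!A-Z0-9_-]*) echo "unexpected character in: $suite"; rc=1 ;;
        esac
    done
    exit "$rc"
)

# Audit the file given as $1.
audit_file() { audit_suite_list "$(get_suite_list "$1")"; }

# Constructed sample standing in for a real runcmd_env.sh file.
demo=$(mktemp)
printf '%s\n' 'SM_TLS_SUITE_LIST=AES128-GCM-SHA256:RC4-SHA' > "$demo"
audit_file "$demo" || echo "fix the list before restarting the Manager"
rm -f "$demo"
```

To use it on a deployment, call audit_file with the path of the runcmd_env.sh file edited in the procedure above.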