WebSEAL: Disabling SSLv2 and Weak Ciphers

Disabling SSLv2 and weak encryption ciphers in WebSEAL is surprisingly quick and easy. This post assumes you are running Tivoli Access Manager for eBusiness v4.1 or higher. Among the common items you need to take care of for your WebSEAL servers to be considered PCI compliant are dropping support for SSLv2 and disabling what are commonly known as "weak ciphers". A weak cipher is any encryption cipher that can be used to establish a secure channel between client and server with less than 128-bit encryption.

Much like the Apache web server, WebSEAL uses a main configuration file for all server-specific settings. Back up your main instance's configuration file, which by default is located in /opt/pdweb/etc/ on your WebSEAL servers. If you only have one instance and did not give it a fancy name when you created it, the file is called "webseald.conf". If you gave it a name such as "instance1", the main configuration file is "webseald-instance1.conf".

Disabling SSLv2 in webseald.conf is simply a matter of locating the [ssl] stanza. By default it contains the following entries:

disable-ssl-v2 = no
disable-ssl-v3 = no
disable-tls-v1 = no

Set disable-ssl-v2 to "yes", restart the webseald process, and SSLv2 is disabled.

Disabling weak encryption ciphers is not much more difficult. Locate the [ssl-qop] (SSL quality of protection) stanza within the same file. There are a few values you will need to change to disable weak ciphers. The default values for ssl-qop-mgmt and for the ssl-qop-mgmt-default cipher list are shown below:

# Enable/Disable SSL Quality of Protection management
ssl-qop-mgmt = no


# default ssl qop
default = ALL

Change these so that ssl-qop-mgmt is enabled, then list the encryption ciphers you want allowed on the site, one per default line. The result should look similar to the following:

# Enable/Disable SSL Quality of Protection management
ssl-qop-mgmt = yes


# default ssl qop
default = DES-168
default = RC2-128
default = RC4-128
default = AES-128
default = AES-256
# only enable if you need FIPS processing support
#default = FIPS-DES-168

Restart webseald and that's it: SSLv2, NULL and weak ciphers are now disabled.
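Once the change is rolled out to several instances, it is worth having a script that reads each webseald.conf and confirms all three settings landed, rather than eyeballing the files. The following audit script is an added example, not part of the original post or of the WebSEAL product. It assumes the stanza names [ssl], [ssl-qop] and [ssl-qop-mgmt-default] (the post refers to the latter two loosely as "[ssl qop]" and "ssl-qop-mgmt-default"; check them against your own file), and it assumes cipher labels end in their key length as the post's examples do (DES-168, RC4-128). The two sample configurations embedded in it are constructed to mirror the "before" and "after" fragments above. Because the default key repeats once per cipher, the script uses its own small parser that keeps every value instead of Python's configparser, which would silently keep only the last one.

```python
"""Audit a WebSEAL webseald.conf for SSLv2 and weak-cipher settings.

Added example (not WebSEAL code). Assumed layout: [ssl] holds disable-ssl-v2,
[ssl-qop] holds ssl-qop-mgmt, and [ssl-qop-mgmt-default] holds one or more
'default = CIPHER' lines. Keys may repeat within a stanza, so values are kept
as lists (configparser would keep only the last 'default').
"""
import re
import sys
from collections import defaultdict

MIN_BITS = 128  # the post's threshold: anything below this is a "weak cipher"

# Ciphers the post enables; anything else in the default list is reported.
APPROVED = {"DES-168", "RC2-128", "RC4-128", "AES-128", "AES-256", "FIPS-DES-168"}

# Constructed sample: the stock file before the change.
BEFORE = """
[ssl]
disable-ssl-v2 = no
disable-ssl-v3 = no
disable-tls-v1 = no

[ssl-qop]
# Enable/Disable SSL Quality of Protection management
ssl-qop-mgmt = no

[ssl-qop-mgmt-default]
# default ssl qop
default = ALL
"""

# Constructed sample: the same file after following the post.
AFTER = """
[ssl]
disable-ssl-v2 = yes
disable-ssl-v3 = no
disable-tls-v1 = no

[ssl-qop]
ssl-qop-mgmt = yes

[ssl-qop-mgmt-default]
default = DES-168
default = RC2-128
default = RC4-128
default = AES-128
default = AES-256
# only enable if you need FIPS processing support
#default = FIPS-DES-168
"""


def parse_stanzas(text):
    """Parse INI-style text into {stanza: {key: [values...]}}, preserving duplicate keys."""
    stanzas = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any stanza
        key, _, value = line.partition("=")
        stanzas[current][key.strip().lower()].append(value.strip())
    return stanzas


def cipher_bits(label):
    """Key length encoded in a WebSEAL cipher label, e.g. 'RC4-40' -> 40; 0 if none."""
    m = re.search(r"(\d+)$", label)
    return int(m.group(1)) if m else 0


def audit(text):
    """Return a list of findings; an empty list means the file matches the post's target state."""
    cfg = parse_stanzas(text)
    findings = []

    # Last occurrence wins if a key is repeated, which is how most INI readers behave.
    if cfg["ssl"].get("disable-ssl-v2", ["no"])[-1].lower() != "yes":
        findings.append("[ssl] disable-ssl-v2 is not 'yes': SSLv2 still accepted")

    if cfg["ssl-qop"].get("ssl-qop-mgmt", ["no"])[-1].lower() != "yes":
        findings.append("[ssl-qop] ssl-qop-mgmt is not 'yes': cipher list is not enforced")

    defaults = cfg["ssl-qop-mgmt-default"].get("default", [])
    if not defaults:
        findings.append("[ssl-qop-mgmt-default] has no 'default' entries")
    for cipher in defaults:
        label = cipher.upper()
        if label == "ALL":
            findings.append("default = ALL permits every cipher, including NULL and sub-128-bit ones")
        elif label.startswith("NULL") or cipher_bits(label) < MIN_BITS:
            findings.append(f"default = {cipher} is weaker than {MIN_BITS} bits")
        elif label not in APPROVED:
            findings.append(f"default = {cipher} is not in the approved list")
    return findings


if __name__ == "__main__":
    # Usage: python audit_webseal.py /opt/pdweb/etc/webseald.conf (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BEFORE
    problems = audit(text)
    print("\n".join(problems) if problems else "OK: SSLv2 off, QoP enforced, ciphers >= 128 bits")
```

The allowlist deliberately mirrors the post's own 128-bit rule, so it accepts RC2, RC4 and triple DES. If you reuse the script today, shrink APPROVED accordingly: RC4 has since been prohibited in TLS (RFC 7465), and PCI DSS 3.1 and later deprecate SSL and early TLS altogether, so disable-ssl-v3 and the TLS 1.0 setting deserve the same treatment the post gives SSLv2.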