WebSEAL: Disabling SSLv2 and Weak Ciphers
Disabling SSLv2 and weak encryption ciphers in WebSEAL is surprisingly quick and easy. This post assumes you are running Tivoli Access Manager for e-business v4.1 or higher. Two common items you need to take care of for your WebSEAL servers to be considered PCI compliant are dropping support for SSLv2 and disabling what are commonly known as "weak ciphers". A weak cipher is any cipher that can be used to establish a secure channel between client and server with fewer than 128 bits of encryption key.
Much like the Apache web server, WebSEAL uses one main configuration file for all server-specific settings. Back up your instance's main configuration file, which by default lives in /opt/pdweb/etc/ on your WebSEAL servers. If you have only one instance and did not give it a name when you created it, the file is called "webseald.conf". If you named it, for example, "instance1", the file is called "webseald-instance1.conf".
Disabling SSLv2 in webseald.conf is simply a matter of locating the [ssl] stanza. By default it contains the following protocol entries:
disable-ssl-v2 = no
disable-ssl-v3 = no
disable-tls-v1 = no
Set disable-ssl-v2 to "yes", restart the webseald process and SSLv2 is disabled. The neighbouring disable-ssl-v3 and disable-tls-v1 entries work the same way should your policy require dropping those protocols too.
Disabling weak encryption ciphers is not much more difficult. Locate the [ssl-qop] (SSL quality of protection) stanza in the same file. Two things need to change to disable weak ciphers: the ssl-qop-mgmt switch, and the cipher list under ssl-qop-mgmt-default. Their defaults look like this:
# Enable/Disable SSL Quality of Protection management
ssl-qop-mgmt = no
...
# default ssl qop
[ssl-qop-mgmt-default]
default = ALL
Change these so that ssl-qop-mgmt is enabled and the default list names exactly the ciphers you want to allow on the site, one "default =" line per cipher. Applying the 128-bit rule above, the changes look like this:
# Enable/Disable SSL Quality of Protection management
ssl-qop-mgmt = yes
...
# default ssl qop
[ssl-qop-mgmt-default]
default = DES-168
default = RC2-128
default = RC4-128
default = AES-128
default = AES-256
# only enable if you need FIPS processing support
#default = FIPS-DES-168
Restart webseald and that's it: SSLv2, NULL and weak ciphers are now disabled. Two caveats. First, confirm the result from the outside rather than trusting the file: an SSLv2 handshake and a handshake offering only a NULL or sub-128-bit cipher should both be refused (openssl s_client with an explicit -cipher is enough for a spot check). Second, the list above follows the 128-bit definition used here; RC4 and triple DES (DES-168) have since been deprecated for TLS, so if you apply this today prefer the AES entries and treat RC4 and 3DES as deliberate compatibility exceptions rather than defaults.
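As an added example (this is not code from the original post or from IBM), here is a small Python script that audits a copy of webseald.conf for the three settings covered above: disable-ssl-v2 in [ssl], ssl-qop-mgmt in [ssl-qop], and the cipher list in [ssl-qop-mgmt-default]. The two embedded configs are constructed from the excerpts in this post. The cipher-strength rule (the trailing number in a label such as RC4-40 is its key size, NULL is 0 bits, ALL is a wildcard) is an assumption about how WebSEAL names its ciphers, mirroring the labels shown above; the 128-bit threshold is the post's own definition of "weak".

```python
"""Audit a WebSEAL webseald.conf for SSLv2 and weak-cipher settings."""
import re

MIN_BITS = 128  # the post's threshold: anything below this is a "weak" cipher

# Constructed sample: the defaults shown in the post, before any change.
DEFAULT_CONF = """\
[ssl]
disable-ssl-v2 = no
disable-ssl-v3 = no
disable-tls-v1 = no

[ssl-qop]
# Enable/Disable SSL Quality of Protection management
ssl-qop-mgmt = no

[ssl-qop-mgmt-default]
default = ALL
"""

# Constructed sample: the file after the changes described in the post.
HARDENED_CONF = """\
[ssl]
disable-ssl-v2 = yes
disable-ssl-v3 = no
disable-tls-v1 = no

[ssl-qop]
# Enable/Disable SSL Quality of Protection management
ssl-qop-mgmt = yes

[ssl-qop-mgmt-default]
default = DES-168
default = RC2-128
default = RC4-128
default = AES-128
default = AES-256
# only enable if you need FIPS processing support
#default = FIPS-DES-168
"""


def parse_stanzas(text):
    """Parse webseald.conf into {stanza: [(key, value), ...]}.

    Keys repeat within a stanza (several 'default = ...' lines), so values
    are kept as an ordered list; configparser would collapse them to one.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment, e.g. the commented-out FIPS entry
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def values(stanzas, stanza, key):
    """All values of `key` in `stanza`, lower-cased, in file order."""
    return [v.lower() for k, v in stanzas.get(stanza, []) if k == key]


def cipher_bits(label):
    """Key strength implied by a WebSEAL cipher label (assumed naming rule).

    ALL -> None (wildcard), NULL -> 0, otherwise the trailing number
    (RC4-40 -> 40, FIPS-DES-168 -> 168). Unknown labels are treated as 0
    so they show up as findings instead of passing silently.
    """
    upper = label.upper()
    if upper == "ALL":
        return None
    if upper == "NULL":
        return 0
    m = re.search(r"-(\d+)$", upper)
    return int(m.group(1)) if m else 0


def audit(conf_text):
    """Return a list of findings; an empty list means the post's hardening is in place."""
    st = parse_stanzas(conf_text)
    findings = []
    if values(st, "ssl", "disable-ssl-v2") != ["yes"]:
        findings.append("SSLv2 still enabled: [ssl] disable-ssl-v2 must be yes")
    if values(st, "ssl-qop", "ssl-qop-mgmt") != ["yes"]:
        findings.append("QoP management off: [ssl-qop] ssl-qop-mgmt must be yes, "
                        "otherwise the cipher list below is not enforced")
    allowed = values(st, "ssl-qop-mgmt-default", "default")
    if not allowed:
        findings.append("[ssl-qop-mgmt-default] has no 'default =' entries")
    for cipher in allowed:
        bits = cipher_bits(cipher)
        if bits is None:
            findings.append("default = ALL permits every cipher the server supports "
                            "instead of an explicit list")
        elif bits < MIN_BITS:
            findings.append(f"default = {cipher.upper()} allows a {bits}-bit cipher "
                            f"(below {MIN_BITS})")
    return findings


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against a copy of the file before and after the change; a non-empty finding list means the edit did not take (a common cause is setting the cipher list but leaving ssl-qop-mgmt at "no"). It checks only the file, not what the server actually negotiates, so still confirm with an external handshake test.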