Adding Java Cipher Suite Parameters to Central Deployments
Posted by Aly Essa on 02 November 2018 10:34 AM

Overview

FileCatalyst Central v3.7.3 adds the ability to customize which Java cipher suites Central uses. This article outlines the steps needed to use custom Java ciphers in Central.

If you have upgraded from an older version of Central (<v3.7.2), you will not see these settings in the configuration file. Use this guide to add them to your configuration file.

Environment

FileCatalyst Central v3.7.3

Resolution

The default cipher settings are available in the maconfig.default file located in the installation directory of FileCatalyst Central. To add these settings to your existing configuration file, use the following steps:

i) Shut down the FileCatalyst Central service.
ii) Create a backup of the maconfig.conf file before modifying it. Once the backup is complete, open the maconfig.conf file in a text editor.
iii) Scroll to the bottom of the file and add the following settings:

## SSL Cipher restriction
# By default, accepted SSL ciphers are specified as part of the standard Java JRE.
# These can be modified to exclude less secure ciphers.
FCMonitoringAgent.config.ssl.restrict.ciphers=false

# If the restrict.cipher == true, you must supply a list of acceptable ciphers
# the application can utilize when opening up SSL server sockets.
# Below are standard ciphers found in SUN Java JRD 1.6.0_12
#FCMonitoringAgent.config.ssl.allowed.ciphers.00=SSL_RSA_WITH_RC4_128_MD5
#FCMonitoringAgent.config.ssl.allowed.ciphers.01=SSL_RSA_WITH_RC4_128_SHA
#FCMonitoringAgent.config.ssl.allowed.ciphers.02=TLS_RSA_WITH_AES_128_CBC_SHA
#FCMonitoringAgent.config.ssl.allowed.ciphers.03=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
#FCMonitoringAgent.config.ssl.allowed.ciphers.04=TLS_DHE_DSS_WITH_AES_128_CBC_SHA
#FCMonitoringAgent.config.ssl.allowed.ciphers.05=SSL_RSA_WITH_3DES_EDE_CBC_SHA
#FCMonitoringAgent.config.ssl.allowed.ciphers.06=SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
#FCMonitoringAgent.config.ssl.allowed.ciphers.07=SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
#FCMonitoringAgent.config.ssl.allowed.ciphers.08=SSL_RSA_WITH_DES_CBC_SHA
#FCMonitoringAgent.config.ssl.allowed.ciphers.09=SSL_DHE_RSA_WITH_DES_CBC_SHA
#FCMonitoringAgent.config.ssl.allowed.ciphers.10=SSL_DHE_DSS_WITH_DES_CBC_SHA
#FCMonitoringAgent.config.ssl.allowed.ciphers.11=SSL_RSA_EXPORT_WITH_RC4_40_MD5
#FCMonitoringAgent.config.ssl.allowed.ciphers.12=SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
#FCMonitoringAgent.config.ssl.allowed.ciphers.13=SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
#FCMonitoringAgent.config.ssl.allowed.ciphers.14=SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

iv) If you have a set of ciphers that you need to use, check that they are available in the Java cipher suites of your current Java version. Note that some ciphers require a specific TLS version to be enabled, so you will need to toggle those settings in the same configuration file as well. Search for the following parameters and change the ones that apply to your installation:

FCMonitoringAgent.config.deployment.security.defaultTransport=TLSv1
FCMonitoringAgent.config.deployment.security.SSLv2Hello=true
FCMonitoringAgent.config.deployment.security.SSLv3=false
FCMonitoringAgent.config.deployment.security.TLSv1=true
FCMonitoringAgent.config.deployment.security.TLSv1.1=false
FCMonitoringAgent.config.deployment.security.TLSv1.2=true

v) Change the parameter FCMonitoringAgent.config.ssl.restrict.ciphers to true.

vi) Add your ciphers to the list, numbering them from .00 upward and uncommenting each parameter. Here is an example:

FCMonitoringAgent.config.ssl.allowed.ciphers.00=NAME_OF_CIPHER_ONE
FCMonitoringAgent.config.ssl.allowed.ciphers.01=NAME_OF_CIPHER_TWO
FCMonitoringAgent.config.ssl.allowed.ciphers.02=NAME_OF_CIPHER_THREE
FCMonitoringAgent.config.ssl.allowed.ciphers.03=NAME_OF_CIPHER_FOUR

vii) Once the modifications to your Central configuration file are complete, save it and start the Central service.
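
A pre-restart check of the edited maconfig.conf, added here as an example and not part of FileCatalyst's own tooling: it reads the keys shown in the steps above and reports weak suite names, deprecated protocol toggles, and a restrict flag that disagrees with the cipher list. The weak-name pattern and the sample configuration are constructed for illustration.

```python
import re

# Name fragments of broken or deprecated suites (RC4, DES/3DES, export-grade, MD5, NULL, anonymous).
WEAK = re.compile(r"(RC4|_DES_|DES40|3DES|EXPORT|_MD5$|NULL|_anon_)")
OLD_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")  # TLS 1.0 and 1.1 were deprecated by RFC 8996
PREFIX = "FCMonitoringAgent.config."

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
FCMonitoringAgent.config.ssl.restrict.ciphers=true
FCMonitoringAgent.config.ssl.allowed.ciphers.00=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
FCMonitoringAgent.config.ssl.allowed.ciphers.01=SSL_RSA_WITH_3DES_EDE_CBC_SHA
#FCMonitoringAgent.config.ssl.allowed.ciphers.02=SSL_RSA_WITH_RC4_128_MD5
FCMonitoringAgent.config.deployment.security.SSLv3=false
FCMonitoringAgent.config.deployment.security.TLSv1=true
FCMonitoringAgent.config.deployment.security.TLSv1.2=true
"""

def parse(text):
    """Return active key/value pairs; commented (#) and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings for the cipher and protocol settings in text."""
    conf = parse(text)
    findings = []
    restrict = conf.get(PREFIX + "ssl.restrict.ciphers", "false").lower() == "true"
    allowed = {k: v for k, v in conf.items() if k.startswith(PREFIX + "ssl.allowed.ciphers.")}
    if restrict and not allowed:
        findings.append("restrict.ciphers=true but no allowed.ciphers entry is uncommented")
    if allowed and not restrict:
        findings.append("allowed.ciphers set but restrict.ciphers is not true")
    for key in sorted(allowed):
        if WEAK.search(allowed[key]):
            findings.append(f"weak cipher {allowed[key]} in {key.rsplit('.', 1)[1]}")
    for proto in OLD_PROTOCOLS:
        if conf.get(PREFIX + "deployment.security." + proto, "").lower() == "true":
            findings.append(f"deprecated protocol enabled: {proto}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a real file, pass its contents to audit(), for example audit(open("maconfig.conf").read()).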

