How to Disable Weak Ciphers in Dell Security Management Server and Virtual Server (2024)

Symptoms

Affected Products:

  • Dell Security Management Server
  • Dell Data Protection | Enterprise Edition
  • Dell Security Management Server Virtual
  • Dell Data Protection | Virtual Edition

Cause

Not Applicable

Resolution

  • Dell Security Management Server
  • Dell Security Management Server Virtual

During the initial Enterprise Edition install, after we have input the SQL hostname and database name, the following errors appear:

Dell Security Management Server

  • Disable RC4/DES/3DES cipher suites in Windows using registry, GPO, or local security settings.

    • You can do this using GPO or Local security policy under Computer configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order.

    • Set this policy to Enabled. Separate each cipher suite with a comma. Remove as needed based on the list below.

    • To disable based on registry, reference this article:

  • Modify the Compliance Reporter settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Compliance Reporter\conf\eserver.properties

    • Set

eserver.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
  • Save
  • Modify the Console Web Services settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Console Web Services\conf\eserver.properties

    Note: Starting in 9.2 the console web service is no longer present.

    • Set
eserver.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
  • Save
  • Modify the Device Server settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Device Server\conf\spring-jetty.xml

    • Update list in section to exclude the vulnerable cipher suites. List of suggested excluded cipher suites below.

    • Save

  • Modify the Security Server settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Security Server\conf\spring-jetty.xml

    • Update list in both sections to exclude the vulnerable cipher suites. List of suggested excluded cipher suites below.

    • Save

  • If Windows settings were changed, reboot back-end DDP|E server. If Windows settings were not changed, stop all DDP|E Windows services, and then start the services again.

  • Check for any stopped services.

  • Test new endpoint activation

  • Test Remote Management Console thick client (if TLSv1.0 is enabled in Windows).

  • Test Silverlight Console

Windows Secure Cipher Suites suggested inclusion list

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P521TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P384TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256TLS_RSA_WITH_AES_256_GCM_SHA384TLS_RSA_WITH_AES_128_GCM_SHA256TLS_RSA_WITH_AES_256_CBC_SHA256TLS_RSA_WITH_AES_256_CBC_SHATLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_CBC_SHATLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256

Jetty Weak Cipher Suites suggested Exclusion list

<list>
  <value>SSL_RSA_WITH_RC4_128_MD5</value>
  <value>SSL_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</value>
  <value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</value>
  <value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</value>
  <value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</value>
  <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</value>
  <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</value>
  <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</value>
  <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</value>
  <value>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</value>
  <value>SSL_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDH_RSA_WITH_RC4_128_SHA</value>
  <value>SSL_RSA_WITH_RC4_128_MD5</value>
  <value>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>SSL_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</value>
</list>

Dell Security Management Server Virtual

  • Modify the Compliance Reporter settings to only allow modern cipher suites at this location: /opt/dell/server/reporter/conf/eserver.properties

    • Set

eserver.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
  • Save
  • Modify the Console Web Services settings to only allow modern cipher suites at this location: /opt/dell/server/console-web-services/conf/eserver.properties

    Note: Starting in 9.2 the console web service is no longer present.

    • Set
eserver.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
  • Save

  • Modify the Device Server settings to only allow modern cipher suites at this location: /opt/dell/server/security-server/conf/spring-jetty.xml

    • Update list in section to exclude the vulnerable cipher suites. List of suggested excluded cipher suites below.

    • Save

  • Modify the Security Server settings to only allow modern cipher suites at this location: /opt/dell/server/security-server/conf/spring-jetty.xml

    • Update list in both sections to exclude the vulnerable cipher suites. List of suggested excluded cipher suites below.

    • Save

  • Reboot the DDP | VE server.

  • Check for any stopped services.

  • Test new endpoint activation

  • Test Remote Management Console thick client (if TLSv1.0 is enabled in Windows).

Jetty Weak Cipher Suites suggested Exclusion list.

<list>
  <value>SSL_RSA_WITH_RC4_128_MD5</value>
  <value>SSL_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</value>
  <value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</value>
  <value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</value>
  <value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</value>
  <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</value>
  <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</value>
  <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</value>
  <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</value>
  <value>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</value>
  <value>SSL_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDH_RSA_WITH_RC4_128_SHA</value>
  <value>SSL_RSA_WITH_RC4_128_MD5</value>
  <value>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>SSL_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</value>
</list>
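
A post-change check for the eserver.properties and spring-jetty.xml edits described above. This is an added example, not Dell code: it reads the eserver.ciphers value and a Jetty <list> of <value> entries and reports weak suites that are still allowed, weak suites missing from the exclusion list, and duplicated entries. The marker set, the function names, the sample inputs and the "offered" list are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# RC4/DES/3DES are the families the page targets; NULL, EXPORT, anon and MD5
# are extra markers assumed for this example.
WEAK_MARKERS = ("_RC4_", "_DES_", "_3DES_", "_NULL_", "_EXPORT_", "_anon_", "_MD5")

def is_weak(suite):
    return any(marker in suite for marker in WEAK_MARKERS)

def parse_eserver_ciphers(properties_text):
    """Return the suites listed under eserver.ciphers, or None if the key is absent."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "eserver.ciphers":
            return [s.strip() for s in value.split(",") if s.strip()]
    return None

def audit_properties(properties_text):
    """Weak suites still allowed by eserver.ciphers; an empty list means clean."""
    suites = parse_eserver_ciphers(properties_text)
    if suites is None:
        raise ValueError("eserver.ciphers is not set")
    return [s for s in suites if is_weak(s)]

def audit_jetty_excludes(list_xml, offered):
    """Return (weak offered suites missing from the <list>, duplicated <value> entries)."""
    values = [v.text.strip() for v in ET.fromstring(list_xml).iter("value") if v.text]
    excluded = set(values)
    missing = [s for s in offered if is_weak(s) and s not in excluded]
    duplicates = sorted(s for s, n in Counter(values).items() if n > 1)
    return missing, duplicates

# Constructed sample inputs, not copied from a real server.
SAMPLE_PROPERTIES = """# constructed sample
eserver.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA
"""
SAMPLE_EXCLUDES = ("<list><value>SSL_RSA_WITH_RC4_128_MD5</value>"
                   "<value>SSL_RSA_WITH_RC4_128_SHA</value>"
                   "<value>SSL_RSA_WITH_RC4_128_MD5</value></list>")
# Hypothetical: suites a scanner or the JVM reports the listener as offering.
SAMPLE_OFFERED = ["SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    print("weak in eserver.ciphers:", audit_properties(SAMPLE_PROPERTIES))
    print("missing, duplicates:", audit_jetty_excludes(SAMPLE_EXCLUDES, SAMPLE_OFFERED))
```

Matching is by exact suite name, so an entry written with the TLS_ prefix does not cover a suite the JVM reports with the SSL_ prefix.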

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.


FAQs

How do I disable weak ciphers on my server?

You can do this using GPO or Local security policy under Computer configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order. Set this policy to Enabled. Separate each cipher suite with a comma. Remove as needed based on the list below.

How do I disable weak ciphers and algorithms?

Solution
  1. Log in to the instance using the ssh command.
  2. Switch to a root user using the sudo su - command.
  3. List the currently enabled ciphers by running the command sshd -T | grep -i 'cipher'.
  4. Copy the list and remove the unwanted ciphers. ...
  5. Make a backup of the file /etc/ssh/sshd_config by running the command:

How to configure your web server to disallow using weak ciphers?

Configure the SSL cipher order preference - Version 17.1 and above
  1. In a text editor, open the following file: ...
  2. Locate the line starting with “server.ssl.follow-client-cipher-order”
  3. Remove the preceding # sign to uncomment the lines and edit the list as needed.
  4. Change client to server. ...
  5. Save the file.

How to disable weak ciphers in Java security?

Disabling Weak Cipher Suites Globally Through Java
  1. At a command prompt, access the java.security file: ...
  2. Open the java.security file and locate the following parameter: ...
  3. In this line, after =SSLv3 , add DES and DESede so that the line looks like this: ...
  4. Verify that weak cipher suites have been disabled.

How do I disable TLS 1.2 cipher suites?

The Disable-TlsCipherSuite cmdlet disables a cipher suite. This cmdlet removes the cipher suite from the list of Transport Layer Security (TLS) protocol cipher suites for the computer.

How do you disable a cipher?

In the Cipher Suites text box, add the cipher suite or cipher to disable after any existing cipher suites by inserting a ":" colon followed by the cipher suite prefixed with a "!" exclamation point (example: :!AES128-SHA). Click Update.

How do I disable TLS 1.0 and 1.1 ciphers?

Method 1 : Disable TLS 1.0 and TLS 1.1 manually using Registry
  1. Open regedit utility. ...
  2. Create New Key. ...
  3. Rename the Registry Key 'TLS 1.0' ...
  4. Create One More Registry Key 'Client' underneath 'TLS 1.0' ...
  5. Create New Item 'DWORD (32-bit) Value' Underneath 'Client' ...
  6. Rename the Item 'DWORD (32-bit) Value' to 'Enable'

How do I remove weak ciphers from IIS?

Disable export ciphers, NULL ciphers, RC2 and RC4
  1. Go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL and set DWORD value Enabled to 0.
  2. Go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56 and set DWORD value Enabled to 0.

How do I disable RSA key exchange ciphers?

Disable RSA ciphers
  1. Open $IMPACT_HOME/sdk/jre/lib/security/java.security in a text editor.
  2. Locate the jdk.tls.disabledAlgorithms property. It should have some existing entries. ...
  3. Add each cipher you want to disable, separated by a comma. ...
  4. Save the changes to java. ...
  5. Restart the Impact server.

What is weak ciphers enabled?

A weak cipher is defined as an encryption/decryption algorithm that uses a key of insufficient length. Using an insufficient length for a key in an encryption/decryption algorithm opens up the possibility (or probability) that the encryption scheme could be broken (i.e. cracked).

How to disable TLS SSL server supports the use of static key ciphers?

In a TLS connection where (EC)DHE is not used, the key is exchanged using RSA, so the same symmetric key is used for the entire connection. In summary to disable ssl-static-key-ciphers, you will need to remove RSA from the httpd configuration.

What does weak ciphers enabled mean?

Weak cipher suites enabled: the server supports weak cipher suites for SSL/TLS connections. These cipher suites are currently considered broken and, depending on the specific cipher suite, offer poor or no security at all, thus defeating the purpose of using a secure communication channel in the first place.

How to bypass Java security block?

Information
  1. Go to the Control Panel from the Start menu.
  2. Double-click on the Java icon to get the Java control panel dialog box.
  3. Navigate to the Security Tab.
  4. Click the 'Edit Site List' button.
  5. Click the Add button in the Exception Site List window.
  6. Click in the empty field under Location field to enter the URL.

How to disable CBC ciphers in Java?

Resolution
  1. Navigate to the folder (or similar) C:\jdk1.8.0\jre\lib\security.
  2. Open java.security.
  3. Edit the line that contains "jdk.tls.disabledAlgorithms".
  4. Merge these values into the existing ones: "SSLv3, DES, DESede, RC4, MD5withRSA"
  5. Restart ActiveMQ service and Web Server.

How do I enable strong ciphers?

You can use the SSL Cipher Suite Order Group Policy settings to configure the default TLS cipher suite order.
  1. From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  2. Double-click SSL Cipher Suite Order, and then click the Enabled option.

How do I disable weak SSL ciphers in IIS?

Go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL and set DWORD value Enabled to 0. Go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56 and set DWORD value Enabled to 0.

How do I change ciphers in Windows Server?

Using Windows utilities
  1. Connect to the server via RDP.
  2. Go to Start > Edit group policy.
  3. Go to Local Computer Policy > Computer Configuration > Administrative Template > Network > SSL Configuration Settings > SSL Cipher Suite Order.
  4. Set option Enabled.
  5. Edit SSL Cipher Suites in the line.
  6. Press OK to apply changes.

Article information

Author: Sen. Ignacio Ratke
