How to Disable Weak Ciphers in Dell Security Management Server and Virtual Server (2024)

Symptoms

Affected Products:

  • Dell Security Management Server
  • Dell Data Protection | Enterprise Edition
  • Dell Security Management Server Virtual
  • Dell Data Protection | Virtual Edition

Cause

Not Applicable

Resolution

  • Dell Security Management Server
  • Dell Security Management Server Virtual

During the initial Enterprise Edition install, after we have input the SQL hostname and database name, the following errors appear:

Dell Security Management Server

  • Disable RC4/DES/3DES cipher suites in Windows using registry, GPO, or local security settings.

  • Modify the Compliance Reporter settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Compliance Reporter\conf\eserver.properties

    • Set eserver.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

    • Save

  • Modify the Console Web Services settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Console Web Services\conf\eserver.properties

    Note: Starting in 9.2 the console web service is no longer present.

    • Set eserver.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

    • Save

  • Modify the Device Server settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Device Server\conf\spring-jetty.xml

    • Update list in section to exclude the vulnerable cipher suites. List of suggested excluded cipher suites below.

    • Save

  • Modify the Security Server settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Security Server\conf\spring-jetty.xml

    • Update list in both sections to exclude the vulnerable cipher suites. List of suggested excluded cipher suites below.

    • Save

  • If Windows settings were changed, reboot back-end DDP|E server. If Windows settings were not changed, stop all DDP|E Windows services, and then start the services again.

  • Check for any stopped services.

  • Test new endpoint activation

  • Test Remote Management Console thick client (if TLSv1.0 is enabled in Windows).

  • Test Silverlight Console

Windows Secure Cipher Suites suggested inclusion list

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P521TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P384TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256TLS_RSA_WITH_AES_256_GCM_SHA384TLS_RSA_WITH_AES_128_GCM_SHA256TLS_RSA_WITH_AES_256_CBC_SHA256TLS_RSA_WITH_AES_256_CBC_SHATLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_128_CBC_SHATLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256

Jetty Weak Cipher Suites suggested Exclusion list

<list>
  <value>SSL_RSA_WITH_RC4_128_MD5</value>
  <value>SSL_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</value>
  <value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</value>
  <value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</value>
  <value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</value>
  <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</value>
  <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</value>
  <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</value>
  <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</value>
  <value>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</value>
  <value>SSL_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDH_RSA_WITH_RC4_128_SHA</value>
  <value>SSL_RSA_WITH_RC4_128_MD5</value>
  <value>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>SSL_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</value>
</list>

Dell Security Management Server Virtual

  • Modify the Compliance Reporter settings to only allow modern cipher suites at this location: /opt/dell/server/reporter/conf/eserver.properties

    • Set eserver.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

    • Save

  • Modify the Console Web Services settings to only allow modern cipher suites at this location: /opt/dell/server/console-web-services/conf/eserver.properties

    Note: Starting in 9.2 the console web service is no longer present.

    • Set eserver.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

    • Save

  • Modify the Device Server settings to only allow modern cipher suites at this location: /opt/dell/server/security-server/conf/spring-jetty.xml

    • Update list in section to exclude the vulnerable cipher suites. List of suggested excluded cipher suites below.

    • Save

  • Modify the Security Server settings to only allow modern cipher suites at this location: /opt/dell/server/security-server/conf/spring-jetty.xml

    • Update list in both sections to exclude the vulnerable cipher suites. List of suggested excluded cipher suites below.

    • Save

  • Reboot the DDP | VE server.

  • Check for any stopped services.

  • Test new endpoint activation

  • Test Remote Management Console thick client (if TLSv1.0 is enabled in Windows).

Jetty Weak Cipher Suites suggested Exclusion list.

<list>
  <value>SSL_RSA_WITH_RC4_128_MD5</value>
  <value>SSL_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</value>
  <value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</value>
  <value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</value>
  <value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</value>
  <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</value>
  <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</value>
  <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</value>
  <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</value>
  <value>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</value>
  <value>SSL_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDH_RSA_WITH_RC4_128_SHA</value>
  <value>SSL_RSA_WITH_RC4_128_MD5</value>
  <value>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>SSL_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</value>
</list>
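
A configuration audit for the two file types edited in the procedures above, added here as an example and not Dell's own code: it reports RC4/DES/3DES suites still listed in eserver.ciphers and required exclusions missing from a spring-jetty.xml list. The sample file bodies, the bean id and the excludeCipherSuites property name are constructed assumptions, since the page does not show the surrounding XML.

```python
import re
import xml.etree.ElementTree as ET

# RC4, DES and 3DES are the families the procedure disables.
WEAK = re.compile(r"_(RC4|DES|3DES)_")

def weak_in_properties(text):
    """Weak suites enabled by eserver.ciphers; None if the key is not set."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue  # comment or non key=value line
        key, _, value = line.partition("=")
        if key.strip() == "eserver.ciphers":
            suites = [s.strip() for s in value.split(",") if s.strip()]
            return [s for s in suites if WEAK.search(s)]
    return None

def excluded_in_jetty(xml_text):
    """Suite names found in any <list><value> element, ignoring XML namespaces."""
    found = set()
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "list":
            continue
        for v in el:
            name = (v.text or "").strip()
            if v.tag.rsplit("}", 1)[-1] == "value" and name.startswith(("TLS_", "SSL_")):
                found.add(name)
    return found

def missing_exclusions(xml_text, required):
    """Required exclusions that the Jetty config does not list."""
    return sorted(set(required) - excluded_in_jetty(xml_text))

# Constructed samples (not real Dell files); bean id and property name are assumed.
SAMPLE_PROPERTIES = """\
# constructed sample
eserver.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA
"""
SAMPLE_JETTY = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="sslContextFactory"><property name="excludeCipherSuites"><list>
    <value>SSL_RSA_WITH_RC4_128_MD5</value>
    <value>SSL_RSA_WITH_RC4_128_SHA</value>
  </list></property></bean>
</beans>
"""
REQUIRED = ["SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA"]

if __name__ == "__main__":
    print("weak suites still enabled:", weak_in_properties(SAMPLE_PROPERTIES))
    print("exclusions missing:", missing_exclusions(SAMPLE_JETTY, REQUIRED))
```

Run it against copies of the real files after saving and before restarting the services; an empty list from both functions means the edits match the procedure.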

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

FAQs

How do I disable weak ciphers on my server? ›

You can do this using GPO or Local security policy under Computer configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order. Set this policy to enable. Each cipher suite should be separated with a comma. Remove as needed based on the list below.

How to disable weak ciphers in Java security? ›

Use the jdk.tls.disabledAlgorithms parameter in the javahome/jre/lib/security/java.security file to disable the weak ciphers.

How do I disable TLS 1.2 cipher suites? ›

Disable TLS 1.2
  1. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000000.
  2. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000001.

How do I disable weak ciphers in TLS 1.2 Apache? ›

In Apache httpd, ciphers are set in the SSLCipherSuite directive. Ciphers are delimited by space or by semicolon (whatever you choose). To disable ciphers, you need to add an exclamation mark in front of the cipher.

How do you check what ciphers are enabled on server? ›

How to find the Cipher in Chrome
  1. Launch Chrome.
  2. Enter the URL you wish to check in the browser.
  3. Click on the ellipsis located on the top-right in the browser.
  4. Select More tools > Developer tools > Security.
  5. Look for the line "Connection...". This will describe the version of TLS or SSL used.
Mar 31, 2023

How do I disable TLS SSL server supports the use of static key ciphers? ›

Navigate to "Configuration - Security - Access" and select "Disabled" for "TLS v1.0/1.1 connection allowed" to turn off TLS 1.0 and 1.1.

How do you find weak ciphers? ›

How to do it...
  1. Open the terminal and launch the SSLScan tool.
  2. To scan your target using SSLScan, run the following command: sslscan demo.testfire.net.
  3. SSLScan will test the SSL certificate for all the ciphers it supports. Weak ciphers will be shown in red and yellow.

Why disable weak ciphers? ›

Disabling the weak ciphers on the server prevents a client from using a weak cipher that could be easily broken. There is a chance that a client that doesn't have any strong ciphers enabled will break but honestly this is a security issue that needs to be resolved anyway.

Does TLS 1.2 use weak ciphers? ›

A cipher suite is identified as obsolete when one or more of the mechanisms is weak. Especially weak encryption algorithms in TLS 1.2 are designated as NULL, RC2, RC4, DES, IDEA, and TDES/3DES; cipher suites using these algorithms should not be used.

How to disable cipher suites in Java? ›

How to configure CDC Replication Java engines to disable specific cipher suites for TLS
  1. Create a java. ...
  2. Edit java.security and set jdk.tls.disabledAlgorithms to disable cipher suites. ...
  3. Create a dmts64. ...
  4. Edit dmts64.vmargs to specify the location of the supplementary java.security file.
Aug 6, 2019

How to disable TLS 1.0 and 1.1 in Java? ›

For Windows, do the following:
  1. Open the tomcat8w.exe GUI utility. Its path is C:\Program Files\JSS\Tomcat\bin\tomcat8w.exe.
  2. In the Apache Tomcat 8.5 Tomcat 8 Properties window, click the Java tab.
  3. Add the -Djdk.tls.client.protocols=TLSv1.2 flag to the Java Options field.
  4. Click Apply.
  5. Click OK.
Dec 23, 2022

How do I enable TLS 1.2 Strong cipher suites? ›

Run a script to enable TLS 1.2 strong cipher suites
  1. Log in to the manager.
  2. Click Administration at the top.
  3. On the left, click Scheduled Tasks.
  4. In the main pane, click New.
  5. The New Scheduled Task Wizard appears.
  6. From the Type drop-down list, select Run Script.
Oct 7, 2022

How do I allow weak SSL TLS ciphers? ›

Step1: Login to WHM. Step2: Go to Home >> Service Configuration >> Exim Configuration Manager. Step3: Locate the option Allow weak SSL/TLS ciphers under the Security tab.

How do I enable newer ciphers TLS 1.2 +) in Web browsers? ›

  1. Open Internet Explorer.
  2. From the menu bar, click Tools > Internet Options > Advanced tab.
  3. Scroll down to Security category, manually check the option box for Use TLS 1.2.
  4. Click OK.
  5. Close your browser and restart Internet Explorer.

How to configure TLS ciphers? ›

You can use the SSL Cipher Suite Order Group Policy settings to configure the default TLS cipher suite order.
  1. From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  2. Double-click SSL Cipher Suite Order, and then click the Enabled option.
Feb 14, 2023

How do I check my TLS and SSL settings? ›

How to identify if an SSL/TLS protocol is enabled/disabled
  1. Click Start or press the Windows key.
  2. In the Start menu, either in the Run box or the Search box, type regedit and press Enter. ...
  3. Navigate to follow the registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.

Is tls_aes_256_gcm_sha384 secure? ›

The block cipher uses a block size larger than 64 bits, so it is not vulnerable to the Sweet32 attack. The message authentication code is a hashed message authentication code, which is considered secure. The underlying cryptographic hash function (Secure Hash Algorithm 2) is also considered secure.

How do I know if my server has TLS 1.2 enabled? ›

How to check if TLS 1.2 is enabled? If the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault is present, the value should be 0.

How do I enable TLS 1.2 on Windows Server? ›

Update and configure the .NET Framework to support TLS 1.2
  1. Determine .NET version. First, determine the installed . ...
  2. Install .NET updates. Install the . ...
  3. Configure for strong cryptography. Configure .NET Framework to support strong cryptography. ...
  4. SQL Server Native Client. Note.
Jan 29, 2023

How do I disable TLS 1.0 and 1.1 and SSL? ›

You can disable TLS 1.0 and 1.1 in DS by explicitly setting the ssl-protocols allowed per connection handler. It is strongly recommended that you restrict the allowed protocols to TLSv1.2 on the following connection handlers: LDAP, LDAPS, HTTPS and the Administrator Connector.

How do I disable TLS CBC ciphers? ›

Explicitly disable the CBC cipher by adding :!CBC at the end of the SSL ciphers allowed in the Configuration utility. Verify the change was made to the running configuration. Save the updated running configuration to disk.

Which cipher suites should be disabled? ›

For the purpose of this blogpost, I'll stick to disabling the following ciphers suites and hashing algorithms:
  • RC2.
  • RC4.
  • MD5.
  • 3DES.
  • DES.
  • NULL.
  • All cipher suites marked as EXPORT.
Jul 30, 2019

How do I check SSL TLS cipher suites in Windows? ›

To use group policy, configure SSL Cipher Suite Order under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings with the priority list for all cipher suites you want enabled. To use PowerShell, see TLS cmdlets.

How do I check my SSL certificate encryption level? ›

How to check an SSL certificate in Chrome and Firefox
  1. Click the padlock icon in the address bar for the website.
  2. Click on Certificate (Valid) in the pop-up.
  3. Check the Valid from dates to validate the SSL certificate is current.

How do I check my TLS handshake? ›

How to troubleshoot TLS handshake issues
  1. Method #1: Update your system's date and time.
  2. Method #2: Fix your Browser's configuration to match the Latest TLS Protocol Support.
  3. Method #3: Check and Change TLS Protocols [in Windows]
  4. Method #4: Verify Your Server Configuration [to Support SNI]

How do I turn off static key ciphers? ›

In summary, to disable ssl-static-key-ciphers, you will need to remove RSA from the httpd configuration. To disable ssl-static-key-ciphers, you will need to add !RSA to the httpd configuration.

What is the impact of disabling weak ciphers? ›

The only way to protect from such an issue is to disable weak cipher suites on the server side. After disabling them, even if an attacker is able to tamper with the negotiation, the server will refuse to use a weak cipher and abort the connection.

How do I disable weak SSL ciphers in IIS? ›

Procedure
  1. Create a new key called RC4 128/128 (Ciphers > New > Key > RC4 128/128).
  2. Right-click the key's name and create a new DWORD (32-bit) Value called 'Enabled'. (New > DWORD (32-bit) Value > Enabled).
  3. Leave the default value as '0'.

Author: Stevie Stamm
