Changing FIPS-140 network ciphers
The network ciphers can be updated if stronger protection for communication is desired. Although the network ciphers are independent of FIPS-140 mode, both the unlimited strength policy files and the cryptography library are required to modify them.
The following topics provide information and instructions for changing FIPS-140 network ciphers:
Default location for the server.xml file
The ciphers that the Transport Layer Security (TLS) protocol uses can be adjusted by editing the BMC Atrium Single Sign-On server.xml file. This file is located at the following default locations:
- (Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\tomcat\conf
- (UNIX) /opt/bmc/AtriumSSO/tomcat/conf
To modify the server.xml file
- Make a backup copy of the server.xml file.
- Open the server.xml file in your favorite text editor.
- Search for the Connector tag with the attribute scheme="https".
- Modify the ciphers attribute (a comma-separated list of cipher suite names) by adding or removing items.
Multiple ciphers example
In the following example, the FIPS-140 version of the server.xml file has multiple ciphers:
<!-- FIPS140 -->
<Connector port="<at:var at:name="TOMCAT_HTTPS_PORT" />" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521, TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
keystoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/keystore.p12"
keystorePass="internal4bmc"
keystoreType="PKCS12"
keystoreProvider="JsafeJCE"
truststoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/cacerts.p12"
truststorePass="changeit"
truststoreType="PKCS12"
truststoreProvider="JsafeJCE" />
Single cipher example
In the following example, the FIPS-140 version of the server.xml file has a single cipher (TLS_RSA_WITH_3DES_EDE_CBC_SHA).
<!-- FIPS140 -->
<Connector port="<at:var at:name="TOMCAT_HTTPS_PORT" />" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
ciphers="TLS_RSA_WITH_3DES_EDE_CBC_SHA"
keystoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/keystore.p12"
keystorePass="internal4bmc"
keystoreType="PKCS12"
keystoreProvider="JsafeJCE"
truststoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/cacerts.p12"
truststorePass="changeit"
truststoreType="PKCS12"
truststoreProvider="JsafeJCE" />
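The edit described in the procedure above, applied to the ciphers attribute format shown in the two examples, as an added script that is not BMC's own tooling: it locates the Connector with scheme="https", applies removals and then additions, refuses to write an empty list, and keeps the FIPS140 comment when the file is rewritten. The server.xml fragment, port 8443 and the function names are constructed for this example.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of the relevant part of server.xml (the real file sits in
# the tomcat/conf directory named above; port 8443 stands in for the variable).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- FIPS140 -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        ciphers="TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256"
        keystoreType="PKCS12" keystoreProvider="JsafeJCE" />
  </Service>
</Server>
"""


def cipher_list(connector):
    """Split the comma-separated ciphers attribute, ignoring stray spaces and blanks."""
    return [c.strip() for c in connector.get("ciphers", "").split(",") if c.strip()]


def update_ciphers(xml_text, add=(), remove=()):
    """Return (new_xml_text, resulting cipher list) after editing the single
    Connector with scheme="https". Removals are applied before additions, and
    an edit that would leave no cipher at all is refused."""
    # insert_comments keeps the <!-- FIPS140 --> marker when serialising again
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    conns = [c for c in root.iter("Connector") if c.get("scheme") == "https"]
    if len(conns) != 1:
        raise ValueError(f'expected one scheme="https" Connector, found {len(conns)}')
    conn = conns[0]
    ciphers = [c for c in cipher_list(conn) if c not in set(remove)]
    for c in add:
        if c not in ciphers:
            ciphers.append(c)
    if not ciphers:
        raise ValueError("refusing to write an empty ciphers attribute")
    conn.set("ciphers", ", ".join(ciphers))
    return ET.tostring(root, encoding="unicode"), ciphers


def update_server_xml(path, add=(), remove=()):
    """Apply update_ciphers to a file, keeping a .bak copy first (step 1 of the procedure)."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    new_text, ciphers = update_ciphers(path.read_text(encoding="utf-8"), add, remove)
    path.write_text(new_text, encoding="utf-8")
    return ciphers
```

Restart Tomcat after the change; a cipher name the JsafeJCE provider does not recognise is only reported at startup, so check the log after restarting.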