This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.

Click here to view the documentation for a supported version of Remedy Single Sign-On.

Changing FIPS-140 network ciphers

The network ciphers can be updated if stronger protection for communication is desired. Although, the network ciphers are independent of FIPS-140 mode, both the unlimited strength policy files and cryptography library are required to modify the network ciphers.

The following topics provide information and instruction for changing FIPS-140 network ciphers:

Default location for the server.xml file

The ciphers that the Transport Layer Security (TLS) protocol uses can be adjusted by editing the BMC Atrium Single Sign-On server.xml file. This file is located at the following default locations:

  • (Microsoft Windows) C:\Program Files\BMC Software\AtriumSSO\tomcat\conf
  • (UNIX) /opt/bmc/AtriumSSO/tomcat/conf

To modify the server.xml file

  1. Make a backup copy of the server.xml file.
  2. Open the server.xml file in your favorite text editor.
  3. Search for the Connector tag with the attribute scheme="https".
  4. Modify the cipher attribute by adding or removing items.

Multiple ciphers example

In the following example, the FIPS-140 version of the server.xml file has multiple ciphers:

<!-- FIPS140 -->
<Connector port="<at:var at:name="TOMCAT_HTTPS_PORT" />" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    ciphers="TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521, TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
    keystoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/keystore.p12"
    keystorePass="internal4bmc"
    keystoreType="PKCS12"
    keystoreProvider="JsafeJCE"
    truststoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/cacerts.p12"
    truststorePass="changeit"
    truststoreType="PKCS12"
    truststoreProvider="JsafeJCE" />

Single cipher example

In the following example, the FIPS-140 version of the server.xml file has a single cipher (TLS_RSA_WITH_3DES_EDE_CBC_SHA).

<!-- FIPS140 -->
<Connector port="<at:var at:name="TOMCAT_HTTPS_PORT" />" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    ciphers="TLS_RSA_WITH_3DES_EDE_CBC_SHA"
    keystoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/keystore.p12"
    keystorePass="internal4bmc"
    keystoreType="PKCS12"
    keystoreProvider="JsafeJCE"
    truststoreFile="C:\Program Files\BMC Software\AtriumSSO\tomcat/conf/cacerts.p12"
    truststorePass="changeit"
    truststoreType="PKCS12"
    truststoreProvider="JsafeJCE" />
Was this page helpful? Yes No Submitting... Thank you

Comments