How to exclude ciphers from Foglight Management Server and Foglight Agent Manager (4304516)

How to exclude ciphers from Foglight the Management Server (FMS) and Foglight Agent Manager (FglAM)?

1. Exclude Ciphers from FMS (Foglight Management Server)

The ciphers list in [FMS_HOME]/server/tomcat/server.xml can be modified as needed to make FMS meet your security goals and maintain browser compatibility. Only the ciphers that are included in the list and supported by the SSL implementation will be used by the FMS.

Example:

ciphers="TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA"

Notes:

• If no ciphers are included in the server.xml file, it means all ciphers are allowed.
• Since the cipher suites indicates the kind of key exchange, which depends on the server certificate key type. The cipher suites added to the server.xml must also support the same key exchange algorithm as your SSL certificate, otherwise browsers and FglAMs will not be able to connect to your server.
• In order to list the certificates you can issue the command: [FMS_HOME]/jre/bin/keytool -keystore [FMS_HOME]/config/tomcat.keystore -storepass nitrogen -list -v.
• The FMS server.xml file can control the ciphers by protocol type and version. You define which ones are allowed depending on the vulnerability scan report and the cipher used by the SSL certificate. If necessary, allowed TLS versions can be defined in the same file; refer to KB Article 4288189.
• Foglight uses the Tomcat Keystore Ciphers, Foglight does not use System Keystore, so the ones that needs to be excluded are the Tomcat.
• Foglight references RFC ciphers, so OpenSSL ciphers must be referenced by their RFC name.  See: OpenSSL to RFC Mapping.

2. Exclude Ciphers from FGLAM (Agent Manager) Concentrator

It is possible to exclude SSL cipher suites from both upstream Agent Manager connections (to the Management Server or an Agent Manager concentrator), or downstream connections (as a concentrator).

If you need to exclude one or more ciphers from the SSL encryption used for SSL connections, you can do so using one or more excluded-ssl-cipher elements in the fglam.config.xml configuration file. For example, you may want to exclude lower encryption strength ciphers, or ciphers with security vulnerabilities.

To exclude specific SSL ciphers from an upstream connection:

1. Open the [FGLAM_HOME]/state/default/config/fglam.config.xml file for editing.
2. Between the existing <config:http-upstreams> and </config:http-upstreams> tags, add an <config:http-upstream/> child element::

   <config:http-upstream url="https://secure_server_URL:port_number">
   <config:excluded-ssl-cipher name="SSL_RSA_WITH_RC4_128_MD5"/>
   <config:excluded-ssl-cipher name="SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"/>
   <config:excluded-ssl-cipher name="SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
   </config:http-upstream>

3. Save your changes.
4. Restart the Agent Manager.

To exclude specific SSL protocols from a downstream connection:

If you need to exclude one or more protocols from the SSL protocol negotiation you can do so using one or more excluded-ssl-protocol elements. Some common values are SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2.

If none are specified, then SSLv2Hello and SSLv3 are disabled by default. Otherwise only those protocols listed will be excluded.

For example:

<config:https-downstream port="port_number">
<config:excluded-ssl-cipher name="SSL_RSA_WITH_RC4_128_MD5"/>
<config:excluded-ssl-cipher name="SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"/>
<config:excluded-ssl-cipher name="SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
</config:https-downstream>

For more information, see the relevant sections in the latest version of the Foglight Agent Manager Guide, available on the Support Portal:

• Excluding SSL ciphers from upstream or downstream Connections
• Excluding Specific SSL Protocols from Downstream Connections

Note: Remember to get a back up of these configuration files before doing any editing.