The ciphers list in [FMS_HOME]/server/tomcat/server.xml can be modified as needed to make FMS meet your security goals and maintain browser compatibility. Only the ciphers that are included in the list and supported by the SSL implementation will be used by the FMS.
./keytool -keystore /Foglight_Home/config/tomcat.keystore -storepass nitrogen -list –v
Example: ./checksslcipheravail.sh localhost 8443
It is possible to exclude SSL cipher suites from both upstream Agent Manager connections (to the Management Server or an Agent Manager concentrator), or downstream connections (as a concentrator).
If you need to exclude one or more ciphers from the SSL encryption used for SSL connections, you can do so using one or more excluded-ssl-cipher elements in the fglam.config.xml configuration file. For example, you may want to exclude lower encryption strength ciphers, or ciphers with security vulnerabilities.
If you need to exclude one or more protocols from the SSL protocol negotiation you can do so using one or more excluded-ssl-protocol elements. Some common values are SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2.
If none are specified, then SSLv2Hello and SSLv3 are disabled by default. Otherwise only those protocols listed will be excluded.
For additional information, refer to the Foglight Agent Manager Guide:
Note: Remember to get a back up of these configuration files before doing any editing.
Foglight - Security and Compliance Guide
Foglight Agent Manager
In order to list the certificates on the Agent Manager, you can issue the following command from this directory: \Quest_Software\FGLAM\jre\1.x\jre\bin>
keytool -list -v -keystore C:\Quest_Software\FGLAM\jre\1.x\jre\lib\security\cacerts