How to exclude Ciphers from Foglight the Management Server and Foglight Agent Manager (4304516)

1. Exclude Ciphers from FMS (Foglight Management Server)

The ciphers list in [FMS_HOME]/server/tomcat/server.xml can be modified as needed to make FMS meet your security goals and maintain browser compatibility. Only the ciphers that are included in the list and supported by the SSL implementation will be used by the FMS.

Example:

ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,

TLS_DHE_RSA_WITH_AES_256_CBC_SHA,

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

Notes:

• If no ciphers are included in the server.xml file, it means all ciphers are allowed.
• Since the cipher suites indicates the kind of key exchange, which depends on the server certificate key type. The cipher suites added to the server.xml must also support the same key exchange algorithm as your SSL certificate, otherwise browsers and FGLAMS (Agent Managers) will not be able to connect to your server.
• In order to list the certificates you can issue the following command from this directory: Quest_Software\Foglight\jre\bin>

./keytool -keystore /Foglight_Home/config/tomcat.keystore -storepass nitrogen -list –v

• The FMS server.xml file can control the Ciphers by protocol type and version. You define which ones are allowed depending on Vulnerability scan Report and the Cipher used by the SSL certificate. TLS version could be removed from Server.xml; refer to KB Article : How to disable SSL v3 and enforce TLS 1.2 for HTTPS connections on the FMS (155075)
• To check what ciphers are available after changes, run the attached script checksslcipheravail.sh.

Example: ./checksslcipheravail.sh localhost 8443

• Foglight uses the Tomcat Keystore Ciphers, Foglight does not use System Keystore, so the ones that needs to be excluded are the Tomcat.
• Foglight references RFC ciphers, so OpenSSL ciphers must be referenced by their RFC name.  See OpenSSL to RFC Mapping
• For Ciphers TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA name prefix should be SSL_ not TLS_ when configure them for exclusion. This seems to be Java Bug JDK-8152623.
• Before Foglight 5.9.x tomcat.keystore is located in: /Foglight_Home/server/default/conf/tomcat.keystore

2. Exclude Ciphers from FGLAM (Agent Manager) Concentrator

It is possible to exclude SSL cipher suites from both upstream Agent Manager connections (to the Management Server or an Agent Manager concentrator), or downstream connections (as a concentrator).

If you need to exclude one or more ciphers from the SSL encryption used for SSL connections, you can do so using one or more excluded-ssl-cipher elements in the fglam.config.xml configuration file. For example, you may want to exclude lower encryption strength ciphers, or ciphers with security vulnerabilities.

To exclude specific SSL ciphers from an upstream connection:

1. Open the [fglam_home]/state/default/config/fglam.config.xml file for editing.
2. Between the existing and tags, add an child element:

<config:excluded-ssl-cipher name="SSL_RSA_WITH_RC4_128_MD5"/>
<config:excluded-ssl-cipher name="SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"/>
<config:excluded-ssl-cipher name="SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>

2. Save your changes.
3. Restart the Agent Manager.

To exclude specific SSL protocols from a downstream connection:

If you need to exclude one or more protocols from the SSL protocol negotiation you can do so using one or more excluded-ssl-protocol elements. Some common values are SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2.

If none are specified, then SSLv2Hello and SSLv3 are disabled by default. Otherwise only those protocols listed will be excluded.

For example:

<https-downstream port="8443"/>
<excluded-ssl-protocol name="SSLv2Hello"/>
<excluded-ssl-protocol name="SSLv3"/>
<excluded-ssl-protocol name="TLSv1"/>

For additional information, refer to the Foglight Agent Manager Guide:

• Excluding SSL ciphers from upstream or downstream Connections
• Excluding Specific SSL Protocols from Downstream Connections

Note:  Remember to get a back up of these configuration files before doing any editing.

Foglight - Security and Compliance Guide

Enabling FIPS 140-2 mode for HTTPS traffic

Foglight Agent Manager

In order to list the certificates on the Agent Manager, you can issue the following command from this directory: \Quest_Software\FGLAM\jre\1.x\jre\bin>

keytool -list -v -keystore C:\Quest_Software\FGLAM\jre\1.x\jre\lib\security\cacerts