How to change or disable TLS and Weak Ciphers and Protocols on VIP Enterprise Gateway
Last Updated June 18, 2019
This article describes how to change the cipher list and the Transport Layer Security (TLS) protocols in the following versions:
VIP Enterprise Gateway 9.8.x, 9.7.x, 9.6.x
VIP SSP IDP Proxy 9.6.x, 9.7.x
VIP ENTERPRISE GATEWAY 9.8.x, 9.7.x, 9.6.x
By default, SSL protocol versions 2.0 and 3.0 are considered weak and are restricted in the BlacklistedProtocols.properties exclusion file. Weak ciphers (ciphers with a key length < 128 bits) are restricted in the weakciphers.properties exclusion file. Both files can be manually modified to restrict additional protocols or ciphers.
- Modifying the Transport Layer Security (TLS) Protocols
The BlacklistedProtocols properties file (\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\conf\BlacklistedProtocols.properties) can be modified to include additional TLS versions. To do this, add the protocol to the bottom of the list using a standard text editor. Save the file, and restart the Enterprise Gateway. Always create a backup of the original file before making changes.
- Modifying the Weak Ciphers list for the Self Service Portal (SSP)
Follow these steps to restrict ciphers on the Self Service Portal (SSP) IdP, VIP Manager IdP, and the VIP Enterprise Gateway:
Important: Symantec recommends always running the latest available VIP software. Run LiveUpdate from the VIP EG console, or manually download updates from https://manager.vip.com.
1. Stop the following applicable VIP Services:
   - Symantec Self Service Portal Service
   - Symantec LDAP DirSync Service
   - All Symantec Validation Authentication Services
   - Symantec VIP Manager Service
   - Symantec Enterprise Gateway Service
2. Rename the current weakciphers.properties located at <VIPEG_INSTALLATION>/conf/weakciphers.properties.
3. Download the attached weakciphers.properties file into this same folder.
4. Restart the Enterprise Gateway.
The weakciphers.properties file contains two sections: #Weak SSL Ciphers and #Weak TLS Ciphers. Additional ciphers can be blocked by adding them to this list (IANA format). Always create a backup of the original file before making changes.
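An added example, not part of the original article or the product's own tooling: a Python audit that reads a weakciphers.properties-style list and reports enabled suites that meet the article's weak criteria (key length < 128 bits, or RC4) but are not yet listed. The one-name-per-line layout, the sample contents and the function names are assumptions.

```python
import re

# Ciphers whose suite name carries no standalone key size (nominal bits).
FIXED_KEY_BITS = [("NULL", 0), ("3DES_EDE", 168), ("DES40", 40), ("DES", 56),
                  ("IDEA", 128), ("SEED", 128), ("CHACHA20", 256)]

# Constructed samples; one suite name per line is an assumed file layout.
SAMPLE_WEAKCIPHERS = """\
#Weak SSL Ciphers
TLS_RSA_WITH_RC4_128_MD5
#Weak TLS Ciphers
TLS_RSA_WITH_DES_CBC_SHA
"""
SAMPLE_ENABLED = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA",
                  "TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"]

def parse_blocklist(text):
    """Map each '#' section header to the set of suite names under it."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#"):
            current = line.lstrip("#").strip()
            sections.setdefault(current, set())
        elif line:
            sections.setdefault(current, set()).add(line)
    return sections

def key_bits(suite):
    """Nominal encryption key length implied by the suite name, or None."""
    cipher = re.sub(r"^TLS_", "", suite.split("_WITH_", 1)[-1])
    if match := re.search(r"(?:^|_)(\d+)(?:_|$)", cipher):  # AES_128, RC4_40
        return int(match.group(1))
    return next((b for p, b in FIXED_KEY_BITS if cipher.startswith(p)), None)

def unblocked_weak(enabled, blocklist_text):
    """Enabled suites that are weak by the article's criteria but not listed."""
    blocked = set().union(*parse_blocklist(blocklist_text).values())
    findings = []
    for suite in enabled:
        bits = key_bits(suite)
        reason = (f"{bits}-bit key" if bits is not None and bits < 128
                  else "RC4" if "_RC4_" in suite else None)
        if reason and suite not in blocked:
            findings.append((suite, reason))
    return findings

if __name__ == "__main__":
    for suite, reason in unblocked_weak(SAMPLE_ENABLED, SAMPLE_WEAKCIPHERS):
        print(f"not blocked: {suite} ({reason})")
```

3DES is reported at its nominal 168-bit key length, so the < 128-bit rule alone does not flag it.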
- Rollback procedures for VIP Enterprise Gateway 9.7 or VIP Enterprise Gateway 9.8
Perform these steps if the above solution fails:
1. Stop the following services, if applicable:
   - Self Service Portal IdP
   - VIP Manager IdP
   - LDAP sync service
   - All Validation Services
   - VIP Enterprise Gateway Service
2. Restore the previously backed-up weakciphers.properties to the <VIPEG_INSTALLATION>/conf/ folder.
In the SSP IdP Proxy, by default, SSL protocol versions 2.0 and 3.0 are considered weak and are listed in the jetty.xml file located at SSP IDP Proxy Home/server/etc. The jetty.xml file can be modified to restrict any protocol, such as SSL, or any weak cipher, such as RC4, when potential vulnerabilities are detected.
- Modifying the VIP SSP IDP Proxy
(Note: For VIP Self-Service Portal IdP Proxy versions prior to 9.7, update the VIP Enterprise Gateway and the proxy to version 9.7 or higher before applying these steps. Older versions either do not have the weak cipher concept or support only limited blacklisting of weak cipher suites.)
Follow these steps to modify the VIP Self Service IdP Proxy component:
1. Update the weakciphers.properties file by following the instructions above.
2. Stop the VIP Self Service IdP Proxy service through the Microsoft Management Console.
3. Create a backup of the jetty.xml file located at <SSP_PROXY_INSTALLATION>/server/etc/.
4. Download the jetty.xml file attached to this article and save it to this folder.
5. Save the file.
6. Restart the VIP Self Service IDP Proxy service.
7. If problems occur, revert to the backed-up jetty.xml, then restart the service.
Additional protocols and cipher suites can be restricted by modifying jetty.xml using a standard text editor.