How to Disable Weak Ciphers in Dell Security Management Server and Virtual Server

Summary: This article provides information about how to disable weak ciphers on Dell Security Management Server (formerly Dell Data Protection | Enterprise Edition) and Dell Security Management Server Virtual (formerly Dell Data Protection | Virtual Edition).


Symptoms

Affected Products:

  • Dell Security Management Server
  • Dell Data Protection | Enterprise Edition
  • Dell Security Management Server Virtual
  • Dell Data Protection | Virtual Edition

Cause

Not Applicable

Resolution

During the initial Enterprise Edition install, after we have input the SQL hostname and database name, the following errors appear:

Dell Security Management Server

  • Disable RC4/DES/3DES cipher suites in Windows using registry, Group Policy Object (GPO), or local security settings.

    • You can do this using GPO or Local security policy under Computer configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order.

    • Set this policy to Enabled. Separate each cipher suite with a comma. Remove entries as needed based on the list below.

    • To disable based on registry, reference this article:

  • Modify the Compliance Reporter settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Compliance Reporter\conf\eserver.properties

    • Set (on a single line)

eserver.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

    • Save

  • Modify the Console Web Services settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Console Web Services\conf\eserver.properties

    Note: Starting in 9.2 the console web service is no longer present.
    • Set

eserver.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

    • Save

  • Modify the Device Server settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Device Server\conf\spring-jetty.xml

    • Update the list in this section to exclude the vulnerable cipher suites. A list of suggested excluded cipher suites is below.

    • Save

  • Modify the Security Server settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Security Server\conf\spring-jetty.xml

    • Update the list in both sections to exclude the vulnerable cipher suites. A list of suggested excluded cipher suites is below.

    • Save

  • If Windows settings were changed, reboot the back-end DDP|E server. If Windows settings were not changed, stop all DDP|E Windows services, and then start the services again.

  • Check for any stopped services.

  • Test new endpoint activation

  • Test a Remote Management Console thick client (if TLS1.0 is enabled in Windows).

  • Test Silverlight Console

Windows Secure Cipher Suites suggested inclusion list

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P521

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256

Jetty Weak Cipher Suites suggested Exclusion list

<list>

<value>SSL_RSA_WITH_RC4_128_MD5</value>

<value>SSL_RSA_WITH_RC4_128_SHA</value>

<value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>

<value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</value>

<value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</value>

<value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</value>

<value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</value>

<value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</value>

<value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</value>

<value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</value>

<value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</value>

<value>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</value>

<value>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</value>

<value>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</value>

<value>SSL_RSA_WITH_RC4_128_SHA</value>

<value>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</value>

<value>TLS_ECDH_RSA_WITH_RC4_128_SHA</value>

<value>SSL_RSA_WITH_RC4_128_MD5</value>

<value>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</value>

<value>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</value>

<value>SSL_RSA_WITH_3DES_EDE_CBC_SHA</value>

<value>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</value>

<value>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</value>

</list>

Dell Security Management Server Virtual

  • Modify the Compliance Reporter settings to only allow modern cipher suites at this location: /opt/dell/server/reporter/conf/eserver.properties

    • Set (on a single line)

eserver.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

    • Save

  • Modify the Console Web Services settings to only allow modern cipher suites at this location: /opt/dell/server/console-web-services/conf/eserver.properties

    Note: Starting in 9.2 the console web service is no longer present.
    • Set

eserver.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA

    • Save

  • Modify the Device Server settings to only allow modern cipher suites at this location: /opt/dell/server/security-server/conf/spring-jetty.xml

    • Update the list in this section to exclude the vulnerable cipher suites. A list of suggested excluded cipher suites is below.

    • Save

  • Modify the Security Server settings to only allow modern cipher suites at this location: /opt/dell/server/security-server/conf/spring-jetty.xml

    • Update the list in both sections to exclude the vulnerable cipher suites. A list of suggested excluded cipher suites is below.

    • Save

  • Reboot the DDP | VE server.

  • Check for any stopped services.

  • Test new endpoint activation

  • Test a Remote Management Console thick client (if TLS1.0 is enabled in Windows).

Jetty Weak Cipher Suites suggested Exclusion list

<list>

<value>SSL_RSA_WITH_RC4_128_MD5</value>

<value>SSL_RSA_WITH_RC4_128_SHA</value>

<value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>

<value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</value>

<value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</value>

<value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</value>

<value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</value>

<value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</value>

<value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</value>

<value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</value>

<value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</value>

<value>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</value>

<value>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</value>

<value>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</value>

<value>SSL_RSA_WITH_RC4_128_SHA</value>

<value>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</value>

<value>TLS_ECDH_RSA_WITH_RC4_128_SHA</value>

<value>SSL_RSA_WITH_RC4_128_MD5</value>

<value>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</value>

<value>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</value>

<value>SSL_RSA_WITH_3DES_EDE_CBC_SHA</value>

<value>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</value>

<value>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</value>

</list>
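
The following is an added example, not part of the Dell article or of Dell's tooling: a Python audit of the two file types edited in both procedures above, run after saving and before restarting services. It assumes the cipher lists in spring-jetty.xml appear as <list><value>…</value></list> as shown in this article; the function names are hypothetical, and the required argument is the exclusion list you pass in.

```python
import re
import xml.etree.ElementTree as ET

WEAK = re.compile(r"_(RC4|3?DES\d*)_")   # RC4/DES/3DES, the families this article disables
WELL_FORMED = re.compile(r"^(TLS|SSL)_[A-Z0-9_]+_WITH_[A-Z0-9_]*[A-Z0-9]$")

def allowed_ciphers(properties_text):
    """Suites named by eserver.ciphers in the text of an eserver.properties file."""
    # A .properties value continues on the next line only after a trailing "\".
    joined = re.sub(r"\\\r?\n[ \t]*", "", properties_text)
    for line in joined.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "eserver.ciphers":
            return [s.strip() for s in value.split(",") if s.strip()]
    return []

def audit_allowlist(properties_text):
    """Return (weak, malformed) entries of the eserver.ciphers allow-list.

    A malformed entry usually means the value was pasted with a hard line
    wrap inside a suite name, which silently truncates the list.
    """
    suites = allowed_ciphers(properties_text)
    weak = [s for s in suites if WEAK.search(s)]
    malformed = [s for s in suites if not WELL_FORMED.match(s)]
    return weak, malformed

def missing_exclusions(jetty_xml_text, required):
    """For each cipher <list> in spring-jetty.xml, the required suites it omits."""
    report = []
    for node in ET.fromstring(jetty_xml_text).iter():
        if node.tag.rsplit("}", 1)[-1] != "list":    # drop any XML namespace
            continue
        values = {(v.text or "").strip() for v in node
                  if v.tag.rsplit("}", 1)[-1] == "value"}
        if any("_WITH_" in v for v in values):        # skip lists that are not ciphers
            report.append(sorted(set(required) - values))
    return report

if __name__ == "__main__":
    # Constructed sample input, not taken from a real server.
    props = "eserver.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA\n"
    jetty = "<beans><list><value>SSL_RSA_WITH_RC4_128_MD5</value></list></beans>"
    print(audit_allowlist(props))
    print(missing_exclusions(jetty, ["SSL_RSA_WITH_RC4_128_MD5",
                                     "SSL_RSA_WITH_RC4_128_SHA"]))
```

An empty result from both functions for every file means the allow-lists contain no RC4/DES/3DES entries and each Jetty list (one for Device Server, two for Security Server) carries every suite you required.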

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

Dell Encryption
Article Properties
Article Number: 000126232
Article Type: Solution
Last Modified: 04 Mar 2024
Version:  8