How do I set the security protocol and update the cipher suites used by the EUM Server?

Similar to the steps outlined in the Set the Security Protocol document for the Controller, you can set or update the security protocol used by the EUM Server. That document covers the Controller, but the same steps apply when setting the JRE security protocol for the EUM Server. The process is the same; the major difference to keep in mind is the location of the JRE installation and the java.security file for the EUM Server.

 

To enable encryption keys up to 256-bit in the EUM Server, download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files within the EUM Server's embedded Java runtime. 

 

  1. Download the Unlimited Strength Jurisdiction Policy Files from the following location:
    http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html 

  2. Stop the EUM app server.

  3. Install the policy files in the JRE installed under the EUM Server's "Installation Path".

  4. Start the EUM app server. 

 

After restarting the EUM app server, the following cipher suites become available:

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA

If you want to modify the cipher suites, you can use the following steps. Please note that the example below shows how you would disable the DES cipher.

 

  1. Download the Unlimited Strength Jurisdiction Policy Files from the following location:
    http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

  2. Extract the contents of the downloaded policy files.

  3. Stop the EUM app server.

  4. Make a copy of the original JCE policy files (US_export_policy.jar and local_policy.jar).

  5. Replace the strong policy files in EUM Server's <java-home>\lib\security directory with the unlimited strength versions extracted during Step 2.

  6. From the EUM Server's <java-home>\lib\security directory, make a copy of the java.security file and add the following line to the original file:
    jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, DES, RSA keySize < 2048

  7. Save the changes.

  8. Start the EUM app server.
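
An added example, not part of the original article or any AppDynamics code: a Python check of an edited java.security file that can be run before starting the EUM app server. It reads the effective jdk.tls.disabledAlgorithms value (backslash continuations joined, last definition wins, as java.util.Properties loads the file) and flags entries that do not fit the JDK grammar. The function names, the sample text and the keyword set are assumptions of this example.

```python
# Added example: file-level audit of jdk.tls.disabledAlgorithms in java.security.
# Assumption: constraint keywords as listed in the JDK 8 java.security comments.
CONSTRAINT_KEYWORDS = {"keySize", "jdkCA", "denyAfter", "usage"}
KEY = "jdk.tls.disabledAlgorithms"

def read_property(text, key=KEY):
    """Return the effective value of key, or None if it is never set."""
    value, logical = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        if line.endswith("\\"):
            logical += line[:-1]          # continuation: join with next line
            continue
        name, sep, rest = (logical + line).partition("=")
        if sep and name.strip() == key:
            value = rest.strip()          # a later definition replaces an earlier one
        logical = ""
    return value

def audit(text, must_disable):
    """Return a list of problems; an empty list means the line looks right."""
    value = read_property(text)
    if value is None:
        return [KEY + " is not set"]
    problems, disabled = [], set()
    for entry in value.split(","):
        tokens = entry.split()
        if len(tokens) == 1:
            disabled.add(tokens[0].upper())   # algorithm disabled outright
        elif tokens and tokens[1] not in CONSTRAINT_KEYWORDS:
            problems.append("malformed entry (missing comma?): %r" % entry.strip())
    problems += ["%s is not disabled" % a for a in must_disable
                 if a.upper() not in disabled]
    return problems

# Constructed sample: a stock-style multi-line definition, then a second
# definition added further down with no comma after DES.
SAMPLE = """\
# constructed java.security excerpt
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
securerandom.source=file:/dev/random
jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, DES RSA keySize < 2048
"""

if __name__ == "__main__":
    for problem in audit(SAMPLE, ["DES", "SSLv3"]):
        print(problem)
```

On the constructed sample this reports the malformed DES entry and shows that the second definition replaced the first, so SSLv3 is no longer disabled.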


As always, when making a change that will affect the availability and security of a production environment, we recommend testing in a development/pre-prod environment first to ensure you get the results you expect. Once verified outside of production, you can then follow the same steps in the live production environment. Precautionary measures such as backing up the original file before modification are always a good idea. 

