Monthly Archives: March 2017

Script to automate lock down of all EM13cR2 agents to HIGH strength ciphersuites

[EDIT 20170420: Upgraded script to version 1.1. No functionality changes, but added instructions to download+install unlimited strength policy .jar files to allow the use of even stronger ciphersuites such as TLS_RSA_WITH_AES_256_CBC_SHA256.]
This post releases a new script, secure_agent_ciphersuites.sh, which uses EMCLI to set the SSLCipherSuites agent property on all EM13c R2 agents to the value “SSL_RSA_WITH_3DES_EDE_CBC_SHA”, in order to lock agent endpoints down to HIGH strength ciphersuites. By default, EM13c R2 agents allow two MEDIUM strength ciphersuites in addition to the one HIGH strength: SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA. If you login to EMCLI as SYSMAN and have preferred host credentials configured, then run this script, it will identify all of your agents, set SSLCipherSuites as needed, and restart agents to bring them into compliance.

This script supplements my existing script to lock down EM13c agents to TLSv1.2 and configured your agents in a way that passes the security checks implemented in my EM13c R2 security checkup script.

Advertisements