The transition to NetApp MS Azure AD B2C is complete. If you missed the pre-registration, you will be invited to reigister at next log in.
Please note that access to your NetApp data may take up to 1 hour.
To learn more, read the FAQ and watch the video.
Need assistance? Complete this form and select “Registration Issue” as the Feedback Category.

Active IQ Unified Manager Discussions

DFM SSL weak ciphers

kofchur

I just had a security scan and was dinged on SSL ciphers in DFM that were less than 128-bit.  So, I know that I can invoke openssl on my DFM server and change this, but is it OK to do so?  I want to invoke the following to shut off all ciphers below 128-bit:

openssl ciphers -v SSLv3+MEDIUM+HIGH:!SSLv2:!aNULL:!eNULL:@STRENGTH

Or, do we have a better proceedure in place?  Thanks.

-todd

1 ACCEPTED SOLUTION

kofchur

Ok, I got it it figured out:

1) edit the ../DFM/conf/http.conf.tmpl file and add the following two lines that are indicated in bold, which will only allow encryption cyphers of 256:

...

@@HTTPS_BEGIN@@

...

          <VirtualHost_default_:@@HTTPS_PORT@@>>

                         AddType                    application/x-x509-ca-cert          .crt

                         AddType                    application/x-pkcs7-crl  .crt

                         SSLProtocol -all +SSLv3

                         SSLCipherSuite SSLv3:+HIGH:-MEDIUM:-LOW:-EXP

                         <IfModule mod_ssl.c>

...

2)  stop and restart http service:   dfm service stop http; dfm service start http

View solution in original post

2 REPLIES 2

kofchur

Ok, I got it it figured out:

1) edit the ../DFM/conf/http.conf.tmpl file and add the following two lines that are indicated in bold, which will only allow encryption cyphers of 256:

...

@@HTTPS_BEGIN@@

...

          <VirtualHost_default_:@@HTTPS_PORT@@>>

                         AddType                    application/x-x509-ca-cert          .crt

                         AddType                    application/x-pkcs7-crl  .crt

                         SSLProtocol -all +SSLv3

                         SSLCipherSuite SSLv3:+HIGH:-MEDIUM:-LOW:-EXP

                         <IfModule mod_ssl.c>

...

2)  stop and restart http service:   dfm service stop http; dfm service start http

View solution in original post

arjunan

how do i configure if i want to use cipher strength LOW which is below 128 bit in DFM server ?

Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner
Public