3.7 Configuring Strong Ciphers for SSL/TLS Communication

To enhance the security of the Change Guardian web server, configure strong ciphers for SSL/TLS communication by excluding weaker cipher suites.

To Configure SSL/TLS Cipher Settings:

  1. Log in to the Change Guardian server’s SSH console.

  2. Navigate to the Jetty configuration directory.

    /etc/opt/novell/sentinel/3rdparty/jetty

  3. Create a backup of the jetty.xml file.

  4. Locate and open the jetty-ssl-context.xml file in a text editor.

  5. Add the CBC ciphers to the excluded cipher suites within the <Set name="ExcludeCipherSuites"> section.

    Example 3-2 The Configuration

    <Set name="ExcludeCipherSuites">
      <Array type="String">
        <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
        <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
        <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
        <Item>TLS_RSA_WITH_AES_256_CBC_SHA256</Item>
        <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
      </Array>
    </Set>

  6. Save your changes.

  7. Restart the Change Guardian services to apply the configuration.

    /opt/netiq/cg/scripts/cg_services.sh restart

After completing these steps, run a DAST scan with WebInspect to verify that the weak-cipher finding has been resolved.
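As an added example that is not part of this guide or of Change Guardian, the following Python script audits an ExcludeCipherSuites block of the kind shown in Example 3-2 and reports any CBC suite from a candidate list that the exclusions do not cover. The XML and the candidate suite list are constructed for the example; treating each entry as a regular expression relies on Jetty accepting regex entries in this list, so a plain suite name matches only itself.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring Example 3-2; not a file copied from a server.
SAMPLE_JETTY_SSL_CONTEXT_XML = """<?xml version="1.0"?>
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</Item>
      <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
      <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
      <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>
      <Item>TLS_RSA_WITH_AES_256_CBC_SHA256</Item>
      <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
    </Array>
  </Set>
</Configure>
"""

# Constructed list of suites a JVM might offer; the real list comes from the
# JVM's SSLContext and is usually longer.
CANDIDATE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",    # SHA-1 CBC suite, not in Example 3-2
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",          # SHA-1 CBC suite, not in Example 3-2
]

def excluded_cipher_suites(xml_text):
    """Return the <Item> entries found under <Set name="ExcludeCipherSuites">."""
    root = ET.fromstring(xml_text)
    items = []
    for set_el in root.iter("Set"):
        if set_el.get("name") == "ExcludeCipherSuites":
            items.extend(i.text.strip() for i in set_el.iter("Item") if i.text)
    return items

def uncovered_cbc_suites(excluded, candidates):
    """CBC suites in `candidates` that no exclusion entry matches.

    Entries are compiled as regular expressions (assumes Jetty's regex support),
    so a literal suite name matches itself and .*_CBC_.* covers the whole family.
    """
    patterns = [re.compile(entry) for entry in excluded]
    return sorted(s for s in candidates
                  if "_CBC_" in s and not any(p.fullmatch(s) for p in patterns))

if __name__ == "__main__":
    excluded = excluded_cipher_suites(SAMPLE_JETTY_SSL_CONTEXT_XML)
    for suite in uncovered_cbc_suites(excluded, CANDIDATE_SUITES):
        print("CBC suite not excluded:", suite)
```

Pointing the script at the real jetty-ssl-context.xml and at the suite list the server's JVM actually enables shows which CBC suites Example 3-2 leaves untouched (here the SHA-1 variants).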

3.7.1 Configuring SSL Ciphers in Cipher Block Chaining (CBC) Mode

If you do not want CBC ciphers exposed on the ports listed below, you can block or disable external access to those ports at the firewall level. This restricts CBC cipher usage to internal communications only, reducing external exposure.

Ports:

  • 1590/tcp

  • 7443/tcp

  • 61616/tcp

You can configure your firewall to restrict external access to these ports based on your system’s requirements and firewall tools.