topic Re: Cluster Active Gate exclude cipher suits in Open Q&A

Cluster Active Gate exclude cipher suits

Mizső — Wed, 01 Feb 2023 08:11:00 GMT

Hi Folks,

At one of our customers we should exclude some cipher suites from the Cluster Active Gate (with public internet leg).

We have followed the documentation and tried 3 types configuration of exluding 3DES chiper suites without success. We have checked the results with nmap, but nothing has changed after the CAG configuration and restart.

Cipher configuration for ActiveGate | Dynatrace Docs

We always made a change in the CAG config.properties file. These were the 3 types change method.

1. [com.compuware.apm.webserver]

excluded-ciphers = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA

2. [com.compuware.apm.webserver]

excluded-ciphers = TLS_DHE_RSA_WITH_3DES_

excluded-ciphers = TLS_ECDHE_RSA_WITH_3DES_

excluded-ciphers = TLS_RSA_WITH_3DES_

3. [com.compuware.apm.webserver]

excluded-ciphers = _3DES_

The results always were the same after restart of the CAG (we tried stop and start also beside restart option). 3DES chiper suites were still available.

nmap -sV --script ssl-enum-ciphers -p 443 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2023-01-19 10:24 CET

Nmap scan report for localhost (127.0.0.1)

Host is up (0.000042s latency).

rDNS record for 127.0.0.1: localhost.localdomain

PORT STATE SERVICE VERSION

443/tcp open ssl/http Apache httpd

| ssl-enum-ciphers:

| SSLv3: No supported ciphers found

| TLSv1.0:

| ciphers:

| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong

| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong

| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong

| compressors:

| NULL

| TLSv1.1:

| ciphers:

| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong

| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong

| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong

| compressors:

| NULL

| TLSv1.2:

| ciphers:

| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong

| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong

| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong

| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong

| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong

| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong

| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong

| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong

| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong

| TLS_RSA_WITH_AES_128_CBC_SHA - strong

| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong

| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong

| TLS_RSA_WITH_AES_256_CBC_SHA - strong

| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong

| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong

| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong

| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong

| compressors:

| NULL

|_ least strength: strong

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 17.69 seconds

Does anyone have experience with it?

Thanks in advance.

Best regards,

Mizső

Re: Cluster Active Gate exclude chiper suits

Babar_Qayyum — Tue, 31 Jan 2023 13:35:56 GMT

Hello @Mizső

If I am not mistaken. You will have to change the configuration in the custom.properties file to exclude the unwanted ciphers.

Regards,

Babar

Re: Cluster Active Gate exclude chiper suits

Mizső — Tue, 31 Jan 2023 14:22:17 GMT

Hi @Babar_Qayyum,

Above mentioned configuration changes were made in the CAG custom.properies file.

Best regards,

Mizső

Re: Cluster Active Gate exclude chiper suits

Babar_Qayyum — Tue, 31 Jan 2023 17:17:50 GMT

Hello @Mizső

I pointed out the file after reading "We always made a change in the CAG config.properties file. " the statement.

I remember that I have already excluded weak or unwanted ciphers. I will check tomorrow to share with you the exact method.

Regards,

Babar

Re: Cluster Active Gate exclude chiper suits

Mizső — Tue, 31 Jan 2023 17:57:17 GMT

Hi @Babar_Qayyum,

It would be nice.

In my original post I made a typo. So we also made a change is custom.properties file, we followed the documnetation.

Best regards,

Mizső

Re: Cluster Active Gate exclude chiper suits

Babar_Qayyum — Wed, 01 Feb 2023 07:36:48 GMT

Hello @Mizső

The following is configured in the custom.properties. Did you restart the cluster after the configurtion?

[com.compuware.apm.webserver]
ssl‑protocols = TLSv1.2
excluded-ciphers = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Regards,

Babar

Re: Cluster Active Gate exclude chiper suits

Mizső — Wed, 01 Feb 2023 07:42:27 GMT

Hi Babar,

Many thans for your switf response.

There were a restart but only process level not host level.

systemctl stop dynatracegateway

systemctl start dynatracegateway

I am going to try to restart the cluster active gate host after the configuration.

Best regards,

Mizső

Re: Cluster Active Gate exclude cipher suits

Mizső — Thu, 02 Feb 2023 18:03:56 GMT

Hi @Babar_Qayyum,

It is solved. There was a problem with the affected AG. Somehow the clinet istalled an Apache to this AG host beside the DT components. I did not expect this. There was not hardening on the Apache thats why we saw the 3ds chiper suits with nmap. Finally Apache have been disabled and problem solved... 😉

Thanks for your support.

Best regards,

Mizső

Re: Cluster Active Gate exclude cipher suits

Babar_Qayyum — Thu, 02 Feb 2023 18:36:53 GMT

Hello @Mizső

Thank you for sharing the update 🙂

Regards,

Babar

Re: Cluster Active Gate exclude cipher suits

AntonioSousa — Fri, 03 Feb 2023 08:43:54 GMT

@Mizső,

For clients with important security needs, the list that @Julius_Loman compiled is awesome:
https://community.dynatrace.com/t5/Dynatrace-tips/Public-endpoint-for-the-Cluster-ActiveGate/td-p/202652

Re: Cluster Active Gate exclude cipher suits

Mizső — Fri, 03 Feb 2023 08:49:45 GMT

Hi @AntonioSousa,

Thanks very much. The link marked as favourite in my browser. 😉

Best regards,

Mizső