Cluster Active Gate exclude cipher suites

Mizső
DynaMight Leader

Hi Folks,

At one of our customers we should exclude some cipher suites from the Cluster Active Gate (with a public internet leg).

We have followed the documentation and tried 3 types of configuration for excluding the 3DES cipher suites, without success. We checked the results with nmap, but nothing changed after the CAG configuration and restart.

Cipher configuration for ActiveGate | Dynatrace Docs

We always made the change in the CAG config.properties file. These were the 3 change methods.

1. [com.compuware.apm.webserver]
excluded-ciphers = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA

OR

2. [com.compuware.apm.webserver]
excluded-ciphers = TLS_DHE_RSA_WITH_3DES_
excluded-ciphers = TLS_ECDHE_RSA_WITH_3DES_
excluded-ciphers = TLS_RSA_WITH_3DES_

OR

3. [com.compuware.apm.webserver]
excluded-ciphers = _3DES_

The results were always the same after a restart of the CAG (we tried stop and start as well as the restart option). The 3DES cipher suites were still available.

nmap -sV --script ssl-enum-ciphers -p 443 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2023-01-19 10:24 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000042s latency).
rDNS record for 127.0.0.1: localhost.localdomain
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.69 seconds

Does anyone have experience with it?

Thanks in advance.

Best regards,

Mizső

Certified Dynatrace Professional

Babar_Qayyum
DynaMight Guru

Hello @Mizső 

If I am not mistaken, you will have to change the configuration in the custom.properties file to exclude the unwanted ciphers.

Regards,

Babar

Hi @Babar_Qayyum,

The above-mentioned configuration changes were made in the CAG custom.properties file.

Best regards,

Mizső

Certified Dynatrace Professional

Hello @Mizső 

I pointed out the file after reading the statement "We always made a change in the CAG config.properties file."

I remember that I have already excluded weak or unwanted ciphers. I will check tomorrow and share the exact method with you.

Regards,

Babar

Hi @Babar_Qayyum,

It would be nice.

In my original post I made a typo. So we also made the change in the custom.properties file; we followed the documentation.

Best regards,

Mizső 

Certified Dynatrace Professional

Hello @Mizső 

The following is configured in the custom.properties. Did you restart the cluster after the configuration?

[com.compuware.apm.webserver]
ssl-protocols = TLSv1.2
excluded-ciphers = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Regards,

Babar

Hi Babar,

Many thanks for your swift response.

There was a restart, but only at process level, not host level.

systemctl stop dynatracegateway
systemctl start dynatracegateway

I am going to try to restart the cluster active gate host after the configuration.

Best regards,

Mizső

Certified Dynatrace Professional

Mizső
DynaMight Leader

Hi @Babar_Qayyum,

It is solved. There was a problem with the affected AG. Somehow the client had installed an Apache on this AG host beside the DT components. I did not expect this. There was no hardening on the Apache, that's why we saw the 3DES cipher suites with nmap. Finally Apache has been disabled and the problem is solved... 😉

Thanks for your support.

Best regards,

Mizső

Certified Dynatrace Professional
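Two things in this thread are worth automating: checking whether the suites listed in excluded-ciphers (and the protocols in ssl-protocols) are really gone from what the port offers, and noticing when the VERSION column of the nmap scan names a server that is not the ActiveGate at all, as happened here with the stray Apache. The script below is an added example written for this page; it is not Dynatrace code and not something posted in the thread. The custom.properties fragment and the nmap excerpt embedded in it are constructed for the example (the excerpt is modelled on the scan in the first post), and the list of server banners treated as "unexpected" is an assumption. The cipher regex also accepts the `TLS_... (rsa 2048) - C` line format of current nmap releases, which grade 3DES suites down and add a SWEET32 warning that the older "strong" rating in the post does not reflect.

```python
"""Audit an nmap ssl-enum-ciphers scan against an ActiveGate custom.properties.

Added example, not Dynatrace code. Config text and nmap output below are
constructed inputs so the script runs offline.
"""
import re
from configparser import ConfigParser

SECTION = "com.compuware.apm.webserver"  # section name as used in the thread

# Constructed custom.properties fragment (keys as in the thread).
CUSTOM_PROPERTIES = """
[com.compuware.apm.webserver]
ssl-protocols = TLSv1.2
excluded-ciphers = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA
"""

# Constructed excerpt of `nmap -sV --script ssl-enum-ciphers -p 443 <host>`.
NMAP_OUTPUT = """
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|_  least strength: strong
"""

# Substrings that mark a suite as weak regardless of what the config says.
WEAK_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "_DES_", "MD5", "anon")
# Assumption: banners that mean "something other than the gateway answered".
UNEXPECTED_SERVERS = ("Apache", "nginx", "IIS")

_PORT_RE = re.compile(r"^\d+/tcp\s+open\s+(\S+)\s*(.*)$")
_PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv[\d.]+):\s*$")
_CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+)\s+(?:\([^)]*\)\s+)?-\s+\S+")


def parse_config(text):
    """Return (excluded cipher set, allowed protocol set) from the webserver section."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp[SECTION]
    split = lambda v: {x.strip() for x in v.split(",") if x.strip()}
    return split(sec.get("excluded-ciphers", "")), split(sec.get("ssl-protocols", ""))


def parse_nmap(text):
    """Return ({protocol: [cipher, ...]}, service banner) from ssl-enum-ciphers output."""
    offered, banner, proto = {}, None, None
    for line in text.splitlines():
        m = _PORT_RE.match(line)
        if m:
            banner = (m.group(1) + " " + m.group(2)).strip()
            continue
        m = _PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            offered[proto] = []
            continue
        m = _CIPHER_RE.match(line)
        if m and proto:
            offered[proto].append(m.group(1))
    return offered, banner


def audit(config_text, nmap_text):
    """List every way the scan contradicts the config, plus the observed banner."""
    excluded, allowed = parse_config(config_text)
    offered, banner = parse_nmap(nmap_text)
    findings = []
    if banner and any(s in banner for s in UNEXPECTED_SERVERS):
        findings.append(f"port answered by '{banner}', not the ActiveGate web server")
    for proto, ciphers in offered.items():
        if allowed and proto not in allowed:
            findings.append(f"{proto}: offered although not listed in ssl-protocols")
        for c in ciphers:
            if c in excluded:
                findings.append(f"{proto}: {c} is in excluded-ciphers but still offered")
            elif any(w in c for w in WEAK_MARKERS):
                findings.append(f"{proto}: {c} is weak and not excluded")
    return findings, banner


if __name__ == "__main__":
    for f in audit(CUSTOM_PROPERTIES, NMAP_OUTPUT)[0]:
        print(f)
```

Feed it the real file and a fresh scan (`audit(open("custom.properties").read(), nmap_text)`); if excluded suites are still reported after the gateway service has been restarted, the first finding usually explains why: look at what owns the socket (`ss -tlnp 'sport = :443'`) before changing the gateway config again.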

Hello @Mizső 

Thank you for sharing the update 🙂

Regards,

Babar

AntonioSousa
DynaMight Guru

@Mizső,

For clients with important security needs, the list that @Julius_Loman compiled is awesome:
https://community.dynatrace.com/t5/Dynatrace-tips/Public-endpoint-for-the-Cluster-ActiveGate/td-p/20...

Antonio Sousa

Mizső
DynaMight Leader

Hi @AntonioSousa,

Thanks very much. The link is marked as a favourite in my browser. 😉

Best regards,

Mizső

Certified Dynatrace Professional
