31 Jan 2023 12:42 PM - last edited on 01 Feb 2023 08:11 AM by HannahM
Hi Folks,
At one of our customers we need to exclude some cipher suites from the Cluster ActiveGate (with a public internet leg).
We have followed the documentation and tried 3 types of configuration for excluding the 3DES cipher suites without success. We have checked the results with nmap, but nothing changed after the CAG configuration and restart.
Cipher configuration for ActiveGate | Dynatrace Docs
We always made the change in the CAG config.properties file. These were the 3 change methods.
1. [com.compuware.apm.webserver]
excluded-ciphers = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA
OR
2. [com.compuware.apm.webserver]
excluded-ciphers = TLS_DHE_RSA_WITH_3DES_
excluded-ciphers = TLS_ECDHE_RSA_WITH_3DES_
excluded-ciphers = TLS_RSA_WITH_3DES_
OR
3. [com.compuware.apm.webserver]
excluded-ciphers = _3DES_
The results were always the same after a restart of the CAG (we also tried stop and start besides the restart option). The 3DES cipher suites were still available.
nmap -sV --script ssl-enum-ciphers -p 443 localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2023-01-19 10:24 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000042s latency).
rDNS record for 127.0.0.1: localhost.localdomain
PORT STATE SERVICE VERSION
443/tcp open ssl/http Apache httpd
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: strong
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.69 seconds
Does anyone have experience with it?
Thanks in advance.
Best regards,
Mizső
31 Jan 2023 01:29 PM - edited 31 Jan 2023 01:35 PM
Hello @Mizső
If I am not mistaken, you will have to change the configuration in the custom.properties file to exclude the unwanted ciphers.
Regards,
Babar
31 Jan 2023 02:22 PM
Hi @Babar_Qayyum,
The above-mentioned configuration changes were made in the CAG custom.properties file.
Best regards,
Mizső
31 Jan 2023 05:17 PM
Hello @Mizső
I pointed out the file after reading the statement "We always made a change in the CAG config.properties file."
I remember that I have already excluded weak or unwanted ciphers. I will check tomorrow to share with you the exact method.
Regards,
Babar
31 Jan 2023 05:57 PM
Hi @Babar_Qayyum,
It would be nice.
In my original post I made a typo. So we also made the change in the custom.properties file; we followed the documentation.
Best regards,
Mizső
01 Feb 2023 07:36 AM
Hello @Mizső
The following is configured in the custom.properties. Did you restart the cluster after the configuration?
[com.compuware.apm.webserver]
ssl-protocols = TLSv1.2
excluded-ciphers = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Regards,
Babar
01 Feb 2023 07:42 AM
Hi Babar,
Many thanks for your swift response.
There was a restart, but only at process level, not host level.
systemctl stop dynatracegateway
systemctl start dynatracegateway
I am going to try restarting the Cluster ActiveGate host after the configuration.
Best regards,
Mizső
02 Feb 2023 06:03 PM - edited 02 Feb 2023 06:03 PM
Hi @Babar_Qayyum,
It is solved. There was a problem with the affected AG. Somehow the client installed an Apache on this AG host beside the DT components. I did not expect this. There was no hardening on the Apache, that's why we saw the 3DES cipher suites with nmap. Finally the Apache has been disabled and the problem is solved... 😉
Thanks for your support.
Best regards,
Mizső
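The check below is an added example, not code from this thread or from Dynatrace. It ties together the two lessons of the thread: the original post's method of comparing the excluded-ciphers value against what nmap's ssl-enum-ciphers script reports, and the resolution, where the suites nmap saw came from an Apache that was also listening on the host, not from the ActiveGate. The script reads nmap output and prints every suite that is listed as excluded but still offered, and, when given a host argument, shows which process owns the port and probes one 3DES suite with openssl. The constructed nmap sample, the excluded list, the port 443 and the host argument are assumptions for illustration; the ss, openssl and nmap invocations use only their documented options.

```shell
#!/bin/sh
# Added example (not from the thread or Dynatrace): reconcile the configured
# excluded-ciphers list with what a scanner actually sees on the port, and find
# out which process is answering there before blaming the ActiveGate config.

# Constructed sample: a trimmed copy of the nmap ssl-enum-ciphers output shape.
SAMPLE_NMAP='PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Apache httpd
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong'

# Assumed excluded-ciphers value from custom.properties (the three 3DES suites).
EXCLUDED='TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA'

# Print every IANA suite name that nmap reported, sorted and de-duplicated.
# stdin: output of  nmap -sV --script ssl-enum-ciphers -p <port> <host>
list_suites() {
    awk '/^\|/ { for (i = 1; i <= NF; i++) if ($i ~ /^TLS_/) print $i }' | sort -u
}

# Print the suites that are on the excluded list but still offered by the server.
# $1: comma-separated excluded-ciphers value; stdin: nmap output.
# Any output here means the exclusion did not take effect on whatever answers the port.
still_offered() {
    excluded="$1"
    list_suites | while IFS= read -r suite; do
        case ",$excluded," in
            *",$suite,"*) echo "$suite" ;;
        esac
    done
}

# Show the socket owner for a listening TCP port. nmap's "Apache httpd" banner is a
# hint; the process that owns the socket is the ground truth. (lsof -i :PORT also works.)
listener_on_port() {
    ss -ltnp "sport = :$1" 2>/dev/null | awk 'NR > 1 { print $NF }'
}

# Probe one suite with openssl. OpenSSL uses its own names, so the IANA name must be
# mapped (TLS_RSA_WITH_3DES_EDE_CBC_SHA is DES-CBC3-SHA). Returns 0 if the handshake
# completed with that suite. If your openssl build has 3DES compiled out, the probe
# cannot succeed even against a server that offers it; nmap does not have that limit.
probe_suite() {
    host="$1"; port="$2"; openssl_name="$3"
    openssl s_client -connect "$host:$port" -tls1_2 -cipher "$openssl_name" </dev/null 2>/dev/null \
        | grep -q "Cipher is $openssl_name"
}

# Offline demonstration on the constructed sample.
echo "Excluded suites still offered in the sample scan:"
printf '%s\n' "$SAMPLE_NMAP" | still_offered "$EXCLUDED"

# Live checks only when a host is given, e.g.  sh check_ciphers.sh cag.example.com
if [ $# -ge 1 ]; then
    HOST="$1"; PORT="${2:-443}"
    echo "Process owning :$PORT on this host (run on the ActiveGate itself):"
    listener_on_port "$PORT"
    if probe_suite "$HOST" "$PORT" DES-CBC3-SHA; then
        echo "3DES still negotiable on $HOST:$PORT"
    else
        echo "3DES refused on $HOST:$PORT"
    fi
fi
```

On the thread's host the offline part would have printed the three 3DES suites, and listener_on_port would have shown httpd rather than the Dynatrace gateway, which is the point: the config was correct for the process it applied to, and the scanner was talking to a different one.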
03 Feb 2023 08:43 AM
For clients with important security needs, the list that @Julius_Loman compiled is awesome:
https://community.dynatrace.com/t5/Dynatrace-tips/Public-endpoint-for-the-Cluster-ActiveGate/td-p/20...
03 Feb 2023 08:49 AM
Hi @AntonioSousa,
Thanks very much. The link marked as favourite in my browser. 😉
Best regards,
Mizső