5.3 Advanced Security Topics

Open the Formula.custom.properties file in the Operations Center server, and uncomment and edit the following list to control cipher suites for all SSL connections (outside Apache Tomcat):

#com.mosol.ssl.enabledCipherSuites=\
# SSL_RSA_WITH_RC4_128_MD5,\
# SSL_RSA_WITH_RC4_128_SHA,\
# TLS_RSA_WITH_AES_128_CBC_SHA,\
# TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\
# TLS_DHE_DSS_WITH_AES_128_CBC_SHA,\
# SSL_RSA_WITH_3DES_EDE_CBC_SHA,\
# SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,\
# SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,\
# SSL_RSA_WITH_DES_CBC_SHA,\
# SSL_DHE_RSA_WITH_DES_CBC_SHA,\
# SSL_DHE_DSS_WITH_DES_CBC_SHA,\
# SSL_RSA_EXPORT_WITH_RC4_40_MD5,\
# SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,\
# SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,\
# SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,\
# SSL_RSA_WITH_NULL_MD5,\
# SSL_RSA_WITH_NULL_SHA,\
# SSL_DH_anon_WITH_RC4_128_MD5,\
# TLS_DH_anon_WITH_AES_128_CBC_SHA,\
# SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,\
# SSL_DH_anon_WITH_DES_CBC_SHA,\
# SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,\
# SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,\
# TLS_KRB5_WITH_RC4_128_SHA,\
# TLS_KRB5_WITH_RC4_128_MD5,\
# TLS_KRB5_WITH_3DES_EDE_CBC_SHA,\
# TLS_KRB5_WITH_3DES_EDE_CBC_MD5,\
# TLS_KRB5_WITH_DES_CBC_SHA,\
# TLS_KRB5_WITH_DES_CBC_MD5,\
# TLS_KRB5_EXPORT_WITH_RC4_40_SHA,\
# TLS_KRB5_EXPORT_WITH_RC4_40_MD5,\
# TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,\
# TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5

For connections to the Operations Center Dashboard, modify the dashboard server.xml file, which is located in the /OperationsCenter_Dashboard_install_path/server/config and /OperationsCenter_Dashboard_install_path/server/template directories, to include the ciphers wish.

For example:

<Connector port="7443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
ciphers="SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_WITH_NULL_MD5,TLS_KRB5_WITH_RC4_128
_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
keystoreFile="conf/keystore" keystorePass="formula"
URIEncoding="UTF-8" />

Stop and restart the Operations Center for the changes to take effect.

Open the Operations_Center_install_path/NOC/config/Formula.custom.properties file and set the following properties:

To control protocol versions for all SSL connections (outside Apache Tomcat), uncomment and edit the following list:

#com.mosol.ssl.enabledProtocols=\
# SSLv2Hello,\
# SSLv3,\
# TLSv1

Stop and restart the Operations Center for the changes to take effect.

Open the Operations_Center_install_path/NOC/config/Formula.custom.properties file and set the following properties:

The server certificate is checked to verify that it is trusted and active during the SSL handshake. A certificate validator extends the basic SSL certificate validation and ensures that the server certificate matches the hostname of the server that provided it..

To disable the default validation, set this property to NONE.

When client certificate authentication is enabled (sslWithClientAuth), the client certificate is checked to that it is trusted and active during the SSL handshake. A certificate validator extends the basic SSL certificate validation and ensures that the client certificate matches the hostname of the client that provided it.

To disable the default validation, set this property to NONE.

Stop and restart the Operations Center for the changes to take effect.

Set the following property in the Operations_Center_install_path/NOC/config/Formula.custom.properties file:

To configure this setting, precede the hostname or IP address of each CMS/dashboard server that accesses this interface with a plus sign (+), and separate the entries with a semicolon (;). For example:

mymo.rmi.acl=+devtower10;+qasun1;

Stop and restart the Operations Center for the changes to take effect.