How to disable an encryption cipher on the CSA (Cloud Service Appliance)

Version 10

    Verified Product Versions

    Endpoint Manager 9.6, Endpoint Manager 2016.x, Endpoint Manager 2017.x, Endpoint Manager 2018.x

    Issue:

    A security administrator would like to disable a specific cipher on the CSA because internal vulnerability scans may have identified it as undesired. 3DES on port 443 is commonly flagged (see the full example at the bottom).

     


     

    General Solution:

    (Make sure you copy your existing encryption cipher string to an external document in case you need to revert. Modifying the ciphers could cause communication from the core to Ivanti agents to be lost.)

    1) While logged into the Cloud Service Appliance, go to Gateway Service Configuration > Encryption Ciphers. Comment out the cipher by placing a "!" (without the quotes) at the beginning of each entry in the string that names the offending cipher. (See the example below.)

    2) Save changes

    3) Remove the self-signed certificate

    • Click Manage LDMG Certificate in the left column
    • Locate any self-signed certificates and remove them. (They will rebuild themselves on reboot)

    4) Reboot the CSA

     

     

    Recommended Ciphers:

    EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DSS:!MD5:!PSK:!RC4:!ADH:!IDEA

     

     

    Full Example:

    How to comment out 3DES on port 443:

     

    LANDesk's default encryption cipher (CSA ver. 176-182):

    EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DSS:!MD5:!PSK:!RC4:!ADH:!IDEA

     

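    Edited encryption cipher: (Notice the exclamation marks, shown in red in the original article. There should be 3 in total added by the administrator to comment out 3DES: before ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA and DES-CBC3-SHA.)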

    EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DSS:!MD5:!PSK:!RC4:!ADH:!IDEA
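    The edit above can be generated and checked before it is pasted into the CSA. The script below is an added example, not part of the original article or any Ivanti tooling. It assumes the Encryption Ciphers field follows OpenSSL cipher-list syntax (which the strings on this page match); the function names are hypothetical, and the expansion check uses the OpenSSL build of the machine running the script, not the appliance's.

```python
import ssl

# Default CSA cipher string (CSA ver. 176-182), copied from this page.
CSA_DEFAULT = (
    "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:"
    "DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:"
    "AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:"
    "DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DSS:!MD5:!PSK:!RC4:!ADH:!IDEA"
)

def disable(cipher_string, needle):
    """Prefix '!' to every still-enabled entry whose name contains `needle`.
    Returns (edited_string, names_changed); entries keep their position."""
    out, changed = [], []
    for tok in cipher_string.split(":"):
        name = tok.lstrip("!-+")          # strip any existing list operator
        if needle in name and not tok.startswith("!"):
            changed.append(name)
            tok = "!" + name
        out.append(tok)
    return ":".join(out), changed

def enabled_matches(cipher_string, needle):
    """String-level check: entries containing `needle` that are not excluded."""
    return [t for t in cipher_string.split(":")
            if needle in t and not t.startswith(("!", "-"))]

def expanded_matches(cipher_string, needle):
    """Expand the string with the local OpenSSL and list the resulting suites
    containing `needle`. This catches suites pulled in by aliases such as
    HIGH. Assumption: the local build only approximates the appliance's."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if needle in c["name"]]

if __name__ == "__main__":
    edited, changed = disable(CSA_DEFAULT, "DES-CBC3")
    print("Entries disabled:", changed)
    print("Paste into CSA:  ", edited)
    print("Still enabled (string check):", enabled_matches(edited, "DES-CBC3"))
    print("Still offered (local OpenSSL):", expanded_matches(edited, "DES-CBC3"))
```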