Configuring protocols and ciphers for zones 2 and 3

This procedure describes how to configure SSL connections for zones 2 and 3 to work with specific protocols and ciphers.

NOTE: BMC recommends to use the TLSv1.2 protocol on all your components, as it is much more secure than the deprecated SSLv3, and TLSv1.0 protocols.

For each SSL connection, the same protocols and ciphers must be configured on both components that acts as the client and server for the connection.

To use more than one cipher, use a space to separate them.

To configure protocols and ciphers for zones 2 and 3:

1. For each connection, run the following command on both the client and server computers:

   openssl ciphers -V

   The ciphers that appear on both computers can be used for the connection.

2. Filter for the allowed ciphers according to the secured protocol, by running the following commands:
   • openssl ciphers -V TLSv1.2
   • openssl ciphers -V SSLv3
   • openssl ciphers -TLS 1.0
3. Do one of the following:
   • UNIX: Edit the relevant policy file, as described UNIX environment.
   • Windows: Edit the relevant policy file, as described in Microsoft Windows environment.
4. Edit the provider_options field, as follows:
   1. SSLProtocol=<desired protocol>, where <desired protocol> can be one or more of the following protocols:
      • * TLS1_2
      • * TLS1
      • * SSLv3
   2. After the last specified protocol, add a comma (,), and then the cipher suite specifier.

      For TLS1_2 protocol, the cipher suite specifier is TLSCipherSuite=. For SSLv3, and TLS1 protocols, the cipher suite specifier is SSLV3CipherSuite=. Then, specify the list of ciphers exactly as they appear in the available cipher list above.

      The cipher suite specifier and list of ciphers must be specified for each specified protocol.

5. Verify in Control-M/Server and Control-M/Agent that the opensslciphers2java.txt file includes the cipher name with the mapping of openssl to java ciphers names by running the following command:

   openssl ciphers -stdname | grep <cipher name>

6. Restart the relevant component.

   EXAMPLE:

   • TLS1_2 protocol: provider_options=SSLProtocol=TLS1_2,TLSCipherSuite=ECDH-RSA-AES256-SHA384 ECDH-RSA-AES256-GCM-SHA384
   • TLS1 protocol: provider_options=SSLProtocol=TLS1,SSLV3CipherSuite=DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA
   • SSLv3 protocol: provider_options=SSLProtocol=SSLv3,SSLV3CipherSuite=DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA

   NOTE:

   • Several protocols and cipher suites can be configured in the server section, while only one protocol and cipher suite can be configured in the client section.
   • Before defining the client side for the connection between Control-M/Agent and remote hosts, see Modifying SSL configuration between Control-M/Agent and Remote hosts.
   • All ciphers with SHA256 can be used only with TLS1_2 protocol.
   • If you work on a Control-M/Server installed on AIX and you plan to use Advanced Encryption Standard (AES) ciphers, you must configure the system to work with the TLS1 SSL protocol.