DataStax Help Center

How to disable RC4 cipher (and others) in OpsCenter 6

Summary

There are a number of TLS/SSL cipher suites and algorithms (RC4, MD5-based signatures, short Diffie-Hellman groups, SSLv3 itself) which the security community has deemed weak or insecure, and many enterprise shops have security policies which prohibit their use. OpsCenter 6 runs on the Java Virtual Machine, so the cipher suites its HTTPS listener offers are whatever the JRE enables by default; that default list, with its strengths and weaknesses, is therefore what you need to control.

Solution

Each JRE vendor ships a security properties file (located at JAVA_HOME/jre/lib/security/java.security on Java 8; from Java 9 onward it lives at JAVA_HOME/conf/security/java.security) that contains a list of disabled algorithms and cipher suites. The list differs depending on the version and vendor of the JRE being used (in fact, more recent builds of Oracle Java 8 already disable RC4). Fortunately, this list can be customized. The property is jdk.tls.disabledAlgorithms: a comma-separated list in which any cipher suite, key exchange, signature algorithm or protocol matching an entry is removed from what the JVM will negotiate. Here is an example that disables RC4 and a few others that are considered weak:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

Making the change in this file affects all Java apps that run on that JRE. In an enterprise environment with strict security policies this may be desirable. If it is not, or you do not have permission to modify the file, you can keep your own override file instead: copy just the properties you want to change (here, the jdk.tls.disabledAlgorithms line) into a file of your own, make sure the shipped java.security still has security.overridePropertiesFile=true (the default), and point the JVM at your file with the java.security.properties System property in the OPSC_JVM_OPTS environment variable, then restart opscenterd:

OPSC_JVM_OPTS=-Djava.security.properties=/some/path/my.security

Properties in the override file replace the entries of the same name in the shipped file; everything else is inherited. If you prefix the path with a second "=" (-Djava.security.properties==/some/path/my.security) the override file replaces the shipped file entirely, which is rarely what you want. Two things to be aware of: jdk.tls.disabledAlgorithms is a Security property, not a System property, so passing it directly as -Djdk.tls.disabledAlgorithms=... on the command line is silently ignored; and the java.security.manager / java.security.policy properties select the security manager's permission policy, which has nothing to do with cipher suites.

For more information on this file, its properties, and the file syntax, the comments and examples in the file itself are a good reference. You can also read more about Java security properties and the TLS implementation in the JSSE Reference Guide.
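Rather than trusting that the property took effect, verify it with the same JVM and the same override OpsCenter will use. The small program below is an added example, not part of this article or of OpsCenter; it prints the effective jdk.tls.disabledAlgorithms value and the cipher suites the JVM's default SSLContext will actually enable, and exits non-zero if any RC4, MD5 or anonymous-DH suite survives. The path /some/path/my.security and the list of forbidden markers are assumptions; adjust the markers to whatever your own policy forbids.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * CipherCheck: shows what a JVM will negotiate for TLS after java.security
 * (or a -Djava.security.properties override) has been edited.
 *
 * Run it with the same JRE and the same override OpsCenter uses, e.g.
 *   javac CipherCheck.java
 *   java -Djava.security.properties=/some/path/my.security CipherCheck   (path is an assumption)
 *
 * Exit status 0 means no forbidden suite is enabled; 1 means at least one is.
 */
public class CipherCheck {

    // Substrings of JSSE cipher suite names that the example policy in the
    // article is meant to remove. Assumption: extend for your own policy.
    private static final List<String> FORBIDDEN = Arrays.asList("_RC4_", "_MD5", "_anon_");

    /** True if the suite name contains any forbidden marker. */
    static boolean isForbidden(String suite) {
        for (String marker : FORBIDDEN) {
            if (suite.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Security.getProperty reads the security properties file (plus any
        // override), which is where jdk.tls.disabledAlgorithms actually lives.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // The default SSLContext is what an application gets unless it builds
        // its own; disabled algorithms are filtered out of its defaults.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        String[] enabled = defaults.getCipherSuites();

        System.out.println("Enabled protocols: " + Arrays.toString(defaults.getProtocols()));
        System.out.println(enabled.length + " cipher suites enabled by default:");

        int bad = 0;
        for (String suite : enabled) {
            boolean weak = isForbidden(suite);
            System.out.println((weak ? "  WEAK  " : "        ") + suite);
            if (weak) {
                bad++;
            }
        }

        if (bad > 0) {
            System.err.println(bad + " forbidden suite(s) still enabled; "
                    + "check java.security or the -Djava.security.properties override");
            System.exit(1);
        }
        System.out.println("OK: no forbidden cipher suites are enabled");
    }
}
```

Run it once without the -D flag to see the JRE's shipped defaults and once with it to confirm the override is being read; if the second run still lists RC4 suites, the usual causes are a typo in the path, security.overridePropertiesFile=false in the shipped file, or OpsCenter running a different JRE than the one on your PATH. This checks the JVM-wide defaults, which is exactly what jdk.tls.disabledAlgorithms constrains; an external confirmation against the live listener (for example, openssl s_client -cipher RC4 against the OpsCenter HTTPS port) is a good second step once opscenterd has been restarted.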
