(SA) Support Tip: How to control the encryption cipher list of SA agents

Server Automation agents 10.60 (and, through a rollup, 10.51) introduced a "cipherlist" argument that exposes the OpenSSL cipher string the agent uses, so you can restrict the cipher suites the agent will negotiate.

The new argument can be found in:

/etc/opt/opsware/agent/agent.args (for UNIX)

C:\Program Files\Common Files\Opsware\etc\agent\agentservice.args (for Windows)

and its default value differs between SA versions.

Changing cipherlist takes effect only after an agent restart.
To see which cipher names can go into the cipherlist argument, use the SA-provided openssl tool rather than the system one (add -v to the command to also print each suite's protocol version, key exchange, authentication, encryption and MAC):

$ /opt/opsware/bin/openssl ciphers

After the restart, run a few basic agent tests to confirm the agent still works.
Then use a scanning tool that reports which cipher suites the agent actually accepts; any such utility will do. One example is Mozilla's Cipherscan (nmap's ssl-enum-ciphers script, used in the comments below, is another):

https://github.com/mozilla/cipherscan

To verify that you have applied the settings, you can use the Web UI of the agent service:

https://<agent_IP>:1002/

but you need to be aware of two things:

* the agent requires a client certificate: import spin-developer.p12, located in /var/opt/opsware/crypto/spin/spin-developer.p12, into your browser
* your browser may not support, or may have disabled, every cipher you configured; if the handshake fails, Internet Explorer may come in handy here.

Bogomil Vasilev,
Engineer, Customer Support
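The procedure above, as an added example that is not code from the original post or from the SA product: a POSIX shell script that rewrites the cipherlist line in agent.args (keeping a backup), flags suites an auditor will reject (3DES, RC4, NULL, export grades, MD5 MACs, anonymous key exchange, and separately any non-AEAD CBC suite), and optionally probes a live agent on port 1002. It assumes the args file holds one key: value per line with cipherlist in the shape quoted in the suggested answer in the comments below (cipherlist: [ '...' ]); the agent restart step and the agent host are placeholders you supply.

```sh
#!/bin/sh
# Added example, not code from the original post or from the SA product:
# set and audit the "cipherlist" value in an SA agent args file.
# Assumptions (not confirmed by the page): the args file holds one
# "key: value" per line, and cipherlist takes the shape shown for the
# 2020.11 default, i.e.  cipherlist: [ 'SUITE:SUITE:...' ]
# Restarting the agent afterwards is left to the reader.

# Default list quoted from the 2020.11 agents: AEAD (GCM) only, no 3DES/RC4/CBC.
HARDENED='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384'

# Print the suites in a colon-separated OpenSSL cipher list that an auditor
# will flag: 3DES (DES-CBC3-*), single DES, RC4, NULL encryption, export
# grades, MD5 MACs and anonymous (ADH/AECDH) key exchange.
weak_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^$' \
        | grep -E '(^|-)(DES|RC4|NULL|EXP|MD5|ADH|AECDH)(-|$)' || true
}

# Print suites that are not AEAD (no GCM/CCM/CHACHA20), i.e. the CBC-mode
# suites that many current baselines also reject; the 2020.11 default has none.
non_aead_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^$' \
        | grep -Ev 'GCM|CCM|CHACHA20' || true
}

# Read the current cipherlist value as a bare colon-separated string.
get_cipherlist() {
    grep '^cipherlist:' "$1" | cut -d: -f2- | sed "s/[][' ]//g"
}

# Replace (or append) the cipherlist line, keeping a timestamped backup.
set_cipherlist() {
    file="$1"; list="$2"
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    grep -v '^cipherlist:' "$file" > "$file.tmp" || true
    printf "cipherlist: [ '%s' ]\n" "$list" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Ask a live agent whether it negotiates one suite (needs network and an
# openssl binary; the SA-provided one is assumed at /opt/opsware/bin).
# Prints the suite on success. If the agent demands a client certificate the
# handshake can still abort after the cipher is chosen, so treat
# nmap --script ssl-enum-ciphers as the authoritative record for an audit.
probe_cipher() {
    host="$1"; cipher="$2"; port="${3:-1002}"
    OPENSSL="${OPENSSL:-/opt/opsware/bin/openssl}"
    [ -x "$OPENSSL" ] || OPENSSL=openssl
    out=$("$OPENSSL" s_client -connect "$host:$port" -cipher "$cipher" </dev/null 2>/dev/null) || true
    case "$out" in
        *"Cipher is (NONE)"*) return 1 ;;
        *"Cipher is "*) printf '%s\n' "$cipher"; return 0 ;;
    esac
    return 1
}

# Stand-alone demo on a constructed scratch file, so running this never
# touches a real agent. Point ARGS_FILE at the real agent.args to apply.
if [ -z "$ARGS_FILE" ]; then
    ARGS_FILE=$(mktemp)
    printf "loglevel: INFO\ncipherlist: [ 'DES-CBC3-SHA:AES128-SHA:AES128-GCM-SHA256' ]\n" > "$ARGS_FILE"
fi
echo "before  : $(get_cipherlist "$ARGS_FILE")"
echo "flagged : $(weak_ciphers "$(get_cipherlist "$ARGS_FILE")" | tr '\n' ' ')"
echo "non-AEAD: $(non_aead_ciphers "$(get_cipherlist "$ARGS_FILE")" | tr '\n' ' ')"
set_cipherlist "$ARGS_FILE" "$HARDENED"
echo "after   : $(get_cipherlist "$ARGS_FILE")"
# Optional remote check once the agent has been restarted.
if [ -n "$AGENT_HOST" ]; then
    for c in $(printf '%s' "$HARDENED" | tr ':' ' '); do
        probe_cipher "$AGENT_HOST" "$c" || echo "rejected: $c"
    done
fi
```

Run it with ARGS_FILE unset for a dry run on the scratch file; on a managed server point ARGS_FILE at the real agent.args, restart the agent, then set AGENT_HOST from another machine to re-check. The probe only asks about the suites you pass it, so for an audit keep the nmap ssl-enum-ciphers output as posted in the comments below, which enumerates everything the agent accepts.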


  • We also ran the following command to test the agent on port 1002 for cipher and TLS version before and after making the change to agentservice.args:

    # nmap --script ssl-enum-ciphers -p 1002  <ip_of_managed_server>

    Starting Nmap 6.40 ( http://nmap.org ) at 2017-12-20 07:42 EST
    Nmap scan report for hostname.hello.com (ip_of_managed_server)
    Host is up (0.11s latency).
    PORT     STATE SERVICE
    1002/tcp open  windows-icfw
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
    |     compressors:
    |       NULL
    |_  least strength: strong

    Nmap done: 1 IP address (1 host up) scanned in 2.45 seconds

  • Please, could you add an example of the cipher parameter and options for the Windows and Unix agent configuration files?

    Checking the C:\Program Files\Common Files\Opsware\etc\agent\agentservice.args file, it doesn't have the ciphersuite configuration parameter.

    thanks in advance.

    Manuel.

  • Was this ever resolved?

    Have several Windows servers failing a security audit because of port 1002 and the 3DES cipher still in use by Opsware. Can this be corrected on a Windows server, and what changes need to be made to do so?

  • Suggested Answer

    Hi William,

    What version of SA agents are you running?

    We made the cipherlist configurable [via agentservice.args] in the SA agents back in 2017. Support for this was rolled out to SA agents starting with version 10.51 at the time, however some older ciphers were left in the default list for backwards compatibility.

    Our current list of default ciphers on the 2020.11 SA agents is:

    cipherlist: [ 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384' ]