Server Automation agents gained a new feature in 10.60, backported to 10.51 via a rollup: the "cipherlist" argument, which lets us control the cipher suites the agent uses.
The new argument can be found in:
/etc/opt/opsware/agent/agent.args (for UNIX)
C:\Program Files\Common Files\Opsware\etc\agent\agentservice.args (for Windows)
and its default value should differ depending on the corresponding SA version.
After modifying the cipherlist value, an agent restart is required.
To list the ciphers that can potentially go in the cipherlist argument, use the SA-provided openssl tool:
$ /opt/opsware/bin/openssl ciphers
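Before writing a candidate string into the cipherlist argument, it helps to expand it with `openssl ciphers -v` and review what it actually enables. The script below is an added example, not part of the original article or of SA itself; the function names, the rejection policy (RC4, DES/3DES, no encryption, anonymous authentication, MD5 MACs, export-grade suites, SSLv2) and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not SA tooling. Function names and the "weak" policy are assumptions.
OPENSSL="${OPENSSL:-/opt/opsware/bin/openssl}"   # SA-provided binary named in this article

# flag_weak: reads `openssl ciphers -v` lines on stdin and prints
# "SUITE: reasons" for each suite the assumed policy rejects.
flag_weak() {
    awk '{
        reason = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Enc=(None|RC4|RC2|3DES|DES)/) reason = reason " weak-enc:" substr($i, 5)
            if ($i ~ /^Au=None/) reason = reason " anonymous"
            if ($i ~ /^Mac=MD5/) reason = reason " md5-mac"
            if ($i == "export")  reason = reason " export-grade"
        }
        if ($2 == "SSLv2") reason = reason " sslv2"
        if (reason != "") print $1 ":" reason
    }'
}

# audit_cipherlist: expands a candidate cipherlist string and flags weak suites.
# Returns 0 if nothing is flagged, 1 if suites are flagged, 2 if openssl rejects the string.
audit_cipherlist() {
    expanded=$("$OPENSSL" ciphers -v "$1") || return 2
    flagged=$(printf '%s\n' "$expanded" | flag_weak)
    [ -z "$flagged" ] && return 0
    printf '%s\n' "$flagged"
    return 1
}

# Constructed sample of `openssl ciphers -v` output, used when no argument is given.
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'

if [ $# -gt 0 ]; then
    audit_cipherlist "$1"          # e.g. ./audit.sh 'HIGH:!aNULL:!MD5'
else
    printf '%s\n' "$SAMPLE" | flag_weak
fi
```

An empty result from `audit_cipherlist` means the expanded list contains none of the flagged suites; it does not replace scanning the running agent after the restart.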
After modifying the list, restart the agent and run a few basic tests.
Afterwards, it would be wise to use a scanning tool that can report the active cipherlist which the agent currently supports. You may use whatever utility you prefer for such scans. One example of such a tool is Mozilla's Cipherscan tool:
To verify that you have applied the settings, you can use the Web UI of the agent service:
but you need to be aware of two things:
* you will need spin-developer.p12, located in /var/opt/opsware/crypto/spin/spin-developer.p12
* you may hit a cipher that your browser doesn't support or has disabled. Internet Explorer may come in handy here.
Engineer, Customer Support