Symptoms
Affected Products:
- Dell Security Management Server
- Dell Data Protection | Enterprise Edition
- Dell Security Management Server Virtual
- Dell Data Protection | Virtual Edition
Cause
Not Applicable
Resolution
- Dell Security Management Server
- Dell Security Management Server Virtual
During the initial Enterprise Edition install, after we have input the SQL hostname and database name, the following errors appear:
Dell Security Management Server
- Disable RC4/DES/3DES cipher suites in Windows using the registry, Group Policy Object (GPO), or local security settings.
- You can do this using GPO or Local Security Policy under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order.
- Set this policy to Enabled. Each cipher suite should be separated with a comma. Remove as needed based on the list below.
- To disable based on registry, reference this article:
- Modify the Compliance Reporter settings to only allow modern cipher suites at this location:
\Dell\Enterprise Edition\Compliance Reporter\conf\eserver.properties
- Set
eserver.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
- Save
- Modify the Console Web Services settings to only allow modern cipher suites at this location:
\Dell\Enterprise Edition\Console Web Services\conf\eserver.properties
Note: Starting in 9.2 the console web service is no longer present.
- Set
eserver.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
- Save
- Modify the Device Server settings to only allow modern cipher suites at this location:
\Dell\Enterprise Edition\Device Server\conf\spring-jetty.xml
- Update the list in this section to exclude the vulnerable cipher suites. A list of suggested cipher suites to exclude is given below.
- Save
- Modify the Security Server settings to only allow modern cipher suites at this location:
\Dell\Enterprise Edition\Security Server\conf\spring-jetty.xml
- Update the list in both sections to exclude the vulnerable cipher suites. A list of suggested cipher suites to exclude is given below.
- Save
- If Windows settings were changed, reboot the back-end DDP|E server. If Windows settings were not changed, stop all DDP|E Windows services, and then start the services again.
- Check for any stopped services.
- Test new endpoint activation.
- Test a Remote Management Console thick client (if TLS1.0 is enabled in Windows).
- Test the Silverlight Console.
Windows Secure Cipher Suites suggested inclusion list
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
Jetty Weak Cipher Suites suggested Exclusion list
<list>
  <value>SSL_RSA_WITH_RC4_128_MD5</value>
  <value>SSL_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</value>
  <value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</value>
  <value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</value>
  <value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</value>
  <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</value>
  <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</value>
  <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</value>
  <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</value>
  <value>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</value>
  <value>SSL_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDH_RSA_WITH_RC4_128_SHA</value>
  <value>SSL_RSA_WITH_RC4_128_MD5</value>
  <value>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>SSL_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</value>
</list>
Note: For more information, reference How to Disable TLS 1.0 and TLS 1.1 on Dell Security Management Server and Dell Security Management Server Virtual.
Dell Security Management Server Virtual
- Modify the Compliance Reporter settings to only allow modern cipher suites at this location:
/opt/dell/server/reporter/conf/eserver.properties
- Set
eserver.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
- Save
- Modify the Console Web Services settings to only allow modern cipher suites at this location:
/opt/dell/server/console-web-services/conf/eserver.properties
Note: Starting in 9.2 the console web service is no longer present.
- Set
eserver.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
- Save
- Modify the Device Server settings to only allow modern cipher suites at this location:
/opt/dell/server/security-server/conf/spring-jetty.xml
- Update the list in this section to exclude the vulnerable cipher suites. A list of suggested cipher suites to exclude is given below.
- Save
- Modify the Security Server settings to only allow modern cipher suites at this location:
/opt/dell/server/security-server/conf/spring-jetty.xml
- Update the list in both sections to exclude the vulnerable cipher suites. A list of suggested cipher suites to exclude is given below.
- Save
- Reboot the DDP | VE server.
- Check for any stopped services.
- Test new endpoint activation
- Test a Remote Management Console thick client (if TLS1.0 is enabled in Windows).
Note: For more information, reference How to Disable TLS1.0 and TLS1.1 on Dell Security Management Server and Dell Security Management Server Virtual.
Jetty Weak Cipher Suites suggested Exclusion list.
<list>
  <value>SSL_RSA_WITH_RC4_128_MD5</value>
  <value>SSL_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</value>
  <value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</value>
  <value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</value>
  <value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</value>
  <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</value>
  <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</value>
  <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</value>
  <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</value>
  <value>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</value>
  <value>SSL_RSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</value>
  <value>TLS_ECDH_RSA_WITH_RC4_128_SHA</value>
  <value>SSL_RSA_WITH_RC4_128_MD5</value>
  <value>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>SSL_RSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</value>
  <value>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</value>
</list>
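A post-change check for the eserver.properties and spring-jetty.xml edits described above, as an added example that is not part of the Dell article or Dell's tooling. It flags RC4/DES/3DES suites left in an eserver.ciphers allow list and, for each Jetty exclusion list in a file, reports which suggested suites are still missing. The function names, the sample inputs and the excludeCipherSuites property wrapper in the sample are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Families this article disables: RC4, DES and 3DES.
WEAK = re.compile(r"_(RC4|3?DES)")

def weak_allowed(properties_text):
    """Weak suites named in the eserver.ciphers allow list (None if unset)."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "eserver.ciphers":
            return [s.strip() for s in value.split(",") if WEAK.search(s)]
    return None

def cipher_lists(xml_text):
    """One set per <list> element that holds cipher suite names."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "list":   # ignore XML namespaces
            continue
        names = {(v.text or "").strip() for v in el}
        names = {n for n in names if n.startswith(("TLS_", "SSL_"))}
        if names:
            found.append(names)
    return found

def missing_exclusions(config_xml, suggested_xml):
    """Per exclusion list in the config, the suggested suites it lacks."""
    suggested = set().union(*cipher_lists(suggested_xml))
    return [sorted(suggested - have) for have in cipher_lists(config_xml)]

# Constructed sample inputs (not taken from a real server).
SAMPLE_PROPERTIES = """\
# constructed sample
eserver.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
"""
SUGGESTED = """<list><value>SSL_RSA_WITH_RC4_128_SHA</value>
<value>SSL_RSA_WITH_3DES_EDE_CBC_SHA</value></list>"""  # two page entries
SAMPLE_JETTY = """<beans>
 <property name="excludeCipherSuites"><list>
  <value>SSL_RSA_WITH_RC4_128_SHA</value>
  <value>SSL_RSA_WITH_3DES_EDE_CBC_SHA</value></list></property>
 <property name="excludeCipherSuites"><list>
  <value>SSL_RSA_WITH_RC4_128_SHA</value></list></property>
</beans>"""

if __name__ == "__main__":
    print("weak suites still allowed:", weak_allowed(SAMPLE_PROPERTIES))
    print("missing per list:", missing_exclusions(SAMPLE_JETTY, SUGGESTED))
```

Pass the full suggested exclusion `<list>` from this page as `suggested_xml` and the contents of each spring-jetty.xml as `config_xml`; an empty result for every list means all suggested suites are excluded.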