How To Disable SSLv3 on TPD servers on Performance Intelligence Center (PIC)

Asset ID:	1-71-2196837.1
Update Date:	2016-10-26
Keywords:

Solution Type Technical Instruction Sure

Solution 2196837.1 : How To Disable SSLv3 on TPD servers on Performance Intelligence Center (PIC)

Applies to:

Oracle Communications Performance Intelligence Center (PIC) Software - Version 10.2.0 and later
Information in this document applies to any platform.

Goal

On TPD servers with Performance Intelligence Center (PIC) application the httpd and openssl packages are installed even if they are not used.

Per default configuration the SSLv3 protocol is active even if it cannot be used as httpd is disabled.

THis KM explains how to disable SSLv3.

Solution

Procedure:

Login as admusr on the IMF server
Edit /etc/httpd/conf.d/ssl.conf with the following commad:
sudo vim /etc/httpd/conf.d/ssl.conf
Replace the following line: "SSLProtocol all -SSLv2" with "SSLProtocol -all +TLSv1"
Replace the following line: "SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES" with "SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv3:RC4+RSA:+HIGH+MEDIUM"
Save and exit vim with :x!
Reboot the server

Note that the command "openssl ciphers -v | awk '{print $2}' | sort | uniq" will still list SSLv3 in the results as it is not meant to provide the active ciphers but only the ones supported by the openssl release installed on the system.

As http is not running and is disabled, the sslv3 cannot be used and with the modifications described above it is disabled even if httpd was started.

Attachments

This solution has no attachment