Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
Solution Type: Technical Instruction Sure
Solution 2198093.1 : Disabling Ciphers on Exadata, SuperCluster and ZFS Storage Appliances

Steps to disable the ciphers on Exadata compute and cell storage nodes
Created from <SR 3-13437262781>

Applies to:
Exadata X6-2 Hardware - Version All Versions to All Versions [Release All Releases]
Exadata Database Machine X2-8 - Version All Versions to All Versions [Release All Releases]
Exadata X3-2 Hardware - Version All Versions to All Versions [Release All Releases]
Exadata X4-2 Hardware - Version All Versions to All Versions [Release All Releases]
Exadata X5-2 Hardware - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.

Goal
Provide steps to disable ciphers on Exadata compute and cell storage nodes, SuperCluster compute nodes and ZFS Storage Appliances. These steps are especially useful when a security scan has detected a weak cipher vulnerability. For information on disabling weak ciphers in Enterprise Manager, see Doc ID 1477287.1 (Enterprise Manager 12c) and Doc ID 2138391.1 (Enterprise Manager 13c).

Solution

Exadata Compute and Storage Nodes
The following steps can also be accomplished on Exadata Storage Server nodes in a SuperCluster.
1. Log in to the node as root.
2. Issue the following command to list the currently available ciphers.
    /opt/oracle.cellos/host_access_control sshciphers -s
If the target cipher is not in the returned results, go to step 5. If the target cipher is listed in the results, go to step 3.
3. Use the host_access_control command to disable the target cipher. The following example disables the arcfour cipher:
    /opt/oracle.cellos/host_access_control sshciphers --both --disable --ciphers=arcfour
4. Check the list of ciphers again as in step 2. If the target cipher is not in the returned results, go to step 5. If the target cipher is still listed in the results, then something is not working correctly. Open a Service Request with Oracle Support to have the problem resolved.
5. Repeat steps 1 through 4 for each node.
After accomplishing the above steps it is important to test the configuration thoroughly, especially if EM monitoring is in use with storage cells, as it uses SSH user equivalence to obtain cell information (via cellmonitor). If any problems are caused by the removal of a cipher, reverse the removal, then open a Service Request with Oracle Support to have the issue resolved. The following example enables the arcfour cipher:
    /opt/oracle.cellos/host_access_control sshciphers --both --enable --ciphers=arcfour
See internal Doc ID 1600288.1 for more details on using host access control.

SuperCluster Compute Nodes
Accomplish the following steps in all domains/zones where applicable.
1. Log in to the node as root.
2. Edit the /etc/ssh/sshd_config file.
3. Locate the line that defines the available ciphers. For example:
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,arcfour,3des-cbc,blowfish-cbc
4. Remove the desired cipher. For example, to remove the arcfour cipher, change the Ciphers line from
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,arcfour,3des-cbc,blowfish-cbc
to
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,blowfish-cbc
5. Save the file.
6. Restart the ssh service.
    svcadm restart ssh
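
The edit in steps 3 and 4 above, as an added shell example that is not part of the Oracle document: a hypothetical helper, remove_cipher, drops one exact cipher name from the Ciphers line and refuses to produce an empty list. The function names, the temporary paths and the sample file are assumptions; the sample is constructed around the Ciphers line quoted in step 3.

```shell
#!/bin/sh
# Added example (not Oracle's procedure): remove one cipher from the Ciphers
# line of an sshd_config-style file without hand-editing the list.

# remove_cipher FILE CIPHER  (hypothetical helper)
#   Prints the edited configuration on stdout; FILE itself is not modified.
#   Exit status: 0 = cipher removed
#                1 = cipher was not listed (nothing to change)
#                2 = no active Ciphers line, or removal would leave it empty
remove_cipher() {
    awk -v target="$2" '
        # sshd_config keywords are case-insensitive; commented-out lines
        # ("#Ciphers ...") have a different first field and are left alone.
        tolower($1) == "ciphers" {
            seen = 1
            n = split($2, list, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                if (list[i] == target) { found = 1; continue }
                out = (out == "" ? list[i] : out "," list[i])
            }
            # Never emit an empty list: keep the original line and flag it.
            if (out == "") { empty = 1; print; next }
            print $1 " " out
            next
        }
        { print }
        END { if (!seen || empty) exit 2; if (!found) exit 1 }
    ' "$1"
}

# Constructed sample input: the Ciphers line quoted in step 3 plus two
# made-up surrounding lines. A real run would work on a copy of
# /etc/ssh/sshd_config.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real sshd_config
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,arcfour,3des-cbc,blowfish-cbc
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/sshd_config"
if remove_cipher "$tmp/sshd_config" arcfour > "$tmp/sshd_config.new"; then
    diff "$tmp/sshd_config" "$tmp/sshd_config.new" || :   # diff exits 1 when the files differ
fi
rm -rf "$tmp"
```

On the node, the reviewed output would replace /etc/ssh/sshd_config after a backup copy is taken, followed by the svcadm restart ssh of step 6.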

ZFS Storage Appliances
1. Ensure the ZFS Storage Appliance is on AK Release 2013.1.7.8 or higher. If not on AK Release 2013.1.7.8 or higher, the firmware must be updated before ciphers can be disabled. Refer to Doc ID 2021771.1 for update instructions.
2. Apply the Solution detailed in Doc ID 2334980.1.

Attachments
This solution has no attachment