How to modify ciphers that are used in GroupWise Mobility Service

  • 7016396
  • 06-Apr-2015
  • 03-Oct-2018

Environment

Novell GroupWise Mobility Service 2014 R2
Novell GroupWise Mobility Service 2.1

Situation

Modify the ciphers that GroupWise Mobility uses
Need to modify ciphers for PCI compliance
Disable RC4 ciphers in Mobility
Security scans report that RC4 ciphers are enabled

Resolution

  1. Stop Mobility by typing rcgms stop
  2. Modify configengine.xml to add the necessary configuration
    • Navigate to /etc/datasync/configengine
    • Edit configengine.xml
    • Inside the <config><configengine> section, add the block below
         <sslConfig>
                <excludeMethods></excludeMethods>
                <includeCiphers>X</includeCiphers>
          </sslConfig>

      Note: This can be placed near the bottom of the file, just above </configengine>
  3. Replace X with the colon-separated list of OpenSSL cipher suite names that Mobility should offer. Use the exact names known to the OpenSSL build on the server (see Additional Information); a list that still contains an RC4 suite will leave the scan finding open

    Example of an entry that disables the weak RC4 ciphers (no RC4, RC2, single DES or export-grade suite appears in the list):


    <sslConfig>
    <excludeMethods></excludeMethods>
    <includeCiphers>DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:ECDHE-RSA-AES128-SHA:ECDH-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA</includeCiphers>
    </sslConfig>

    Note: The list above still offers the 3DES suites (DES-CBC3-SHA and its ECDH/EDH variants). Many scanners flag those as well; remove them too if the scan requires it and the mobile devices in use support AES.


  4. Start Mobility by typing rcgms start
  5. Verify that an acceptable cipher is negotiated by checking the Cipher line returned by whichever of the commands below matches the SSL/TLS method(s) enabled on the server (a handshake that fails at one version while the others succeed means that version is not enabled on the server):
    • openssl s_client -connect gms_fqdn:443 -tls1 for TLSv1
    • openssl s_client -connect gms_fqdn:443 -tls1_1 for TLSv1.1
    • openssl s_client -connect gms_fqdn:443 -tls1_2 for TLSv1.2

    Note: To change the SSL/TLS method(s) in use, see TID 7021088
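Step 5 only shows the suite the server picks by default at each version; a security scanner instead offers the weak suites one at a time and reports every one the server accepts. The script below, added here as an example and not part of the TID or of the GroupWise Mobility product, does both. It assumes openssl(1) is on the PATH and takes the server name and an optional port as arguments; the file name gms-cipher-probe.sh is an arbitrary choice.

```shell
#!/bin/sh
# gms-cipher-probe.sh: automate step 5 of the TID and go one step further.
# Added example, not code from the TID or from GroupWise Mobility Service.
# Assumes openssl(1) is on the PATH; host name and port (default 443) come
# from the command line:  sh gms-cipher-probe.sh gms.example.com 443
# It prints the suite negotiated at each TLS version, then offers the server
# every RC4/export/single-DES/NULL suite this OpenSSL build can still speak
# and reports any the server accepts, which is what a scanner does.

# Classify a suite by its OpenSSL name: "weak" for RC4, RC2, export grade,
# single DES, NULL, anonymous and MD5 suites; "3des" for triple DES (kept in
# the TID's list, but flagged by most scanners); "ok" for everything else.
suite_class() {
    case "$1" in
        *RC4*|*RC2*|EXP-*|*-DES-CBC-*|DES-CBC-*|*NULL*|ADH-*|AECDH-*|*-MD5) echo weak ;;
        *DES-CBC3*) echo 3des ;;
        *) echo ok ;;
    esac
}

# Read s_client output on stdin and print the suite from its "Cipher    : NAME"
# line. Returns 1 when nothing was negotiated: on a failed handshake OpenSSL
# prints 0000 or (NONE) there, depending on version.
negotiated_cipher() {
    c=$(sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    case "$c" in
        ''|0000|'(NONE)') return 1 ;;
        *) printf '%s\n' "$c" ;;
    esac
}

# One handshake against host:port with extra s_client options; prints the
# negotiated suite, or nothing (exit 1) if the handshake failed.
probe() {
    host=$1; port=$2; shift 2
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null | negotiated_cipher
}

main() {
    host=${1:?usage: $0 gms_fqdn [port]}
    port=${2:-443}

    echo "Negotiated suite per protocol version (step 5 of the TID):"
    for v in tls1 tls1_1 tls1_2; do
        if c=$(probe "$host" "$port" "-$v"); then
            echo "  $v: $c [$(suite_class "$c")]"
        else
            echo "  $v: handshake failed (version not enabled, or not supported by this openssl client)"
        fi
    done

    echo "Weak suites offered one at a time; ACCEPTED entries must go from includeCiphers:"
    weak=$(openssl ciphers 'RC4:EXP:DES:aNULL:eNULL' 2>/dev/null | tr ':' ' ')
    [ -n "$weak" ] || echo "  (this openssl build ships no weak suites; run the probe from the SLES server itself)"
    for s in $weak; do
        # The negotiated suite must be the one offered: a TLS 1.3-capable client
        # could otherwise connect with a 1.3 suite and produce a false ACCEPTED.
        if c=$(probe "$host" "$port" -cipher "$s") && [ "$c" = "$s" ]; then
            echo "  ACCEPTED $s"
        else
            echo "  rejected $s"
        fi
    done
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it from the SLES server itself or from another box with an OpenSSL 1.0.x build: OpenSSL 1.1.0 and later leave RC4 and the export suites out of default builds, so a modern client cannot offer them and the script says so instead of reporting a misleading "rejected". An ACCEPTED line is conclusive; a rejected line only means this client and server found no common weak suite.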

Additional Information

To list every cipher suite the OpenSSL build on SLES supports, together with its protocol, key exchange, authentication, encryption and MAC, use the command openssl ciphers -v. The names placed in includeCiphers should come from this list.

If the goal is to resolve a security finding, it is suggested to first upgrade to the latest version, GroupWise Mobility Service 2014 R2 Support Pack 2 Hot Patch 1 (at the time of this edit), which contains several security fixes.



If running GMS 2.0.1, a security patch that addresses this issue can be found here.  Again, upgrading to the latest version is suggested.  If further changes are needed to address cipher concerns (RC4, etc.), the following steps can be followed for GMS 2.0.1
  1. Navigate to /etc/datasync/configengine/engines/default/pipelines/pipeline1/connectors/mobility/ and edit connector.xml
  2. Insert the following entries after the <ssl>1</ssl> line (the list below omits the RC4, RC2, single DES and export-grade suites; as above, the 3DES suites remain and may also need to be removed if the scan reports them)
    <sslMethod>4</sslMethod>
    <sslCiphers>DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA:ECDH-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:ECDHE-RSA-AES128-SHA:ECDH-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:CAMELLIA128-SHA</sslCiphers>
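Both edits on this page, the includeCiphers element in configengine.xml for 2014 R2 / 2.1 and the sslCiphers element in connector.xml for 2.0.1, take a colon-separated list of OpenSSL suite names, and a list that still contains an RC4 or export suite keeps the finding open after the restart. The script below, an added example rather than anything shipped with the TID or with Mobility, pulls the list out of either file, reports the entries a scanner would flag and the entries the local OpenSSL does not recognise, and prints a cleaned list ready to paste back before the service is started again. It assumes openssl(1) is on the PATH; the file name gms-cipher-lint.sh is arbitrary.

```shell
#!/bin/sh
# gms-cipher-lint.sh: check a Mobility cipher list before restarting the service.
# Added example, not code from the TID or from GroupWise Mobility Service.
# Usage: sh gms-cipher-lint.sh /etc/datasync/configengine/configengine.xml
#    or: sh gms-cipher-lint.sh .../connectors/mobility/connector.xml
# Assumes openssl(1) is on the PATH (only needed for the "unknown" check).

# True for suites a security scan reports: RC4, RC2, export grade, single DES,
# NULL encryption/authentication, anonymous key exchange and MD5 MACs.
# Triple DES (DES-CBC3) is deliberately left alone to match the TID's lists;
# add *DES-CBC3* to the first pattern if the scan reports 3DES as well.
is_weak_suite() {
    case "$1" in
        *RC4*|*RC2*|EXP-*|*-DES-CBC-*|DES-CBC-*|*NULL*|ADH-*|AECDH-*|*-MD5) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the colon-separated list from the XML on stdin: the first
# <includeCiphers> (configengine.xml) or <sslCiphers> (connector.xml) element,
# which the TID writes with the whole value on one line.
cipher_list_from_xml() {
    sed -n -e 's/.*<includeCiphers>\([^<]*\)<\/includeCiphers>.*/\1/p' \
           -e 's/.*<sslCiphers>\([^<]*\)<\/sslCiphers>.*/\1/p' | head -n 1
}

# Print the weak entries of a colon-separated list, one per line.
weak_entries() {
    for s in $(printf '%s' "$1" | tr ':' ' '); do
        is_weak_suite "$s" && printf '%s\n' "$s"
    done
    return 0
}

# Print the list with the weak entries removed, still colon separated.
clean_cipher_list() {
    out=
    for s in $(printf '%s' "$1" | tr ':' ' '); do
        is_weak_suite "$s" || out="${out:+$out:}$s"
    done
    printf '%s\n' "$out"
}

# Print the entries the local OpenSSL build does not know (a typo, or a suite
# this build no longer ships). Run on the SLES server for an authoritative answer.
unknown_entries() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 0; }
    for s in $(printf '%s' "$1" | tr ':' ' '); do
        openssl ciphers "$s" >/dev/null 2>&1 || printf '%s\n' "$s"
    done
    return 0
}

main() {
    file=${1:?usage: $0 configengine.xml|connector.xml}
    list=$(cipher_list_from_xml <"$file")
    [ -n "$list" ] || { echo "no <includeCiphers>/<sslCiphers> element found in $file" >&2; exit 2; }
    cleaned=$(clean_cipher_list "$list")
    echo "Weak entries (remove these):";           weak_entries "$list" | sed 's/^/  /'
    echo "Entries unknown to the local openssl:";  unknown_entries "$cleaned" | sed 's/^/  /'
    echo "Cleaned list (paste into <includeCiphers> or <sslCiphers>):"
    echo "  $cleaned"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it between step 2 and step 4 of the procedure (before rcgms start); a non-empty "Weak entries" section means the restart would leave the scan finding in place. Because the weak-suite test works on names alone, it does not depend on which OpenSSL version is installed; only the "unknown" check does, which is why that one should be run on the Mobility server itself.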