Enable TLS 1.2 strong cipher suites

Only applies to on-premises installations of Deep Security Manager.

This page describes how to update the Deep Security Manager, Deep Security Agent and Deep Security Relay so that they use the TLS 1.2 strong cipher suites. These cipher suites have an Advanced+ (A+) rating. The four suites involved are TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256; they are the suites that appear in the nmap verification output and in the ciphers property shown on this page.

Enabling strong cipher suites involves upgrading all your Deep Security components to 10.0 Update 16 or a later update. If this is not possible, for example because you are using operating systems for which a 10.0 Update 16 agent is not available, see instead Use TLS 1.2 with Deep Security.

Step 1: Update Deep Security components

Step 2: Run a script to enable TLS 1.2 strong cipher suites

Step 3: Verify that the script worked

Disable TLSv1.2 strong cipher suites

Update Deep Security components

Make sure you update all components in the order listed below or else the agents will not be able to communicate with the relays and manager.

  1. Update all your manager instances to 10.0 Update 16 or a later update. For upgrade instructions, see Deploy Deep Security.
  2. Update all your relays to 10.0 Update 16 or a later update. To upgrade a relay, follow the same process as upgrading an agent:
    1. Import the latest relay software into the manager, either manually or automatically. See Update Deep Security software for details.
    2. Upgrade the relay:
  3. Update all your agents to 10.0 Update 16 or a later update. To upgrade your agents:
    1. Import the latest agent software into the manager, either manually or automatically. See Update Deep Security software for details.
    2. Upgrade your Deep Security Agents:

Run a script to enable TLS 1.2 strong cipher suites

  1. Copy the EnableStrongCiphers.script file available at https://github.com/deep-security/ops-tools/tree/master/deepsecurity/manager to:
    • On Windows: <Manager_root>\Scripts
    • On Linux: <Manager_root>/Scripts

    where <Manager_root> is replaced with the path to your manager's installation directory, by default:

    • C:\Program Files\Trend Micro\Deep Security Manager (Windows)
    • /opt/dsm/ (Linux)

    If there is no Scripts directory under <Manager_root>, create it.

  2. Log in to the manager.
  3. Click Administration at the top.
  4. On the left, click Scheduled Tasks.
  5. In the main pane, click New. The New Scheduled Task Wizard appears.
  6. From the Type drop-down list, select Run Script. Select Only Once. Click Next.
  7. Accept the date, time, and time zone defaults and click Next.
  8. For the Script, select EnableStrongCiphers.script. Click Next.
  9. For the Name, enter a name for the script, for example, Enable Strong Cipher Suites. Make sure Task Enabled is selected. Click Run Task on 'Finish'. Click Finish.

    The script runs.

  10. Restart the Deep Security Manager service.

    Your agents, relays, and manager should now be communicating with each other using TLSv1.2 strong cipher suites exclusively.

Verify that the script worked

To verify that the script worked, and that only strong TLS 1.2 cipher suites are permitted, run nmap's ssl-enum-ciphers script against the listening port of each component type: the manager (port 4119), a relay (port 4122) and an agent (port 4118). Run it from a host that can reach those ports. In each case the report should show TLSv1.2 as the only protocol, with only the four strong suites listed under it.

Verify the manager using nmap

Run this command:

nmap --script ssl-enum-ciphers -p 4119 <Manager_FQDN>

The output should look similar to the following, with the strong cipher suites near the middle:

Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-14 09:51 EST
Nmap scan report for <DSM FQDN> (X.X.X.X)
Host is up (0.0049s latency).
PORT     STATE SERVICE
4119/tcp open  assuria-slm
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256k1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256k1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256k1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256k1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 6.82 seconds

Verify the relays using nmap

Run this command:

nmap --script ssl-enum-ciphers -p 4122 <Relay_FQDN>

The output should look similar to the following, again, with the strong cipher suites listed near the middle:

Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-14 09:49 EST
Nmap scan report for <DSR FQDN> (X.X.X.X)
Host is up (0.0045s latency).
PORT     STATE SERVICE
4122/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 31.02 seconds

Verify the agents using nmap

Run this command:

nmap --script ssl-enum-ciphers -p 4118 <Agent_FQDN>

The output looks similar to the following:

Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-14 09:50 EST
Nmap scan report for <DSA FQDN> (X.X.X.X)
Host is up (0.0048s latency).
PORT     STATE SERVICE
4118/tcp open  netscript
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 2.72 seconds
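The three nmap checks above are easy to read once, but a deployment has many relays and agents. The following shell script, added to this page as an example and not a Trend Micro tool, turns the check into a pass/fail result: it parses an nmap ssl-enum-ciphers report and fails unless TLSv1.2 is the only protocol section and every listed suite is one of the four strong suites this page configures. The host name, IP address and the two embedded reports are constructed for the demonstration; the "before" report shows what a not-yet-upgraded manager that still offers TLS 1.0 and an RSA/3DES suite could look like.

```shell
#!/bin/sh
# Added example, not a Trend Micro tool: pass/fail check of an nmap
# ssl-enum-ciphers report for a manager (4119), relay (4122) or agent (4118).
# Passes only if TLSv1.2 is the sole protocol section and every suite is one
# of the four strong suites EnableStrongCiphers.script configures.

STRONG_SUITES='TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'

# check_report: nmap report text on stdin; returns 0 only if the listener is clean.
check_report() {
  report=$(cat)
  status=0

  # Protocol headers look like "|   TLSv1.2:" (weak stacks also show SSLv3:,
  # TLSv1.0:, TLSv1.1:). Anything other than exactly TLSv1.2 fails.
  protocols=$(printf '%s\n' "$report" |
    awk '/^[|][| ]*(SSLv[23]|TLSv1(\.[0-9])?):/ { sub(/^[|][| ]*/, ""); sub(/:.*/, ""); print }')
  if [ "$protocols" != "TLSv1.2" ]; then
    echo "FAIL: protocols offered: $(printf '%s' "$protocols" | tr '\n' ' ')"
    status=1
  fi

  # Cipher lines look like "|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A".
  ciphers=$(printf '%s\n' "$report" |
    awk '/^[|][| ]*TLS_[A-Z0-9_]+ / { sub(/^[|][| ]*/, ""); sub(/ .*/, ""); print }')
  if [ -z "$ciphers" ]; then
    echo "FAIL: no cipher suites listed (port closed or no TLS listener?)"
    status=1
  fi
  for c in $ciphers; do
    # Whole-line fixed-string match against the allow list: no substring matches.
    if ! printf '%s\n' "$STRONG_SUITES" | grep -qxF "$c"; then
      echo "FAIL: suite outside the strong set offered: $c"
      status=1
    fi
  done

  # nmap's summary grade: any weaker suite pulls "least strength" below A.
  if ! printf '%s\n' "$report" | grep -q 'least strength: A$'; then
    echo "FAIL: least strength is not A"
    status=1
  fi

  [ "$status" -eq 0 ] && echo "OK: only TLS 1.2 strong cipher suites offered"
  return "$status"
}

# scan_and_check HOST PORT: the nmap command from this page, piped into the check.
scan_and_check() {
  nmap --script ssl-enum-ciphers -p "$2" "$1" | check_report
}

# Constructed report for a manager after the script ran (host and IP are made up).
sample_hardened() {
  cat <<'EOF'
Nmap scan report for dsm.example.com (192.0.2.10)
PORT     STATE SERVICE
4119/tcp open  assuria-slm
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
EOF
}

# Constructed report for a manager not yet upgraded: TLS 1.0 and an RSA/3DES suite.
sample_before() {
  cat <<'EOF'
Nmap scan report for dsm.example.com (192.0.2.10)
PORT     STATE SERVICE
4119/tcp open  assuria-slm
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|_  least strength: C
EOF
}

# Offline demonstration; against a live host: scan_and_check dsm.example.com 4119
sample_hardened | check_report
sample_before | check_report || echo "(expected: the pre-upgrade report is rejected)"
```

Point scan_and_check at every manager, relay and agent (ports 4119, 4122 and 4118) from your inventory; a non-zero exit status from check_report means that host still needs attention. The letter grade is nmap's own and changes between nmap releases, so the explicit allow list, not the letter, is the authoritative part of the check.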

Disable TLSv1.2 strong cipher suites

If you mistakenly run the script before upgrading all of your agents, relays, or the manager, you can revert this action by doing the following:

  1. Open the configuration.properties file in <Manager_root>, and remove the line starting with ciphers. The line looks similar to the following:

    ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  2. Add the following values to the protocols field: TLSv1 and TLSv1.1. Your final property looks similar to this:

    protocols = TLSv1, TLSv1.1, TLSv1.2

  3. Save and close the file.
  4. Open the java.security file in <Manager_root>\jre\lib\security\ and remove the following two protocols from jdk.tls.disabledAlgorithms:

    TLSv1, TLSv1.1

  5. On the Deep Security Manager, run the following dsm_c commands:

    dsm_c -action changesetting -name settings.configuration.restrictRelayMinimumTLSProtocol -value TLSv1

    dsm_c -action changesetting -name settings.configuration.enableStrongCiphers -value false

  6. Restart the Deep Security Manager service so that the edited configuration.properties and java.security files are re-read.

    Your components should now be able to communicate again. This revert re-admits TLS 1.0 and TLS 1.1 on the manager, so treat it as a temporary measure: once every manager, relay and agent is at 10.0 Update 16 or later, run the script again to enable the TLSv1.2 strong cipher suites.
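The revert above is a handful of hand edits across two files. The following shell script, added to this page as an example and not a Trend Micro tool, performs steps 1 to 5 on a given configuration.properties and java.security: it keeps a .bak copy of each file, removes the ciphers line, rewrites the protocols line, and drops the TLSv1 and TLSv1.1 tokens from jdk.tls.disabledAlgorithms while preserving the backslash continuation lines the stock java.security uses for that property. The sample file contents are constructed excerpts; the DSM_C variable exists only so the demonstration can print the dsm_c commands instead of running them.

```shell
#!/bin/sh
# Added example, not a Trend Micro tool: scripted form of revert steps 1 to 5.
# Run it on <Manager_root>/configuration.properties and
# <Manager_root>/jre/lib/security/java.security, then restart the manager.

# Steps 1-3: drop the ciphers line and re-admit TLSv1 and TLSv1.1. A .bak copy is kept.
revert_config_properties() {
  f=$1
  cp "$f" "$f.bak"
  awk '
    /^ciphers[ \t]*=/   { next }
    /^protocols[ \t]*=/ { print "protocols = TLSv1, TLSv1.1, TLSv1.2"; seen = 1; next }
    { print }
    END { if (!seen) print "protocols = TLSv1, TLSv1.1, TLSv1.2" }
  ' "$f.bak" > "$f"
}

# Step 4: remove the TLSv1 and TLSv1.1 tokens from jdk.tls.disabledAlgorithms.
# The stock java.security continues that property over several lines with a
# trailing backslash, so every line of the property is rewritten token by token
# and a comma that joins one line to the next is kept.
revert_java_security() {
  f=$1
  cp "$f" "$f.bak"
  awk '
    function strip(v,    n, p, i, t, out) {
      n = split(v, p, ",")
      out = ""
      for (i = 1; i <= n; i++) {
        t = p[i]; gsub(/^[ \t]+|[ \t]+$/, "", t)
        if (t == "" || t == "TLSv1" || t == "TLSv1.1") continue
        out = (out == "") ? t : (out ", " t)
      }
      if (p[n] ~ /^[ \t]*$/ && out != "") out = out ","
      return out
    }
    inprop {
      match($0, /^[ \t]*/); ind = substr($0, 1, RLENGTH)
      if ($0 ~ /\\$/) { sub(/[ \t]*\\$/, ""); print ind strip($0) " \\" }
      else            { print ind strip($0); inprop = 0 }
      next
    }
    /^jdk\.tls\.disabledAlgorithms[ \t]*=/ {
      v = substr($0, index($0, "=") + 1)
      if (v ~ /\\$/) { sub(/[ \t]*\\$/, "", v); print "jdk.tls.disabledAlgorithms=" strip(v) " \\"; inprop = 1 }
      else           { print "jdk.tls.disabledAlgorithms=" strip(v) }
      next
    }
    { print }
  ' "$f.bak" > "$f"
}

# Step 5: the two dsm_c settings. DSM_C is only a hook so the demo can print them.
revert_dsm_settings() {
  "${DSM_C:-dsm_c}" -action changesetting -name settings.configuration.restrictRelayMinimumTLSProtocol -value TLSv1
  "${DSM_C:-dsm_c}" -action changesetting -name settings.configuration.enableStrongCiphers -value false
}

# write_samples DIR: constructed excerpts of the two files as the script leaves them.
write_samples() {
  cat > "$1/configuration.properties" <<'EOF'
# constructed excerpt; a real configuration.properties holds many more properties
ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
protocols = TLSv1.2
EOF
  cat > "$1/java.security" <<'EOF'
# constructed excerpt of jre/lib/security/java.security
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF
}

# Offline demonstration on constructed copies.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
revert_config_properties "$demo_dir/configuration.properties"
revert_java_security "$demo_dir/java.security"
DSM_C=echo revert_dsm_settings
cat "$demo_dir/configuration.properties" "$demo_dir/java.security"
```

On a real manager, call the three functions against the files under <Manager_root>, then restart the Deep Security Manager service; diff each file against its .bak copy before restarting to confirm that only the ciphers, protocols and jdk.tls.disabledAlgorithms lines changed.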