To mitigate the SWEET32 birthday attack (CVE-2016-2183), IBM Planning Analytics 2.0.9.5
restricts payload size to 32 GB through GSKit.
However, the DES and 3DES ciphers remain available, and security scans report them as
false positives. To prevent these false positives, remove the DES and 3DES ciphers from your
Planning Analytics configuration.
About this task
The configuration changes described here apply only to Planning Analytics
Workspace Local. You do not have to make any modifications to Planning Analytics Workspace on
Cloud.
Procedure
- Stop all of the TM1 Server database services and the TM1 Admin Server service in your
environment.
- Open Cognos Configuration for the TM1 Admin Server service and set the following ciphers
in the Supported Cipher Suites property:
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
![Cipher settings](images/Paw_cipher_settings.jpg)
- Add the following line to the Tm1s.cfg file for each TM1 Server database (it is wrapped
here for display; enter it as one line):
tlsCipherList=TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- Start the TM1 Admin Server service and all of your TM1 Server database
services.
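
An added example, not part of the IBM documentation: a Python check that audits the text of a Tm1s.cfg file after the procedure above, reporting a missing tlsCipherList, any DES or 3DES suite, any suite outside the twelve listed, and a value pasted with the line breaks shown on this page. The `#` comment prefix, case-insensitive key matching, and the sample configuration are assumptions constructed for illustration.

```python
# Added example: audit Tm1s.cfg text against the cipher list in this procedure.
# The twelve suites from the procedure above.
ALLOWED = frozenset("""
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
""".split())

def audit_tm1s_cfg(text):
    """Return a sorted list of (kind, detail) findings for one Tm1s.cfg body."""
    findings, seen = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        key, sep, value = line.partition("=")
        if not sep:
            # A bare suite name on its own line means the value was pasted wrapped.
            if line.upper().startswith("TLS_"):
                findings.add(("wrapped", line.rstrip(",")))
            continue
        if key.strip().lower() != "tlscipherlist":  # assumption: key is case-insensitive
            continue
        seen = True
        if value.rstrip().endswith(","):
            findings.add(("wrapped", "value ends with a comma"))
        for suite in filter(None, (s.strip() for s in value.split(","))):
            if {"DES", "3DES"} & set(suite.upper().split("_")):
                findings.add(("des", suite))
            elif suite not in ALLOWED:
                findings.add(("unlisted", suite))
    if not seen:
        # Without the parameter, DES and 3DES stay available (see the introduction).
        findings.add(("missing", "tlsCipherList"))
    return sorted(findings)

# Constructed sample: a 3DES suite left in place and the value split over two lines.
SAMPLE_BAD = (
    "[TM1S]\n"
    "ServerName=Planning Sample\n"
    "tlsCipherList=TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,\n"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n"
)

if __name__ == "__main__":
    for kind, detail in audit_tm1s_cfg(SAMPLE_BAD):
        print(f"{kind}: {detail}")
```

Run it against the Tm1s.cfg of every TM1 Server database before restarting the services; an empty result means the file matches the list in this procedure.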