Disable DES and 3DES Ciphers in IBM Planning Analytics to mitigate false-positive security scans

To address the vulnerabilities exploited by the SWEET32 Birthday attack (CVE-2016-2183), IBM Planning Analytics 2.0.9.5 has enabled the restriction of payload size to 32GB via GSKit. However, the DES and 3DES ciphers will continue to be available and will show up as false positives on security scans. To prevent these false positives, remove the DES and 3DES ciphers from your Planning Analytics configuration.

About this task

The configuration changes described here are applicable only to Planning Analytics Workspace Local. You do not have to make any modifications to Planning Analytics Workspace on Cloud.

Procedure

  1. Stop all of the TM1 Server database services and the TM1 Admin Server service in your environment.
  2. Open Cognos Configuration for the TM1 Admin Server service and set the following ciphers in the Supported Cipher Suites property:
    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  3. Add the following line to the Tm1s.cfg file for each TM1 Server database. Enter it as a single line; it is wrapped here only for display:
    tlsCipherList=TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,
    TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    
  4. Start the TM1 Admin Server service and all of your TM1 Server database services.
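
To confirm the change before the next scan, the following added example (not IBM code) audits the text of a Tm1s.cfg file against the cipher list in steps 2 and 3. The function name audit_tm1s_cfg, the sample file contents, the "#" comment convention and the case-insensitive match on the parameter name are assumptions made for this illustration.

```python
import re

# The twelve suites listed in steps 2 and 3 of the procedure above.
APPROVED = frozenset("""
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
""".split())

# Matches a DES or 3DES token in a suite name; AES names do not match.
WEAK = re.compile(r"(?:^|_)3?DES(?:_|$)")

def audit_tm1s_cfg(text):
    """Audit the contents of one Tm1s.cfg (hypothetical helper)."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # assumed comment marker
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip().lower() == "tlsciphersuites".replace("suites", "list"):
            value = val.strip()                # last occurrence wins (assumption)
    if value is None:
        return {"status": "missing", "weak": [], "unlisted": []}
    suites = [s.strip() for s in value.split(",") if s.strip()]
    weak = [s for s in suites if WEAK.search(s)]
    unlisted = [s for s in suites if s not in APPROVED and s not in weak]
    # A value ending in a comma suggests the wrapped text from the
    # documentation was pasted with its line breaks left in.
    wrapped = value.endswith(",")
    status = ("weak" if weak else "wrapped" if wrapped
              else "review" if unlisted else "ok")
    return {"status": status, "weak": weak, "unlisted": unlisted}

# Constructed sample files, not taken from a real server.
SAMPLE_OK = "[TM1S]\nServerName=demo\ntlsCipherList=" + ",".join(sorted(APPROVED))
SAMPLE_WEAK = ("[TM1S]\ntlsCipherList=TLS_RSA_WITH_3DES_EDE_CBC_SHA,"
               "TLS_RSA_WITH_AES_128_GCM_SHA256\n")
SAMPLE_WRAPPED = ("[TM1S]\ntlsCipherList=TLS_RSA_WITH_AES_128_CBC_SHA256,\n"
                  "TLS_RSA_WITH_AES_256_CBC_SHA256,\n")

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_WEAK", "SAMPLE_WRAPPED"):
        print(name, audit_tm1s_cfg(globals()[name]))
```

Run it against each TM1 Server database's Tm1s.cfg contents; any status other than "ok" means step 3 was not applied as written for that database.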