Using the SEAS security script to modify cipher suites for supported SSL protocols

About this task

Use this command line script to view current settings for cipher suites and TLS versions, as configured in ssl_tls.properties. You can also use this script to update your settings.

Procedure

  1. Shut down Sterling External Authentication Server.
  2. Using the command line, navigate to the /install_dir/bin directory.
  3. Run SEASCipherConfigTool.bat -?
  4. Enter your passphrase.
  5. Use the following script commands to view and update configuration settings for cipher suites and TLS versions.
    Script command Description

    UNIX: ./SEASCipherConfigTool.sh -h

    Windows: SEASCipherConfigTool -h

    Show usage (help) - displays available script command options, and currently supported cipher suites for the default TLS version.

    UNIX: ./SEASCipherConfigTool.sh -s

    Windows: SEASCipherConfigTool -s

    Show configuration - displays the cipher suites and keystores for your current configuration.

    UNIX: ./SEASCipherConfigTool.sh -p

    Windows: SEASCipherConfigTool -p

    Show protocols - displays all supported TLS protocols.

    UNIX: ./SEASCipherConfigTool.sh -c

    Windows: SEASCipherConfigTool -c

    Show ciphers - displays all supported cipher suites.

    UNIX: ./SEASCipherConfigTool.sh -u <option>=<cipher suite>,<cipher suite>

    Windows: SEASCipherConfigTool -u <option>=<cipher suite>,<cipher suite>

    Update configuration - modify the cipher suites, where <option> is the option selection you want to update and <cipher suite> is the supported cipher suite you want to add to that option.
    Note: This command replaces all cipher suites in that type with the ones stated.
    Available options:
    • eaSslProtocol=TLS protocol version to use for TLS communication
    • eaServerAlias=Key certificate alias for SEAS server TLS
    • eaClientAlias=Key certificate alias for SEAS client TLS
    • eaCiphers=<list> Cipher suites for SEAS
    For example, to update the TLS protocol version, use this command:
    SEASCipherConfigTool.sh -u eaSslProtocol=TLSv1
    To update the available ciphers, use this command:
    SEASCipherConfigTool.sh -u eaCiphers=cipher1,cipher2,cipher3
    Note: Separate cipher suites with commas, colons, or semicolons. Do not include spaces in the list of cipher suites. You can add as many as needed.
  6. Start Sterling External Authentication Server.
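
Because `-u` replaces every cipher suite for the option and the list must use commas, colons, or semicolons with no spaces, it helps to check the value before running the update. The following is an added example, not part of the IBM documentation or product: the helper name `check_ea_ciphers`, the weak-suite patterns, and the sample input are assumptions of this example.

```shell
#!/bin/sh
# Added example, not IBM code. Pre-flight check for a value meant for
#   ./SEASCipherConfigTool.sh -u eaCiphers=<list>
# check_ea_ciphers is a hypothetical helper; the weak-suite patterns are
# this example's assumed policy, not a list published by the product.
check_ea_ciphers() {
    list=$1
    rc=0
    # -u replaces every suite for the option, so never pass an empty value.
    [ -n "$list" ] || { echo "error: empty cipher list" >&2; return 1; }
    case $list in
        *[[:space:]]*)   # the documentation forbids spaces in the list
            echo "error: whitespace in cipher list" >&2; return 1 ;;
        *,|*:|*\;)       # field splitting below would silently drop this
            echo "error: trailing separator" >&2; return 1 ;;
    esac
    # Split on the three documented separators: comma, colon, semicolon.
    old_ifs=$IFS; IFS=',:;'
    set -f; set -- $list; set +f
    IFS=$old_ifs
    for suite in "$@"; do
        case $suite in
            "") echo "error: empty entry (doubled or leading separator)" >&2
                rc=1 ;;
            *[!A-Za-z0-9_]*)
                echo "error: unexpected character in '$suite'" >&2; rc=1 ;;
            *_NULL_*|*_anon_*|*_EXPORT_*|*_RC4_*|*_DES_*|*_3DES_*|*_MD5)
                echo "weak: $suite" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input: mixed separators, one RC4/MD5 suite to be flagged.
sample='TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;TLS_RSA_WITH_RC4_128_MD5'
if check_ea_ciphers "$sample"; then
    echo "ok to pass to: ./SEASCipherConfigTool.sh -u eaCiphers=$sample"
else
    echo "rejected: fix the list before running -u"
fi
```

Compare the names you pass against the output of the `-c` command, since only suites the server reports as supported are meaningful in the list.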