
Disable the use of RC4 cipher for Exinda web UI

Overview

To disable the Exinda appliance's use of the RC4 cipher for HTTPS management of the device, please contact Exinda Support. This process requires access to restricted commands.

Internal Notes

The RC4 cipher has known vulnerabilities, and some customers prefer to have it disabled. Here are the instructions:

Enter the shell and run:
remountrw

Then edit the following files:
/opt/tms/lib/md/templates/httpd.conf
/var/opt/tms/output/httpd.conf

In the template file change:
@SSLComment@SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

To:
@SSLComment@SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5


In the output file, change:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

To:
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5

Then restart httpd from the CLI:
pm process httpd restart

To confirm, you can install an nmap binary on Windows to scan the Exinda to see what ciphers are available:

nmap --script ssl-cert,ssl-enum-ciphers -p 443 <address of exinda>

Check the output for RC4; there should be none.
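
The same check can be run over saved scan output instead of reading it by eye. This Python script is an added example, not part of the original article or of Exinda's tooling; the sample scan text is constructed, and the function name rc4_suites is hypothetical.

```python
import re

# Constructed sample of ssl-enum-ciphers output (not captured from a real device).
SAMPLE_BEFORE = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     warnings:
|       Broken cipher RC4 is deprecated by RFC 7465
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|_  least strength: C
"""

# Protocol headers look like "|   TLSv1.2:"; suite lines start with a TLS_/SSL_ name.
PROTO = re.compile(r"^\|[_ ]\s+(SSLv\d|TLSv\d\.\d):")
SUITE = re.compile(r"^\|[_ ]\s+((?:TLS|SSL)_[A-Z0-9_]+)\b")


def rc4_suites(nmap_output):
    """Return {protocol: [suite, ...]} for each offered suite that uses RC4.

    Only cipher-suite lines are counted, so nmap's own "Broken cipher RC4"
    warning text does not produce a hit by itself.
    """
    found, proto = {}, None
    for line in nmap_output.splitlines():
        m = PROTO.match(line)
        if m:
            proto = m.group(1)
            continue
        m = SUITE.match(line)
        if m and "_RC4_" in m.group(1):
            found.setdefault(proto, []).append(m.group(1))
    return found


if __name__ == "__main__":
    import sys
    # Pass a file holding the saved nmap output, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BEFORE
    hits = rc4_suites(text)
    for proto, suites in hits.items():
        print(proto, ", ".join(suites))
    if not hits:
        print("no RC4 suites offered")
```

An empty result after the httpd restart means the scan found no RC4 suite on any protocol version.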
  1. Priyanka Bhotika
