How to exclude SSL, TLS methods in GroupWise Mobility Service

  • 7021088
  • 12-Jul-2017
  • 12-Jul-2017

Environment

Novell GroupWise Mobility Service 2014 R2
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11

Situation

Need to disable TLS 1.0 for GroupWise Mobility to meet PCI compliance
Disable insecure security protocols in GMS
How to block communication from older protocols

Resolution

Please Note: To modify the methods that are used, Mobility must be on 14.2.1 HP2 or later.
Also Note: On SLES 11, do not exclude TLSv1, because nothing newer is available there: TLSv1.1 and above are not supported by that OS's openssl.
  1. Stop Mobility by typing rcgms stop
  2. Modify configengine.xml to add the necessary configuration
    • Navigate to /etc/datasync/configengine
    • Edit configengine.xml
    • In the <config><configengine> area, add the section below:

          <sslConfig>
              <excludeMethods>X</excludeMethods>
              <includeCiphers></includeCiphers>
          </sslConfig>

      Note: This can be placed near the bottom of the file, just above </configengine>
  3. Replace X with the number(s) of the method(s) that should be excluded (comma-separated)
    The methods are:
    SSL.SSLv2_METHOD = 1
    SSL.SSLv3_METHOD = 2
    SSL.SSLv23_METHOD = 3
    SSL.TLSv1_METHOD = 4
    SSL.TLSv1_1_METHOD = 5
    SSL.TLSv1_2_METHOD = 6
    e.g. <excludeMethods>4,5</excludeMethods> would exclude TLSv1 and TLSv1_1
    Note: SSLv3 and older are already disabled by the OS and should not need to be excluded

  4. Start Mobility by typing rcgms start
  5. Verify that the desired method(s) are disabled or enabled:
    • openssl s_client -connect gms_fqdn:443 -ssl3 for SSLv3
    • openssl s_client -connect gms_fqdn:443 -tls1 for TLSv1
    • openssl s_client -connect gms_fqdn:443 -tls1_1 for TLSv1_1
    • openssl s_client -connect gms_fqdn:443 -tls1_2 for TLSv1_2
      Disabled method(s): the command returns incomplete results and shows a line near the top reading "no peer certificate available"
      Enabled method(s): the command returns certificate information and handshake results
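The verification in step 5 can be scripted so that all four methods are probed in one pass and the s_client output is classified automatically. This is an added example, not part of the TID or of the Mobility product; it assumes openssl(1) is in PATH and that the host name passed to probe_all is your GMS server (gms.example.com below is a placeholder).

```sh
#!/bin/sh
# Probe a GMS listener for each SSL/TLS method using the same
# "openssl s_client" checks as the TID, and report which ones answer.
# Assumes: openssl(1) in PATH; the host argument is the Mobility server FQDN.

# classify_handshake: read openssl s_client output on stdin and print
#   disabled           - server refused the method ("no peer certificate available")
#   client-unsupported - the local openssl does not know the protocol flag at all
#                        (e.g. -ssl3 on a build without SSLv3), so nothing was tested
#   enabled            - a certificate and handshake results came back
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo client-unsupported
    elif printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
        echo disabled
    else
        echo enabled
    fi
}

# probe_method HOST FLAG: run s_client with one protocol flag
# (-ssl3, -tls1, -tls1_1 or -tls1_2) against HOST:443 and classify the result.
probe_method() {
    host=$1
    flag=$2
    # </dev/null closes stdin so s_client exits right after the handshake attempt
    openssl s_client -connect "$host:443" "$flag" </dev/null 2>&1 | classify_handshake
}

# probe_all HOST: one line per method, e.g. "tls1 disabled"
probe_all() {
    host=$1
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%s %s\n' "${flag#-}" "$(probe_method "$host" "$flag")"
    done
}

# Usage (placeholder host): probe_all gms.example.com
```

A result of client-unsupported means the probing machine's openssl cannot speak that version, so run that check from a host whose openssl still has the flag before concluding anything about the server.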


Additional Information

The ciphers that the enabled methods will use can be restricted by listing all allowed ciphers in the <includeCiphers></includeCiphers> tag.  More information can be found in TID 7016396