VMware Horizon Community
BenFB
Virtuoso

UAG supported cipher suites

We are looking for confirmation on the cipher suites that can be configured on a UAG. We have TLS 1.0/1.1 disabled, so we are only using TLS 1.2. According to Using PowerShell to Deploy VMware Unified Access Gateway, and comparing to our UAG 3.0, these are the default cipher suites.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

The connection server documentation (Default Global Policies for Security Protocols and Cipher Suites) states that the following ciphers are supported.

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

Our security team is requiring that we disable all AES 128 ciphers and only use elliptic curve (ECDHE) key exchange, which leaves us with the following.

UAG

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Connection Server

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

We've also been told that GCM is preferred as it performs better than CBC. So in a perfect world we would only use TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, but it's not one of the listed protocols for the UAG. We've found that it can be configured on the UAG, but it can't be the only cipher. So I could do the following on the UAG and Connection servers, but I'm unsure if this actually works.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Our connection servers are restricted to only use TLS 1.2 and the following cipher suites.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TL;DR

Will the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite work on a UAG?

Is it possible to only use TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 on the UAG and connection server or are a minimum of two needed?

Why do the UAG and Connection Servers support different ciphers?


Accepted Solutions
BenFB
Virtuoso

I already have a support request open and they are aware of this post. I actually received an answer yesterday that you can change to any combination of cipher suites as long as they are compatible with horizon server and its components.

13 Replies
mhampto
VMware Employee

This is an in-depth question; if possible, please raise a Support Request to engage the security team to confirm support for this setup.

ScubaDie
Contributor

Do you know if there is a way to change the ciphers when you deploy the UAG via PowerShell with the ini file? It would be much easier to change it during the deployment and not have to log into it and remove the ciphers you don't want.

BenFB
Virtuoso

Unfortunately there is not a way to set the cipher suites when deploying the UAG. I hope that will be added in a future release. As of now, after deploying a UAG I manually change the cipher suites to the following.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

markbenson
VMware Employee

You specify cipherSuites= in the .INI file. However, the general recommendation is to leave it with the default settings, which score a straight "A" rating with a Qualys SSL server test/scan.

This gives the best combination of broad compatibility with clients and good security.

ccostan
Contributor

I did have to make some changes for an A+ Rating.

https://www.vcloudinfo.com/2018/08/how-to-get-a-from-qualys-ssllabs-on.html

Carlo Costanzo | http://www.VMwareInfo.com | @ccostan
BenFB
Virtuoso

Thank you markbenson, this is great news! Are you planning to update Using PowerShell to Deploy VMware Unified Access Gateway to include that option?

Are there any other "undocumented" settings we can leverage? I've been looking for a way to do the following during deployment instead of manually post-deployment.

System Configuration

-Disable TLS 1.1

Horizon Settings

-Disable UDP Tunnel Server

-Disable HTML Access "NO" to "YES"

BenFB
Virtuoso

markbenson, I tried "ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" but still ended up with the following ciphers.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA

markbenson
VMware Employee

Check that you are using the latest version of the scripts.

Check admin.log.

If you still have problems with this, PM me and send me your .ini.

This works for me, so there must be some difference. You can always look at the script to check what gets applied.

BenFB
Virtuoso

markbenson

I'm using the latest UAG 3.3.1 with the bundled scripts from the download. I tried supplying the ciphers comma-separated and space-separated, like DNS servers, with the same results.

Here is a snippet from admin.log after the UAG is up. I removed all sensitive data.

08/29 21:21:32,011[main]INFO  gateway.ServerLauncher[logStarting: 48]: Starting ServerLauncher on photon-machine with PID 1950 (/opt/vmware/gateway/lib/admin-3.3.1.0-exec.jar started by gateway in /opt/vmware/gateway)

08/29 21:21:39,929[main]INFO  config.Config[persistUAGVersion: 368]: Writing UAG version to /opt/vmware/gateway/logs/rpm-version.log

08/29 21:21:40,444[main]INFO  utils.InetAddressUtils[getRealInetAddress: 76]: Returning loopback address: localhost/127.0.0.1

08/29 21:21:40,468[main]INFO  config.Config[persistSystemSettingsFromPropertiesFile: 224]: Admin starting in mode: STATICV4

08/29 21:21:40,633[main]INFO  zookeeper.BaseZookeeperRepository[save: 56]: Setting config changes:tlsPortSharingEnabled:(null->true) - productVersion:(null->3.3.1) - fipsEnabled:(null->false) - hypervisor:(null->vmware) - collectorId:(null->UAG_3.2) - class:(null->class com.vmware.euc.gateway.edgeservice.sdk.config.UAGGlobalData) - collectorInstanceId:(null->uag-bf4e45c1-9c1d-4c0f-bb73-f0477c4997e5) - productName:(null->Unified Access Gateway) -

08/29 21:21:40,643[main]INFO  config.Config[afterPropertiesSet: 191]: Successfully set initial settings from firstboot.properties

08/29 21:21:41,088[main]INFO  zookeeper.BaseZookeeperRepository[save: 56]: Setting config changes:ipv6Prefix0:(null->) - diskMode:(null->) - ipv6Prefix2:(null->) - ipv6Prefix1:(null->) - source:(null->) - ds:(null->) - ip0AllocationMode:(null->STATICV4) - deploymentOption:(null->twonic) - forceNetmask0:(null->255.255.255.0) - forceNetmask1:(null->255.255.255.0) - v6DefaultGateway:(null->) - class:(null->class com.vmware.euc.gateway.edgeservice.sdk.config.GeneralSettings) - internetDns:(null->) - forceNetmask2:(null->) - forwardRules:(null->) - gateway0:(null->) - gateway1:(null->) - netInternet:(null->) - dns:(null->X.X.X.X X.X.X.X) - forceIpv6Prefix0:(null->) - ip0:(null->X.X.X.X) - forceIpv6Prefix1:(null->) - forceIpv6Prefix2:(null->) - ip2:(null->) - ip1:(null->X.X.X.X) - defaultGateway:(null->X.X.X.X) - target:(null->) - routes1:(null->X.X.X.X/8 X.X.X.X) - netmask0:(null->255.255.255.0) - routes0:(null->) - netManagementNetwork:(null->) - v6ip2:(null->) - netBackendNetwork:(null->) - ipMode2:(null->) - ipMode0:(null->IPv4) - name:(null->) - ipMode1:(null->IPv4) - ip1AllocationMode:(null->STATICV4) - netmask1:(null->255.255.255.0) - routes2:(null->) -

08/29 21:21:41,468[main]INFO  pki.CertificateManager[dn: 310]: host name is: X.X.X.X

08/29 21:21:41,469[main]INFO  pki.CertificateManager[createSelfSignedCertIfNeeded: 221]: Certificate already exists for alias httpproxyalias, not creating self signed cert

08/29 21:21:41,703[main]INFO  service.SystemSettingsService[createOrUpdateSystemSettings: 189]: No Change in protocols or cipher suites

08/29 21:21:41,761[main]INFO  zookeeper.BaseZookeeperRepository[save: 56]: Setting config changes:authenticationTimeout:(null->300000) - fipsEnabled:(null->false) - uagName:(null->uag-b4b70607-7320-446e-9a4f-b7b1fbfa623d) - locale:(null->en_US) - ipMode:(null->STATICV4) - requestTimeoutMsec:(null->10000) - tls12Enabled:(null->true) - ipModeforNIC2:(null->STATICV4) - clientConnectionIdleTimeout:(null->360) - tls11Enabled:(null->true) - adminCertRolledBack:(null->false) - tls10Enabled:(null->false) - cookiesToBeCached:(null->none) - honorCipherOrder:(null->true) - class:(null->class com.vmware.euc.gateway.edgeservice.sdk.config.SystemSettings) - adminPassword:changed (sensitive) - healthCheckUrl:(null->/favicon.ico) - quiesceMode:(null->false) - syslogUrl:(null->syslog://X.X.X.X:514) - ceipEnabled:(null->true) - tlsPortSharingEnabled:(null->true) - bodyReceiveTimeoutMsec:(null->15000) - monitorInterval:(null->60) - cipherSuites:(null->TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA) - adminPasswordExpirationDays:(null->0) - httpConnectionTimeout:(null->120) - sessionTimeout:(null->none) - defaultRedirectHost:(null->X.X.X.X) - ssl30Enabled:(null->false) -

08/29 21:21:41,803[main]INFO  service.SettingsService[createAdminUserSettings: 352]: Creating the root admin account...

08/29 21:21:41,806[main]INFO  service.AdminUserService[addAdminUser: 103]: Attempting to create the admin user: admin

08/29 21:21:41,887[main]INFO  service.SystemSettingsService[createOrUpdateSystemSettings: 189]: No Change in protocols or cipher suites

08/29 21:21:41,963[main]INFO  utils.KeystoreUtilities[<init>: 85]: Fips provider not loaded, BCFKS keystore will not be available.

08/29 21:21:43,735[main]INFO  zookeeper.BaseZookeeperRepository[save: 56]: Setting config changes:password:changed (sensitive) - roles:(null->[ROLE_ADMIN]) - name:(null->admin) - class:(null->class com.vmware.euc.gateway.edgeservice.sdk.config.AdminUser) - userId:(null->99fdba8b-bee9-4337-8111-baf66d8b5cd5) - enabled:(null->true) - adminPasswordSetTime:(null->2018-08-29T21:21:41.862Z[Etc/UTC]) -

08/29 21:21:43,824[main]INFO  service.SystemSettingsService[createOrUpdateSystemSettings: 189]: No Change in protocols or cipher suites

markbenson
VMware Employee

Oh sorry. It should be cipherSuites=

I've corrected my earlier comment. Thanks for pointing this out.

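The two stumbling blocks in this thread are the key name in the .ini (`ciphers=` is silently ignored; `cipherSuites=` is what the deployment script reads) and then confirming from admin.log what the appliance actually applied. The script below is an added example, not VMware's code and not part of this thread: it validates the `cipherSuites=` value of a UAG deployment .ini against the policy the original post describes (ECDHE only, no AES-128, GCM listed first, and every suite also on the Connection Server supported list quoted above), then parses the `Setting config changes: ... cipherSuites:(old->new)` line from admin.log and reports any suite that is live on the appliance but not intended. The .ini samples and the log line are constructed for the example; treating the key as case-sensitive and accepting whitespace as well as comma separators are assumptions, not documented script behaviour.

```python
"""Check a UAG deployment .ini cipherSuites= value against a cipher policy and
confirm from admin.log which suites the appliance applied.
Added example; not VMware code. Sample inputs below are constructed."""
import re

# Connection Server suites as listed in the thread (from the
# "Default Global Policies for Security Protocols and Cipher Suites" doc).
CONNECTION_SERVER_SUPPORTED = frozenset({
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
})


def parse_ini_cipher_suites(ini_text):
    """Return (suites, problems) from the .ini text.

    Only 'cipherSuites=' is honoured, matching the correction in the thread.
    Any other key starting with 'cipher' (e.g. the 'ciphers=' typo) is reported
    and ignored. Assumptions: the key is case-sensitive, and the value may be
    comma- or whitespace-separated."""
    suites, problems = [], []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")):
            continue                      # comments, blanks, [Section] headers
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key == "cipherSuites":
            suites = [s for s in re.split(r"[,\s]+", value.strip()) if s]
        elif key.lower().startswith("cipher"):
            problems.append(f"key '{key}' is not 'cipherSuites' and is ignored; "
                            "the appliance defaults will be applied")
    return suites, problems


def check_policy(suites):
    """Apply the policy from the thread; return a list of findings (empty = OK)."""
    if not suites:
        return ["no cipherSuites value: the appliance defaults will apply"]
    problems = []
    for s in suites:
        if "_AES_128_" in s:
            problems.append(f"{s}: AES-128 is excluded by policy")
        if not s.startswith("TLS_ECDHE_"):
            problems.append(f"{s}: non-ECDHE key exchange is excluded by policy")
        if s not in CONNECTION_SERVER_SUPPORTED:
            problems.append(f"{s}: not on the Connection Server supported list")
    # With honorCipherOrder=true (seen in admin.log) the server's list order
    # decides which mutual suite is chosen, so the preferred GCM suite goes first.
    if "_GCM_" not in suites[0] and any("_GCM_" in s for s in suites):
        problems.append("a GCM suite is configured but not listed first")
    if len(suites) == 1:
        problems.append("only one suite listed; the thread reports a single "
                        "suite cannot be the only one on the UAG")
    return problems


def applied_suites_from_admin_log(log_text):
    """Return the last cipherSuites list that admin.log records as applied,
    parsed from the 'Setting config changes: ... cipherSuites:(old->new)' line."""
    matches = re.findall(r"cipherSuites:\([^>]*->([^)]*)\)", log_text)
    return [s for s in matches[-1].split(",") if s] if matches else []


def audit(ini_text, log_text):
    """Combine the checks: intended vs. applied suites plus policy findings."""
    intended, problems = parse_ini_cipher_suites(ini_text)
    problems += check_policy(intended)
    applied = applied_suites_from_admin_log(log_text)
    return {"intended": intended, "applied": applied, "problems": problems,
            "unexpected_on_appliance": [s for s in applied if s not in intended]}


# Constructed samples modelled on the thread (not real deployment data).
INI_WITH_TYPO = """[General]
name=uag-example
ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
"""
INI_CORRECTED = INI_WITH_TYPO.replace("ciphers=", "cipherSuites=")
ADMIN_LOG_SAMPLE = (
    "08/29 21:21:41,761[main]INFO  zookeeper.BaseZookeeperRepository[save: 56]: "
    "Setting config changes:tls12Enabled:(null->true) - tls11Enabled:(null->true) - "
    "honorCipherOrder:(null->true) - cipherSuites:(null->"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA) - ssl30Enabled:(null->false) -"
)

if __name__ == "__main__":
    for label, ini in (("typo", INI_WITH_TYPO), ("corrected", INI_CORRECTED)):
        result = audit(ini, ADMIN_LOG_SAMPLE)
        print(label, "problems:", result["problems"])
        print(label, "unexpected on appliance:", result["unexpected_on_appliance"])
```

Run it against your own .ini and a copy of admin.log taken after first boot; an empty `problems` list together with an empty `unexpected_on_appliance` list means the key was spelled correctly and the appliance applied exactly the suites you intended.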
BenFB
Virtuoso

markbenson

That worked, thank you!

By chance is there a deployment setting for the following? These are now the only two steps I have to do manually post deployment.

-Disable TLS 1.1

-Disable HTML access (We have HTML access disabled on the connection servers so I'm wondering if this is necessary)

It would be nice to see this as an option. Sometimes a user will log in before I'm ready and then they get disconnected when I disable TLS 1.1.

-Boot with quiesce mode enabled.

I've noticed two things that aren't getting set correctly on 3.3.1.

-The UAG name is being ignored from the INI and set to a random value (e.g. uag-2c5cab74-77fc-4bda-a86d-a32da99dd8d3 in the admin UI and photon-machine in the OS)

-I'm disabling CEIP during the deployment but it still shows enabled in the admin UI.

Sumeet_Soni
Contributor

I need help with disabling TLS 1.1.

How can I change it, as I am unable to find the file java.security under /usr/java/jre-vmware/lib/security?

UAG version is v21.03.1
