AIX

Hello all,

planning to secure AIX sever by disabling insecure protocols/cipher suites; got the below requirements from secuirty team.


1.configure the server to disable support for DES and IDEA cipher suites

2.disable insecure TLS/SSL protocol support
Configure the server to require clients to use TLS version 1.2 using AEAD capable ciphers.

3.disable TLS/SSL support for RC4 ciphers

4.enable support for the below ciphers
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA



I was trying to understand the existing settings using "openssl" command options.

we do not have any web server on AIX servers(only application server and database). I believe application use its own java and SSL.
do we still need disable above settings on AIX ?

Please suggest, if anyone has already worked on these type of requirements.

How to confgiure above settings and how can we revert back if something goes wrong.


**I will try the recommended changes on lab server. its not going to affect any server/app.

Unfortunately nobody can understand what your security dept requires from you. As for me it seems that they even don't understand what they want. You have to speak with them and make clear:

1. There is no single point in a UNIX operating system, where you can enable or disable a cipher. Every application can implement its own cipher and you have no control over it.

2. There are at least 2 "cipher libraries" - IBM's GSKit and OpenSSL. OpenSSL can be IBM-compiled, Perzl-compiled, Michael Felt-compiled, Bull-compiled, and own-compiled. As far as I remember, Michael Felt also has LibreSSL for AIX, but he knows it better and he is sometimes here. This is the 3rd "cipher library", which can be used.

3. There are some places, even in AIX, which have nothing common with these libraries. E.g. password hashing is implemented using so called Loadable Password Algorithm (LPA) modules. AIX has modules for MD5, SHA1, SHA256, SHA512, Blowfish. If somebody requires some other module, they have to develop it on their own.

4. There is 3rd party software, which has their own cipher modules, and doesn't depend on libraries. The best example is OpenSSH. You can have IBM-compiled OpenSSH, or Michael's compiled OpenSSH. You can also have some other SSH-based servers and clients, e.g. Tectia SSH server. And you're right, when you speak about Java - it has its own SSL implementation.

Just to make it easy - you are not the only one, who receives such stupid requirements from people thinking they are "security professionals" and who've read yesterday for the first time in the lifes about POODLE or some other bug in OpenSSL. Your duty as a professional system administrator is to speak with them and make them clear that their requirements too inaccurate and cannot be implemented without additional information.

thanks for your reply. my team is checking with them to get more info. meanwhile, i was researching online. thought of getting experts suggestion here. I will update here, if i get any useful info. thank you.

i found something related to ciphers that affect AIX on IBM. would like to share here.

IBM - My notifications

---------- Post updated at 02:52 PM ---------- Previous update was at 02:42 PM ----------

Did you guys had a chance to re mediate these issues in your environment ? we're using java version 7 on AIX 7.1

Yes, it is a known issue, they updated it yesterday/some days ago. The same way as with other security patches - you download APAR (the link is on the site), untar it, install using emgr.

But this issue has nothing common with your original question. It describes a known vulnerability in RC4 cipher and describes how to fix it in AIX 7.1 TL3 SP5 and some other versions, which are listed there. Let's say you don't use ftpd, sendmail, popd and imapd on your server, but you use IBM Directory Server. Then the provided fix doesn't make any sense for your server, because it doesn't fix IBM Directory Server, which has the same problem with RC4 cipher, but fixes only the services, you don't use.