This section describes the process to change the TLS version and cipher suites used by Axon Agents and the Bridge.
For more information on supported TLS versions and cipher suites, see Supported TLS Versions and Cipher Suites.
To change the TLS version and cipher suites used:
1. On the Tripwire Log Center Manager, open the following file in a text editor:
   <TLC_Manager_install_dir>\Agent Services\config\bridge.properties
2. To configure the TLS versions that the Bridge will use to accept connections from an Axon Agent, edit the tw.cap.bridge.tlsVersion value. To configure the Bridge to accept connections using only a single TLS version, specify it like this:
   tw.cap.bridge.tlsVersion=TLSv1.2
   To configure the Bridge to accept connections using more than one version of TLS, specify all of the accepted versions as a comma-separated list. For example:
   tw.cap.bridge.tlsVersion=TLSv1.2,TLSv1.1,TLSv1
3. To configure the TLS cipher suites that the Bridge will use, edit the tw.cap.bridge.tlsCipherSuites value. For a list of values, see Table 24.
   To configure multiple cipher suites, specify them as a comma-separated list. For example:
   tw.cap.bridge.tlsCipherSuites=TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
4. Save the bridge.properties file.
5. At a command prompt, enter the following commands to restart the Bridge service:
   net stop TripwireBridge
   net start TripwireBridge
6. On each Axon Agent where you want to change the TLS version and/or cipher suites, do the following:
   a. Open one of the following files in a text editor:
      Linux:
      /etc/tripwire-tlc/twagent.conf
      Windows:
      %PROGRAMDATA%\Tripwire\agent-tlc\config\twagent.conf
   b. To configure the single TLS version that this Axon Agent will use to connect with the Bridge, edit the tls.version value. For example:
      tls.version=TLSv1.2
      Note: If the Axon Agent attempts to connect with a Bridge that does not support the specified TLS protocol, the TLS handshake will fail and the connection will be closed.
   c. To configure the TLS cipher suites that this Axon Agent will use, edit the tls.cipher.suites value. For a list of values, see Table 24.
      To configure multiple cipher suites, specify them as a colon-separated list. For example:
      tls.cipher.suites=DHE-RSA-AES256-SHA:RSA-AES256-SHA:AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
      Note: If the Axon Agent attempts to connect with a Bridge that does not support any of the specified TLS ciphers, the TLS handshake will fail and the connection will be closed.
   d. At a command prompt, enter one of the following sets of commands to restart the Axon Agent service:
      Linux:
      /sbin/service tw-axon-agent-tlc stop
      /sbin/service tw-axon-agent-tlc start
      Windows:
      net stop TripwireAxonAgentTLC
      net start TripwireAxonAgentTLC
Axon Agents and the Bridge support TLSv1, TLSv1.1, and TLSv1.2.
Both Axon Agents and the Bridge use TLSv1.2 by default. Table 24 lists the default cipher suites configured by the Bridge and by Agents. Note that the same cipher suites are supported in both places, but the names are different because the Bridge uses Java cipher suite names, while the Axon Agents use OpenSSL names.
The Bridge and Axon Agents can use any TLS cipher suite that is implemented by both Java and OpenSSL, and that is allowed by Federal Information Processing Standards (FIPS) 140-2.
| Cipher Suite Name on the Bridge | Corresponding Name on an Axon Agent |
|---|---|
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DHE-RSA-AES256-SHA |
| TLS_RSA_WITH_AES_256_CBC_SHA | RSA-AES256-SHA |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE-RSA-AES256-GCM-SHA384 |
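The following script is an added example and not part of the Tripwire documentation or product: it reads a bridge.properties and a twagent.conf (key names, defaults and the Table 24 mapping as given above), converts the Bridge's Java cipher suite names to the Agent's OpenSSL names, and reports whether the two sides share a TLS version and at least one cipher suite, the two conditions that the notes in step 6 say a failed handshake depends on. The minimal properties parser and the warning about deprecated protocol versions are assumptions of the example, not behaviour documented on this page.

```python
"""Added compatibility check (not Tripwire's code): can a Bridge and an
Axon Agent, given their config files, complete the TLS handshake?"""

# Table 24: Java cipher suite name (Bridge) -> OpenSSL name (Axon Agent)
TABLE_24 = {
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "DHE-RSA-AES256-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "RSA-AES256-SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
}
LEGACY_VERSIONS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996 (assumption)


def parse_properties(text):
    """Minimal key=value parser (assumption); '#'/'!' comments and blanks skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_compat(bridge_text, agent_text):
    """Return (errors, warnings). Any error means the handshake cannot succeed."""
    bridge, agent = parse_properties(bridge_text), parse_properties(agent_text)
    errors, warnings = [], []
    # Bridge accepts a comma-separated list of versions; the Agent uses one.
    bridge_versions = {v.strip() for v in
                       bridge.get("tw.cap.bridge.tlsVersion", "TLSv1.2").split(",")}
    agent_version = agent.get("tls.version", "TLSv1.2")
    if agent_version not in bridge_versions:
        errors.append(f"agent uses {agent_version}; bridge accepts {sorted(bridge_versions)}")
    for v in sorted(bridge_versions & LEGACY_VERSIONS):
        warnings.append(f"bridge accepts deprecated protocol {v}")
    # Bridge suites: comma-separated Java names; Agent suites: colon-separated
    # OpenSSL names. Defaults on both sides are the Table 24 suites.
    bridge_suites = bridge.get("tw.cap.bridge.tlsCipherSuites", ",".join(TABLE_24))
    agent_suites = agent.get("tls.cipher.suites", ":".join(TABLE_24.values()))
    bridge_set = {s.strip() for s in bridge_suites.split(",") if s.strip()}
    agent_set = {s.strip() for s in agent_suites.split(":") if s.strip()}
    for s in sorted(bridge_set - set(TABLE_24)):
        warnings.append(f"bridge suite {s} is not in Table 24; cannot map it")
    for s in sorted(agent_set - set(TABLE_24.values())):
        warnings.append(f"agent suite {s} is not in Table 24; cannot map it")
    common = {TABLE_24[s] for s in bridge_set & set(TABLE_24)} & agent_set
    if not common:
        errors.append("no cipher suite in common: handshake would fail")
    return errors, warnings
```

Run it against copies of both files before restarting the services; an empty error list means the Agent's single version and at least one of its suites are accepted by the Bridge.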