This section describes the process to change the TLS version and cipher suites used by Axon Agents and the Axon Access Point.
For more information on supported TLS versions and cipher suites, see Supported TLS Versions and Cipher Suites.
To change the TLS version and cipher suites used:
1. | On the Tripwire Log Center Manager, open the following file in a text editor: |
<TLC_Manager_install_dir>\Tripwire Axon Access Point\config\bridge.properties
2. | To configure the TLS versions that the Axon Access Point will use to accept connections from an Axon Agent, edit the tw.cap.bridge.tlsVersion value. To configure the Access Point to accept connections using only a single TLS version, specify it like this: |
tw.cap.bridge.tlsVersion=TLSv1.2
To configure the Access Point to accept connections using more than one version of TLS, specify all of the accepted versions as a comma-separated list. For example:
tw.cap.bridge.tlsVersion=TLSv1.2,TLSv1.1,TLSv1
3. | To configure the TLS cipher suites that the Access Point will use, edit the tw.cap.bridge.tlsCipherSuites value. For a list of values, see Table 22. |
To configure multiple cipher suites, specify them as a comma-separated list. For example:
tw.cap.bridge.tlsCipherSuites=TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
4. | Save the bridge.properties file. |
5. | At a command prompt, enter the following command |
net stop TripwireAxonAccessPoint
net start TripwireAxonAccessPoint
6. | On each Axon Agent where you want to change the TLS version and/or cipher suites, do the following: |
a. | Open one of the following files in a text editor: |
Linux:
/etc/tripwire-tlc/twagent.conf
Windows:
%PROGRAMDATA%\Tripwire\agent-tlc\config\twagent.conf
b. | To configure the single TLS version that this Axon Agent will use to connect with the Axon Access Point, edit the tls.version value. For example: |
tls.version=TLSv1.2
Note |
If the Axon Agent attempts to connect with an Axon Access Point that does not support the specified TLS protocol, the TLS handshake will fail and the connection will be closed. |
---|
c. | To configure the TLS cipher suites that this Axon Agent will use, edit the tls.cipher.suites value. For a list of values, see Table 22. |
To configure multiple cipher suites, specify them as a colon-separated list. For example:
tls.cipher.suites=DHE-RSA-AES256-SHA:RSA-AES256-SHA:AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
Note |
If the Axon Agent attempts to connect with an Axon Access Point that does not support any of the specified TLS ciphers, the TLS handshake will fail and the connection will be closed. |
---|
d. | At a command prompt, enter one of the following sets of commands to restart the Axon Agent Service: |
Linux:
/sbin/service tw-axon-agent-tlc stop
/sbin/service tw-axon-agent-tlc start
Windows:
net stop TripwireAxonAgentTLC
net start TripwireAxonAgentTLC
Axon Agents and the Axon Access Point support TLSv1, TLSv1.1, and TLSv1.2.
Both Axon Agents and the Axon Access Point use TLSv1.2 by default. Table 22 lists the default cipher suites configured by the Access Point and by Agents. Note that the same cipher suites are supported in both places, but the names are different because the Access Point uses Java cipher suite names, while the Axon Agents use OpenSSL names.
The Axon Access Point and Axon Agents can use any TLS cipher suite that is implemented by both Java and OpenSSL, and that is allowed by Federal Information Processing Standards (FIPS) 140-2.
Cipher Suite Name on the Axon Access Point |
Corresponding Name on an Axon Agent |
---|---|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
DHE-RSA-AES256-SHA |
TLS_RSA_WITH_AES_256_CBC_SHA |
RSA-AES256-SHA |
TLS_RSA_WITH_AES_256_GCM_SHA384 |
AES256-GCM-SHA384 |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
DHE-RSA-AES256-GCM-SHA384 |