Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3221
Views
0
Helpful
9
Replies

Cisco SMA Configure Cipher Suite

Go to solution
a.zahid
Level 1
Level 1

‎08-19-2019 10:02 PM

Hi,

 

I tried to update SMA cipher using cli (sslconfig) but not able to do it because SMA does not behave the same as ESA.

 

I found from other discussion that for SMA, I need to change the configuration on the config file and then upload the config file back. Based on our past experience, we have encountered a situation where after the config file is uploaded, not all configuration was restored.

 

Is there any other way I can update our SMA cipher config?

 

Thank you.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ppreenja
Cisco Employee
Cisco Employee
In response to a.zahid

‎08-20-2019 10:27 PM

Hi A.zahid,

To the best of my knowledge, the steps provided is the only way to adjust SSL ciphers in SMA by making changes in the configuration file.
However, I understand that you had faced issue last time while restoring the configuration as all the configuration was not restored.
To make sure the similar incident don't next time, you can take below precautions while performing the change next time:

1) Make sure that you download the configuration file which is plain or encrypt as mask configuration will not be uploaded after making the changes.
2) Once the required changes are made, I would request you to make use of the text comparison tool that only SSL configuration is changed and no other configuration changes are in place.

If you still face any issue, please feel free to reach out to Cisco TAC and we'll be happy to assist you further.

BR,
Pratham

View solution in original post

0 Helpful
9 Replies 9

Go to solution
ppreenja
Cisco Employee
Cisco Employee

‎08-20-2019 01:31 AM

Hi,

To adjust the SSL ciphers for the SMA you can do this by performing the below steps.

The sslconfig part of command that allows changing ciphers is not available for the Cisco SMA as such you will have to perform the below steps:

1. Save the SMA configuration file to your local computer. Make sure passwords are unmasked or this will not work.
2. Open the XML file.
3. Search for the <ssl> section in the XML. It will look like the below:

EXAMPLE:
<ssl>
<ssl_inbound_method>sslv3tlsv1</ssl_inbound_method>
<ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_inbound_ciphers>
<ssl_outbound_method>sslv3tlsv1</ssl_outbound_method>
<ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_outbound_ciphers>
<ssl_gui_method>sslv3tlsv1</ssl_gui_method>
<ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_gui_ciphers>
</ssl>


4. Modify the ciphers as desired and save the XML.

EXAMPLE:
<ssl>
<ssl_inbound_method>tlsv1</ssl_inbound_method>
<ssl_inbound_ciphers>MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH</ssl_inbound_ciphers>
<ssl_outbound_method>tlsv1</ssl_outbound_method>
<ssl_outbound_ciphers>MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH</ssl_outbound_ciphers>
<ssl_gui_method>tlsv1</ssl_gui_method>
<ssl_gui_ciphers>MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH</ssl_gui_ciphers>
</ssl>

5. Load the new configuration file onto the SMA.
6. Submit and commit all changes.

I hope this helps.

BR,
Pratham
0 Helpful

Go to solution
a.zahid
Level 1
Level 1
In response to ppreenja

‎08-20-2019 07:01 PM

Hi pprenja,

 

Is there any other way to do it? Based on our past experience, we have encountered a situation where after the config file is uploaded, not all configuration was restored.

 

Thanks

0 Helpful

Go to solution
ppreenja
Cisco Employee
Cisco Employee
In response to a.zahid

‎08-20-2019 10:27 PM

Hi A.zahid,

To the best of my knowledge, the steps provided is the only way to adjust SSL ciphers in SMA by making changes in the configuration file.
However, I understand that you had faced issue last time while restoring the configuration as all the configuration was not restored.
To make sure the similar incident don't next time, you can take below precautions while performing the change next time:

1) Make sure that you download the configuration file which is plain or encrypt as mask configuration will not be uploaded after making the changes.
2) Once the required changes are made, I would request you to make use of the text comparison tool that only SSL configuration is changed and no other configuration changes are in place.

If you still face any issue, please feel free to reach out to Cisco TAC and we'll be happy to assist you further.

BR,
Pratham
0 Helpful

Go to solution
a.zahid
Level 1
Level 1
In response to ppreenja

‎08-21-2019 05:02 PM

Hi pprenja,

 

Thanks for your explanation and recommendation. Really appreciate it.

 

Thanks.

0 Helpful

Go to solution
Ken Stieers
VIP
VIP

‎08-20-2019 07:22 AM

I've asked for an enhancement request.  CSCvq97177

 

Totally silly that this is an issue as the ESA has it available via gui and CLI. 

 

0 Helpful

Go to solution
a.zahid
Level 1
Level 1
In response to Ken Stieers

‎08-21-2019 04:57 PM

Hi,

 

It should have been same for both sma and esa. Did Cisco mention when will this enhancement be onboard?

 

Thanks.

0 Helpful

Go to solution
ppreenja
Cisco Employee
Cisco Employee
In response to a.zahid

‎08-22-2019 05:32 AM

Hello,

Currently, there is no ETA on the enhancement as backend teams are working on the same. The enhancement has been filed on Aug 20,2019 itself and as soon as it link for the same is made public, you can add yourself to the notification and get updates directly once any fix is announced.

Cheers,
Pratham
0 Helpful

Go to solution
a.zahid
Level 1
Level 1
In response to ppreenja

‎08-22-2019 06:33 PM

Hi pprenja,

 

Thanks for the information. :)

 

Thanks.

0 Helpful

Go to solution
ppreenja
Cisco Employee
Cisco Employee
In response to a.zahid

‎08-22-2019 08:35 PM

Hi A.zahid,

Happy to help! :)

Cheers,
Pratham
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents