Enable TLS 1.2 strong cipher suites (2024)

Deep Security Manager 10 has reached end of support. Use the version selector (above) to see more recent versions of the Help Center.

Only applies to on-premise installations of Deep Security Manager.

This page describes how to update the Deep Security Manager, Deep Security Agent and Deep Security Relay so that they use the TLS 1.2 strong cipher suites. These are the four ECDHE-RSA AES suites (AES-128 and AES-256, in GCM and CBC mode, with SHA-256 or SHA-384) that appear in the nmap output in Step 3 and in the ciphers line quoted under Disable TLSv1.2 strong cipher suites. These cipher suites have an Advanced+ (A+) rating.

Enabling strong cipher suites requires upgrading all of your Deep Security components to 10.0 Update 16 or a later update. If this is not possible (for example, you are using operating systems for which a 10.0 Update 16 agent is not available), see instead Use TLS 1.2 with Deep Security.

Step 1: Update Deep Security components

Step 2: Run a script to enable TLS 1.2 strong cipher suites

Step 3: Verify that the script worked

Disable TLSv1.2 strong cipher suites

Update Deep Security components

Make sure you update all components in the order listed below or else the agents will not be able to communicate with the relays and manager.

  1. Update all your manager instances to 10.0 Update 16 or a later update. For upgrade instructions, see Deploy Deep Security.
  2. Update all your relays to 10.0 Update 16 or a later update. To upgrade a relay, follow the same process as upgrading an agent:
    1. Import the latest relay software into the manager, either manually or automatically. See Update Deep Security software for details.
    2. Upgrade the relay:
      • To automatically upgrade a relay, see Initiate an upgrade.
      • To manually upgrade a relay, see Manually upgrade the agent.
  3. Update all your agents to 10.0 Update 16 or a later update. To upgrade your agents:
    1. Import the latest agent software into the manager, either manually or automatically. See Update Deep Security software for details.
    2. Upgrade your Deep Security Agents:
      • To automatically upgrade an agent, see Initiate an upgrade.
      • To manually upgrade an agent, see Manually upgrade the agent.

Run a script to enable TLS 1.2 strong cipher suites

  1. Copy the EnableStrongCiphers.script file available at https://github.com/deep-security/ops-tools/tree/master/deepsecurity/manager to:
    • On Windows: <Manager_root>\Scripts
    • On Linux: <Manager_root>/Scripts

    where <Manager_root> is replaced with the path to your manager's installation directory, by default:

    • C:\Program Files\Trend Micro\Deep Security Manager (Windows)
    • /opt/dsm/ (Linux)

    If you do not see a Scripts directory, create it.

  2. Log in to the manager.
  3. Click Administration at the top.
  4. On the left, click Scheduled Tasks.
  5. In the main pane, click New. The New Scheduled Task Wizard appears.
  6. From the Type drop-down list, select Run Script. Select Only Once. Click Next.
  7. Accept the date, time, and time zone defaults and click Next.
  8. For the Script, select EnableStrongCiphers.script. Click Next.
  9. For the Name, enter a name for the task, for example, Enable Strong Cipher Suites. Make sure Task Enabled is selected. Select Run Task on 'Finish'. Click Finish.

    The script runs.

  10. Restart the Deep Security Manager service.

    Your agents, relays, and manager should now be communicating with each other using TLSv1.2 strong cipher suites exclusively.

Verify that the script worked

To verify that the script worked, and that only strong TLS 1.2 cipher suites are permitted, you must run a series of nmap commands.

  • Verify the manager using nmap
  • Verify the relays using nmap
  • Verify the agents using nmap

Verify the manager using nmap

Run this command:

nmap --script ssl-enum-ciphers -p 4119 <Manager_FQDN>

The output should look similar to the following, with the strong cipher suites near the middle:

Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-14 09:51 EST
Nmap scan report for <DSM FQDN> (X.X.X.X)
Host is up (0.0049s latency).
PORT     STATE SERVICE
4119/tcp open  assuria-slm
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256k1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256k1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256k1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256k1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 6.82 seconds

Verify the relays using nmap

Run this command:

nmap --script ssl-enum-ciphers -p 4122 <Relay_FQDN>

The output should look similar to the following, again, with the strong cipher suites listed near the middle:

Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-14 09:49 EST
Nmap scan report for <DSR FQDN> (X.X.X.X)
Host is up (0.0045s latency).
PORT     STATE SERVICE
4122/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 31.02 seconds

Verify the agents using nmap

Run this command:

nmap --script ssl-enum-ciphers -p 4118 <Agent_FQDN>

The output looks similar to the following:

Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-14 09:50 EST
Nmap scan report for <DSA FQDN> (X.X.X.X)
Host is up (0.0048s latency).
PORT     STATE SERVICE
4118/tcp open  netscript
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 2.72 seconds
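Reading three scans by eye is error-prone once you have more than a handful of relays and agents, so the following turns the nmap runs above into a pass/fail check. This is an added example, not part of the Deep Security documentation or the ops-tools repository. It assumes the ssl-enum-ciphers output format shown above (nmap 7.x), and the two sample scans embedded in it are constructed: the host name and address are placeholders, and the failing sample is what a host looks like before the script has taken effect. A host passes only if the sole protocol section is TLSv1.2 and its cipher list is exactly the four suites named on this page.

```python
"""Check nmap ssl-enum-ciphers output for the strong-suite-only state.

Added example, not part of the Deep Security documentation or tooling: it
parses the text that `nmap --script ssl-enum-ciphers -p <port> <host>` prints
and reports anything other than TLSv1.2 with the four expected suites.
"""
import re
import sys

# The four suites the page's script enables (taken from the 'ciphers=' line
# quoted in the revert procedure).
STRONG_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}

# "|   TLSv1.2:" opens a protocol section; "|       TLS_... (secp256r1) - A"
# is one cipher line carrying nmap's letter grade.
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(
    r"^\|\s+(TLS_[A-Z0-9_]+)(?:\s+\(([^)]*)\))?\s+-\s+([A-F])\s*$"
)


def parse_ssl_enum(output: str) -> dict:
    """Map each protocol section to its [(suite, kex_info, grade), ...]."""
    offered = {}
    current = None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            offered.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            offered[current].append((m.group(1), m.group(2) or "", m.group(3)))
    return offered


def check_strong_only(output: str) -> list:
    """Return findings for one host; an empty list means it passes."""
    offered = parse_ssl_enum(output)
    if not offered:
        return ["no TLS protocol sections found (port closed, filtered, or not TLS)"]
    findings = [f"{p} is still enabled" for p in offered if p != "TLSv1.2"]
    tls12 = offered.get("TLSv1.2", [])
    suites = {s for s, _, _ in tls12}
    findings += [f"unexpected TLSv1.2 suite offered: {s}" for s in sorted(suites - STRONG_SUITES)]
    findings += [f"expected suite missing: {s}" for s in sorted(STRONG_SUITES - suites)]
    findings += [f"{s} graded {g}, expected A" for s, _, g in tls12 if g != "A"]
    return findings


# Constructed sample: the shape of the page's manager scan after the script ran.
SAMPLE_PASS = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-14 09:51 EST
Nmap scan report for dsm.example.internal (192.0.2.10)
Host is up (0.0049s latency).
PORT     STATE SERVICE
4119/tcp open  assuria-slm
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A
"""

# Constructed sample: a host on which the script has not taken effect.
SAMPLE_FAIL = """\
4119/tcp open  assuria-slm
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: C
"""

if __name__ == "__main__":
    # Usage: nmap --script ssl-enum-ciphers -p 4119 <host> | python3 check_ciphers.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FAIL
    problems = check_strong_only(text)
    print("PASS" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Pipe each scan into the script (port 4119 for the manager, 4122 for relays, 4118 for agents) and treat any non-zero exit as a host that still needs attention. The check is deliberately strict: an extra suite, a missing suite, or any TLSv1.0/1.1 section fails, because "similar to" the sample output is not the same as "only these suites".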

Disable TLSv1.2 strong cipher suites

If you run the script before all of your agents, relays, and the manager have been upgraded, components that cannot negotiate TLSv1.2 with these cipher suites lose contact with the manager. Revert the change by doing the following:

  1. Open the configuration.properties file in <Manager_root>, and remove the line starting with ciphers. The line looks similar to the following:

    ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  2. Add the following values to the protocols field: TLSv1 and TLSv1.1. Your final property looks similar to this:

    protocols = TLSv1, TLSv1.1, TLSv1.2

  3. Save and close the file.
  4. Open the java.security file in <Manager_root>\jre\lib\security\ (on Linux, <Manager_root>/jre/lib/security/) and remove the following two protocols from jdk.tls.disabledAlgorithms:

    TLSv1, TLSv1.1

  5. On the Deep Security Manager, run the following dsm_c commands:

    dsm_c -action changesetting -name settings.configuration.restrictRelayMinimumTLSProtocol -value TLSv1

    dsm_c -action changesetting -name settings.configuration.enableStrongCiphers -value false

  6. Restart the Deep Security Manager service so that the edited configuration.properties and java.security files are read again (the JVM reads java.security only at startup).

    Your system should now be able to communicate again. If you still need to enable TLSv1.2 strong cipher suites, make sure you have upgraded all components before running the script.
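The revert above edits two files by hand; the following does the same edits programmatically, in either direction. This is an added example in Python, not Trend Micro's EnableStrongCiphers.script, and it rests on assumptions: that configuration.properties and java.security use the layouts shown on this page (Java properties syntax, with java.security's backslash line continuations), and that "enabling" means protocols = TLSv1.2 plus TLSv1 and TLSv1.1 added to jdk.tls.disabledAlgorithms, which is inferred from what the revert undoes rather than read from the real script. The two dsm_c settings are not touched here; run them from the command line exactly as listed above. The file excerpts are constructed.

```python
"""Toggle the manager-side TLS settings named in the revert procedure.
Added example, not the EnableStrongCiphers.script from the ops-tools repo; the
enabling direction is inferred from what the revert undoes (an assumption).
"""
import re
import shutil
import sys
from pathlib import Path

STRONG_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]
LEGACY = ["TLSv1", "TLSv1.1"]
PROTOCOLS_RE = re.compile(r"^(\s*protocols\s*=\s*)(.*)$")
DISABLED_RE = re.compile(r"^\s*jdk\.tls\.disabledAlgorithms\s*=")


def set_configuration_properties(text: str, strong: bool) -> str:
    """strong=True: add the 'ciphers=' line and leave only TLSv1.2 in
    'protocols'; strong=False: drop 'ciphers=' and put TLSv1/TLSv1.1 back."""
    protocols = ["TLSv1.2"] if strong else LEGACY + ["TLSv1.2"]
    out, seen = [], False
    for line in text.splitlines():
        if line.split("=", 1)[0].strip() == "ciphers":
            continue                      # re-added below when strong=True
        m = PROTOCOLS_RE.match(line)
        if m:                             # keep the file's 'protocols = ' spacing
            line, seen = m.group(1) + ", ".join(protocols), True
        out.append(line)
    if not seen:
        out.append("protocols = " + ", ".join(protocols))
    if strong:
        out.append("ciphers=" + ", ".join(STRONG_SUITES))
    return "\n".join(out) + "\n"


def _joined_value(lines: list, start: int) -> tuple:
    """Value of the property at lines[start], following the backslash line
    continuations java.security uses; returns (value, index of last line)."""
    value, i = lines[start].split("=", 1)[1], start
    while value.rstrip().endswith("\\") and i + 1 < len(lines):
        i += 1
        value = value.rstrip()[:-1] + lines[i]
    return value, i


def disabled_algorithms(text: str) -> list:
    """Entries of jdk.tls.disabledAlgorithms, or [] if the key is absent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if DISABLED_RE.match(line):
            value, _ = _joined_value(lines, i)
            return [e.strip() for e in value.split(",") if e.strip()]
    return []


def set_java_security(text: str, strong: bool) -> str:
    """Add (strong=True) or remove (strong=False) TLSv1 and TLSv1.1 in
    jdk.tls.disabledAlgorithms; the property is written back on one line."""
    lines, out, i, found = text.splitlines(), [], 0, False
    while i < len(lines):
        if DISABLED_RE.match(lines[i]):
            value, i = _joined_value(lines, i)
            entries = [e.strip() for e in value.split(",")
                       if e.strip() and e.strip() not in LEGACY]
            out.append("jdk.tls.disabledAlgorithms="
                       + ", ".join(LEGACY + entries if strong else entries))
            found = True
        else:
            out.append(lines[i])
        i += 1
    if not found:
        raise ValueError("jdk.tls.disabledAlgorithms not present in java.security")
    return "\n".join(out) + "\n"


# Constructed excerpts of the two files as they look after the script ran.
SAMPLE_PROPS = ("# constructed excerpt of configuration.properties\n"
                "protocols = TLSv1.2\nciphers=" + ", ".join(STRONG_SUITES) + "\n")
SAMPLE_JAVA_SECURITY = """\
# constructed excerpt of jre/lib/security/java.security
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer
"""

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python3 tls_settings.py <Manager_root> enable|revert
    root, strong = Path(sys.argv[1]), sys.argv[2] == "enable"
    for rel, rewrite in (("configuration.properties", set_configuration_properties),
                         ("jre/lib/security/java.security", set_java_security)):
        path = root / rel
        shutil.copy2(path, str(path) + ".bak")       # keep a copy to roll back
        path.write_text(rewrite(path.read_text(), strong))
    # then run the two dsm_c commands from the page and restart the manager service
```

The java.security handling is the part worth copying: jdk.tls.disabledAlgorithms is normally split over several lines with trailing backslashes, and an entry such as "DH keySize < 1024" contains spaces, so a line-oriented sed that only looks at the first line silently misses TLSv1.1 on the continuation. The function joins the continuation lines, edits the comma-separated list, and writes the property back on one line, which is still valid properties syntax.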

© 2021 Trend Micro Incorporated. All rights reserved.

