How do we protect the AEM HTTPS port against new SSL/TLS security vulnerabilities, for example LOGJAM or SWEET32?
Environment
AEM 6.x
Steps
To protect an AEM HTTPS instance against various SSL vulnerabilities, proceed as follows.
- Log in to your AEM server and add the JVM parameter below to the java command:
    -Djdk.tls.ephemeralDHKeySize=2048
  If you use the out-of-the-box crx-quickstart/bin/start script, add the option above to the CQ_JVM_OPTS variable.
- Restart AEM after adding the JVM option. You can confirm that the JVM option / system property was picked up on this screen: https://aem-host:port/system/console/jmx/java.lang%3Atype%3DRuntime. Search the page and confirm that the jdk.tls.ephemeralDHKeySize property is now set to 2048.
- If HTTPS support is configured, go to https://aem-host:port/crx/de/index.jsp and log in as administrator.
- Navigate to /apps/system/config/org.apache.felix.http.config.
- Edit the configuration file. Replace the four configuration properties listed below with the values provided in [1]. If a property does not exist in your configuration, copy it to the end of the configuration file.
  - org.apache.felix.https.jetty.ciphersuites.excluded
  - org.apache.felix.https.jetty.ciphersuites.included
  - org.apache.felix.https.jetty.protocols.excluded
  - org.apache.felix.https.jetty.protocols.included
  A sample configuration file is provided below [2].
- Click Save All.
- After applying the updated configuration, validate it. Go to https://aem-host:port/system/console/configMgr/org.apache.felix.http.config and check the configuration to make sure the property values have been applied.
- Use a tool such as testssl.sh to verify that the system is no longer vulnerable.
Additional information
It is recommended to configure your systems with optimal security when accessing the AEM instance directly.
[1] Values for the four properties
    org.apache.felix.https.jetty.ciphersuites.excluded=[\
        "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",\
        "SSL_DHE_DSS_WITH_AES_128_CBC_SHA",\
        "SSL_DHE_DSS_WITH_AES_256_CBC_SHA",\
        "SSL_DHE_DSS_WITH_DES_CBC_SHA",\
        "SSL_DHE_DSS_WITH_RC4_128_SHA",\
        "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",\
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",\
        "SSL_DHE_RSA_WITH_AES_128_CBC_SHA",\
        "SSL_DHE_RSA_WITH_AES_256_CBC_SHA",\
        "SSL_DHE_RSA_WITH_DES_CBC_SHA",\
        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",\
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5",\
        "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",\
        "SSL_RSA_FIPS_WITH_DES_EDE_CBC_SHA",\
        "SSL_RSA_WITH_DES_CBC_SHA",\
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",\
        "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",\
        "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",\
        "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
        "PCT_SSL_CIPHER_TYPE_1ST_HALF",\
        "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",\
        "SSL_DH_anon_WITH_RC4_128_MD5",\
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5",\
        "SSL_RSA_WITH_RC4_128_MD5",\
        "SSL_RSA_WITH_RC4_128_SHA",\
        "SSL2_RC4_128_EXPORT40_WITH_MD5",\
        "SSL2_RC4_128_WITH_MD5",\
        "SSL2_RC4_64_WITH_MD5",\
        "TLS_DH_Anon_EXPORT_WITH_RC4_40_MD5",\
        "TLS_DH_Anon_WITH_RC4_128_MD5",\
        "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",\
        "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA256",\
        "TLS_DHE_DSS_WITH_RC4_128_SHA",\
        "TLS_DHE_DSS_WITH_RC4_128_SHA256",\
        "TLS_DHE_PSK_WITH_RC4_128_SHA",\
        "TLS_DHE_PSK_WITH_RC4_128_SHA256",\
        "TLS_ECDH_Anon_WITH_RC4_128_SHA",\
        "TLS_ECDH_Anon_WITH_RC4_128_SHA256",\
        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",\
        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA256",\
        "TLS_ECDH_RSA_WITH_RC4_128_SHA",\
        "TLS_ECDH_RSA_WITH_RC4_128_SHA256",\
        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",\
        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA256",\
        "TLS_ECDHE_PSK_WITH_RC4_128_SHA",\
        "TLS_ECDHE_PSK_WITH_RC4_128_SHA256",\
        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",\
        "TLS_ECDHE_RSA_WITH_RC4_128_SHA256",\
        "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",\
        "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",\
        "TLS_KRB5_EXPORT_WITH_RC4_40_SHA256",\
        "TLS_KRB5_WITH_RC4_128_MD5",\
        "TLS_KRB5_WITH_RC4_128_SHA",\
        "TLS_KRB5_WITH_RC4_128_SHA256",\
        "TLS_PSK_WITH_RC4_128_SHA",\
        "TLS_PSK_WITH_RC4_128_SHA256",\
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",\
        "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5",\
        "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",\
        "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA256",\
        "TLS_RSA_PSK_WITH_RC4_128_SHA",\
        "TLS_RSA_PSK_WITH_RC4_128_SHA256",\
        "TLS_RSA_WITH_RC4_128_MD5",\
        "TLS_RSA_WITH_RC4_128_SHA",\
        "TLS_RSA_WITH_RC4_128_SHA256",\
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
        ".*3DES_EDE_CBC.*"\
        ]
    org.apache.felix.https.jetty.ciphersuites.included=[""]
    org.apache.felix.https.jetty.protocols.excluded=["SSLv3","SSL","SSLv2","SSLv2Hello","TLSv1.0","TLSv1.1"]
    org.apache.felix.https.jetty.protocols.included=["TLSv1.2"]
[2] Sample of /apps/system/config/org.apache.felix.http.config
    # Configuration created by Apache Sling JCR Installer
    org.apache.felix.http.timeout=I"60000"
    org.apache.felix.http.jetty.acceptors=I"-1"
    org.apache.felix.https.clientcertificate="none"
    org.apache.felix.https.jetty.protocols.excluded=["SSLv3","SSL","SSLv2","SSLv2Hello","TLSv1.0","TLSv1.1"]
    org.apache.felix.http.jetty.threadpool.max=I"-1"
    org.osgi.service.http.port=I"4504"
    org.eclipse.jetty.servlet.CheckingRemoteSessionIdEncoding=B"true"
    org.apache.felix.http.enable=B"true"
    org.apache.felix.https.jetty.protocols.included=["TLSv1.2"]
    org.apache.felix.https.keystore="/opt/aem/author62/crx-quickstart/ssl/keystorename.keystore"
    org.apache.felix.https.jetty.ciphersuites.excluded=[\
        "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",\
        "SSL_DHE_DSS_WITH_AES_128_CBC_SHA",\
        "SSL_DHE_DSS_WITH_AES_256_CBC_SHA",\
        "SSL_DHE_DSS_WITH_DES_CBC_SHA",\
        "SSL_DHE_DSS_WITH_RC4_128_SHA",\
        "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",\
        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",\
        "SSL_DHE_RSA_WITH_AES_128_CBC_SHA",\
        "SSL_DHE_RSA_WITH_AES_256_CBC_SHA",\
        "SSL_DHE_RSA_WITH_DES_CBC_SHA",\
        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",\
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5",\
        "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",\
        "SSL_RSA_FIPS_WITH_DES_EDE_CBC_SHA",\
        "SSL_RSA_WITH_DES_CBC_SHA",\
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",\
        "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",\
        "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",\
        "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
        "PCT_SSL_CIPHER_TYPE_1ST_HALF",\
        "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",\
        "SSL_DH_anon_WITH_RC4_128_MD5",\
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5",\
        "SSL_RSA_WITH_RC4_128_MD5",\
        "SSL_RSA_WITH_RC4_128_SHA",\
        "SSL2_RC4_128_EXPORT40_WITH_MD5",\
        "SSL2_RC4_128_WITH_MD5",\
        "SSL2_RC4_64_WITH_MD5",\
        "TLS_DH_Anon_EXPORT_WITH_RC4_40_MD5",\
        "TLS_DH_Anon_WITH_RC4_128_MD5",\
        "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",\
        "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA256",\
        "TLS_DHE_DSS_WITH_RC4_128_SHA",\
        "TLS_DHE_DSS_WITH_RC4_128_SHA256",\
        "TLS_DHE_PSK_WITH_RC4_128_SHA",\
        "TLS_DHE_PSK_WITH_RC4_128_SHA256",\
        "TLS_ECDH_Anon_WITH_RC4_128_SHA",\
        "TLS_ECDH_Anon_WITH_RC4_128_SHA256",\
        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",\
        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA256",\
        "TLS_ECDH_RSA_WITH_RC4_128_SHA",\
        "TLS_ECDH_RSA_WITH_RC4_128_SHA256",\
        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",\
        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA256",\
        "TLS_ECDHE_PSK_WITH_RC4_128_SHA",\
        "TLS_ECDHE_PSK_WITH_RC4_128_SHA256",\
        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",\
        "TLS_ECDHE_RSA_WITH_RC4_128_SHA256",\
        "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",\
        "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",\
        "TLS_KRB5_EXPORT_WITH_RC4_40_SHA256",\
        "TLS_KRB5_WITH_RC4_128_MD5",\
        "TLS_KRB5_WITH_RC4_128_SHA",\
        "TLS_KRB5_WITH_RC4_128_SHA256",\
        "TLS_PSK_WITH_RC4_128_SHA",\
        "TLS_PSK_WITH_RC4_128_SHA256",\
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",\
        "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5",\
        "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",\
        "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA256",\
        "TLS_RSA_PSK_WITH_RC4_128_SHA",\
        "TLS_RSA_PSK_WITH_RC4_128_SHA256",\
        "TLS_RSA_WITH_RC4_128_MD5",\
        "TLS_RSA_WITH_RC4_128_SHA",\
        "TLS_RSA_WITH_RC4_128_SHA256",\
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",\
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",\
        ".*3DES_EDE_CBC.*"\
        ]
    org.apache.felix.http.path_exclusions=["/system"]
    org.apache.felix.http.jetty.selectors=I"-1"
    org.apache.felix.proxy.load.balancer.connection.enable=B"true"
    org.eclipse.jetty.servlet.SessionDomain=""
    org.apache.felix.https.jetty.renegotiateAllowed=B"false"
    org.apache.felix.http.jetty.maxFormSize=I"204800"
    org.apache.felix.http.jetty.sendServerHeader=B"false"
    org.apache.felix.http.jetty.requestBufferSize=I"8192"
    org.apache.felix.https.keystore.password="storepassword"
    org.eclipse.jetty.servlet.SessionIdPathParameterName="jsessionid"
    org.apache.felix.https.jetty.ciphersuites.included=[""]
    org.apache.felix.http.mbeans=B"false"
    org.apache.felix.http.host="0.0.0.0"
    org.eclipse.jetty.servlet.SessionCookie="JSESSIONID"
    org.eclipse.jetty.servlet.SessionPath=""
    org.osgi.service.http.port.secure=I"54333"
    org.apache.felix.https.jetty.session.cookie.httpOnly=B"true"
    org.apache.felix.http.context_path="/"
    org.apache.felix.https.enable=B"true"
    org.apache.felix.https.keystore.key.password="key_password"
    org.apache.felix.http.jetty.headerBufferSize=I"16384"
    org.apache.felix.https.truststore=""
    org.apache.felix.http.session.timeout=I"10"
    org.eclipse.jetty.servlet.MaxAge=I"-1"
    org.apache.felix.https.jetty.session.cookie.secure=B"false"
    org.apache.felix.http.jetty.responseBufferSize=I"24576"
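The article validates the result by inspecting the configMgr page and by running testssl.sh against the live port. As an added, offline complement that is not part of the original article or of AEM, the Python script below parses a .config file in the Apache Sling format shown in sample [2] and checks the four Jetty TLS properties against the policy the steps describe: only TLSv1.2 included, SSLv3/TLSv1.0/TLSv1.1 excluded, and export-grade, RC4, DES and 3DES suites covered by the exclusion list. It assumes, as Jetty's SslContextFactory does, that each excluded cipher-suite entry is a regular expression matched against the whole suite name (which is what makes the page's `.*3DES_EDE_CBC.*` entry work), and it treats `TLSv1` and `TLSv1.0` as the same protocol because JSSE reports TLS 1.0 as `TLSv1`. Both embedded configurations are constructed for this example, and the probe suite list is a short, non-exhaustive selection.

```python
"""Offline policy check for the Jetty TLS settings in an Apache Sling .config file.

Added example, not part of the AEM article or of AEM itself. It parses the format
of sample [2] (key=value, typed scalars such as I"60000" and B"true", arrays in
[...] that may continue over lines ending in a backslash) and reports deviations
from the hardening the article describes.
"""
import re

# Constructed sample modelled on [2]: the hardened state the steps should produce.
HARDENED_CONFIG = r'''
# Configuration created by Apache Sling JCR Installer
org.apache.felix.https.enable=B"true"
org.osgi.service.http.port.secure=I"54333"
org.apache.felix.https.jetty.protocols.excluded=["SSLv3","SSL","SSLv2","SSLv2Hello","TLSv1.0","TLSv1.1"]
org.apache.felix.https.jetty.protocols.included=["TLSv1.2"]
org.apache.felix.https.jetty.ciphersuites.excluded=[\
 "TLS_RSA_WITH_RC4_128_SHA",\
 "SSL_RSA_EXPORT_WITH_RC4_40_MD5",\
 "SSL_RSA_WITH_DES_CBC_SHA",\
 ".*3DES_EDE_CBC.*"\
 ]
org.apache.felix.https.jetty.ciphersuites.included=[""]
'''

# Constructed sample of a config that still accepts legacy protocols and suites.
WEAK_CONFIG = r'''
org.apache.felix.https.enable=B"true"
org.apache.felix.https.jetty.protocols.included=["TLSv1","TLSv1.1","TLSv1.2"]
org.apache.felix.https.jetty.ciphersuites.excluded=["SSL_RSA_EXPORT_WITH_RC4_40_MD5"]
'''

PREFIX = "org.apache.felix.https.jetty."
# JSSE names TLS 1.0 "TLSv1"; the article's lists spell it "TLSv1.0", so accept both.
LEGACY_PROTOCOLS = {"SSL", "SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
MUST_EXCLUDE = {"SSLv3": {"SSLv3"}, "TLSv1.0": {"TLSv1", "TLSv1.0"}, "TLSv1.1": {"TLSv1.1"}}
# Short, non-exhaustive probe list: export-grade, RC4, single-DES and 3DES (SWEET32) suites.
PROBE_SUITES = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_DES_CBC_SHA",
]

_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*=\s*(.*?)\s*$")
_SCALAR = re.compile(r'^[IBLDFCS]?"(.*)"$')   # optional type prefix, then the quoted value
_ARRAY = re.compile(r'^[IBLDFCS]?\[')
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one quoted element inside an array


def parse_sling_config(text):
    """Return {key: str | list[str]} for a Sling .config document."""
    # A trailing backslash continues the logical line, as in sample [2].
    joined = re.sub(r"\\\r?\n", " ", text)
    cfg = {}
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if _ARRAY.match(value):
            cfg[key] = _QUOTED.findall(value)
        else:
            s = _SCALAR.match(value)
            cfg[key] = s.group(1) if s else value
    return cfg


def audit(config_text):
    """Return a list of findings; an empty list means the policy is met."""
    cfg = parse_sling_config(config_text)
    findings = []
    included = set(cfg.get(PREFIX + "protocols.included", []))
    excluded = set(cfg.get(PREFIX + "protocols.excluded", []))
    for proto in sorted(included & LEGACY_PROTOCOLS):
        findings.append(f"protocol {proto} is explicitly included")
    for label, aliases in MUST_EXCLUDE.items():
        if not aliases & excluded:
            findings.append(f"protocol {label} is not excluded")
    # Jetty matches excluded cipher-suite entries as regular expressions (assumed here),
    # so an entry such as .*3DES_EDE_CBC.* covers every 3DES suite at once.
    patterns = [re.compile(p) for p in cfg.get(PREFIX + "ciphersuites.excluded", []) if p]
    for suite in PROBE_SUITES:
        if not any(pat.fullmatch(suite) for pat in patterns):
            findings.append(f"cipher suite {suite} is not excluded")
    return findings


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        result = audit(text)
        print(f"{name}: {'OK' if not result else str(len(result)) + ' finding(s)'}")
        for finding in result:
            print("  -", finding)
```

Point `audit()` at the contents of your own org.apache.felix.http.config file (read it from disk) to get the same report for a real instance; a clean result is a prerequisite for, not a replacement of, the testssl.sh run in the last step, since only the live handshake shows what the JVM actually negotiates.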