topic Re: Can I disable RC4 in favor of a stronger Cipher in ArcGIS Enterprise Questions

Can I disable RC4 in favor of a stronger Cipher

JustinCox — Wed, 03 Feb 2016 04:59:43 GMT

I'm deploying ArcGIS for Server 10.3.1 in a secure Enterprise environment. A recent scan showed we had the RC4 cipher enabled, and being used on Port 6443. We use the Web Adaptor, and the firewall blocks all in/out 6443 traffic, but my life would become substantially easier from a documentation and risk acceptance standpoint if I could configure the server to use TLS with 3DES or another stronger cipher. Is it possible to configure this somewhere in the ArcGIS settings?

I tried flat-out disabling RC4 before, and it broke the server. I began to get SCHANNEL errors saying I didn't have a cipher available to establish the connection.

Re: Can I disable RC4 in favor of a stronger Cipher

ThomasColson — Thu, 04 Feb 2016 13:36:23 GMT

This can be accomplished with registry settings, but I prefer a tool "IISCrypto" which give you a nice GUI to not only turn protocols on or off, but specify the order of the ciphers as well. Is your certificate using SHA-2?

Re: Can I disable RC4 in favor of a stronger Cipher

RandallWilliams — Fri, 05 Feb 2016 22:41:20 GMT

At 10.4 in the security configuration page in the admin API you can specify the HTTPS protocols and ciphers you'd like to support.

Re: Can I disable RC4 in favor of a stronger Cipher

JoelBennett — Mon, 25 Jul 2016 17:48:43 GMT

We too have this same issue with 10.3.1. We will be bypassing 10.4 for 10.5 later this year, and I do not see how changing registry settings or playing with third party software for IIS will fix this problem since it's coming from ArcGIS Server's web server Tomcat. Instead, the fix I found was to modify the configuration for the Tomcat server. Refer also to HOW TO -- Disable weak ciphers in Tomcat 7 & 8 - Powered by Kayako Help Desk Software for more information on the parameters mentioned below.

Here are my instructions for Windows:

1) Make a backup copy of <ArcGIS_Server_Install_Directory>\framework\runtime\tomcat\conf\server.xml

2) Run Notepad as Administrator

3) Open <ArcGIS_Server_Install_Directory>\framework\runtime\tomcat\conf\server.xml

4) Near the bottom of the file, look for the line that starts with <Connector...

5) At the end of the line, between the last quotation mark and the slash, add a space, and then add the following text (you can see it's very long and will cause the lines to wrap, but that's ok):

ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"

6) Save the file and restart ArcGIS Server