14.1 Restoring Previous Security Settings for Administration Console

14.1.1 Restoring the Previous Protocols Settings

  1. Download backup files from the /root/nambkup/ac <time stamp of upgrade> folder.

    For information about how to download backup files, see Downloading Files from a Server in the NetIQ Access Manager 5.0 Administration Guide.

  2. Open the backup server.xml file from the backup folder. In the Connector elements that have NIDP_Name="devman" and NIDP_Name="connector", search for the sslProtocol attribute and copy the attribute values.

  3. Open Administration Console’s new server.xml.

    For information about how to open and modify a file, see Modifying Configurations in the NetIQ Access Manager 5.0 Administration Guide.

  4. Search for the sslProtocol attribute in the Connector elements that have NIDP_Name="devman" and NIDP_Name="connector". You will see the following value:

    sslProtocol="TLSv1.2" sslEnabledProtocols="SSLv2Hello,TLSv1.1,TLSv1.2"

  5. Replace this attribute value with the previous value that you copied in step 2.

14.1.2 Restoring the Previous Settings of Ciphers for SSL Communication

  1. Download backup files from the /root/nambkup/ac <time stamp of upgrade> folder.

    For information about how to download backup files, see Downloading Files from a Server in the NetIQ Access Manager 5.0 Administration Guide.

  2. Open the backup server.xml file from the backup folder. In the Connector elements that have NIDP_Name="devman" and NIDP_Name="connector", search for the cipher attribute and copy the list of ciphers.

  3. Open the new server.xml of Administration Console.

    For information about how to open and modify a file, see Modifying Configurations in the NetIQ Access Manager 5.0 Administration Guide.

  4. Search for the cipher attribute in the Connector elements that have NIDP_Name="devman" and NIDP_Name="connector".

  5. Replace this list of ciphers with the list copied in step 2.

14.1.3 Disabling Perfect Forward Secrecy

  1. Download backup files from the /root/nambkup/ac <time stamp of upgrade> folder.

    For information about how to download backup files, see Downloading Files from a Server in the NetIQ Access Manager 5.0 Administration Guide.

  2. Open the backup server.xml file from the backup folder. In the Connector elements that have NIDP_Name="devman" and NIDP_Name="connector", search for the cipher attribute and copy the list of ciphers.

  3. Open the new server.xml file of Administration Console.

    For information about how to open and modify a file, see Modifying Configurations in the NetIQ Access Manager 5.0 Administration Guide.

  4. Search for the cipher attribute in the Connector elements that have NIDP_Name="devman" and NIDP_Name="connector".

  5. Replace the list of ciphers with the value you copied in step 2.

  6. Remove the useServerCipherSuitesOrder attribute.
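
An added example, not part of the NetIQ documentation: before replacing values as described in 14.1.1 through 14.1.3, this script lists which TLS attributes differ between the backup and the new server.xml for the devman and connector Connector entries, so the effect of the restore is visible first. The two sample files are constructed, and the attribute name ciphers (Tomcat's Connector attribute) is assumed to be what the steps call the cipher attribute.

```python
import xml.etree.ElementTree as ET

# Attributes touched in 14.1.1 to 14.1.3. "ciphers" is Tomcat's Connector
# attribute for the cipher list (assumed to be the one the steps refer to).
ATTRS = ("sslProtocol", "sslEnabledProtocols", "ciphers",
         "useServerCipherSuitesOrder")
CONNECTORS = ("devman", "connector")

def _norm(value):
    """Strip whitespace around comma-separated items; keep order (it matters)."""
    return None if value is None else ",".join(p.strip() for p in value.split(","))

def connector_settings(server_xml):
    """Map NIDP_Name -> {attribute: value} for the two connectors of interest."""
    found = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        name = conn.get("NIDP_Name")
        if name in CONNECTORS:
            found[name] = {a: _norm(conn.get(a)) for a in ATTRS}
    return found

def diff_settings(backup_xml, new_xml):
    """List (connector, attribute, backup value, new value) where they differ."""
    old, new = connector_settings(backup_xml), connector_settings(new_xml)
    missing = [n for n in CONNECTORS if n not in old or n not in new]
    if missing:
        raise ValueError("connector(s) missing from a file: %s" % missing)
    return [(n, a, old[n][a], new[n][a])
            for n in CONNECTORS for a in ATTRS if old[n][a] != new[n][a]]

# Constructed sample files (not real Access Manager configuration).
BACKUP = """<Server><Service>
  <Connector NIDP_Name="devman" port="8443" sslProtocol="TLS"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  <Connector NIDP_Name="connector" port="1443" sslProtocol="TLS"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""
NEW = """<Server><Service>
  <Connector NIDP_Name="devman" port="8443" sslProtocol="TLSv1.2"
             sslEnabledProtocols="SSLv2Hello,TLSv1.1,TLSv1.2"
             useServerCipherSuitesOrder="true"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  <Connector NIDP_Name="connector" port="1443" sslProtocol="TLSv1.2"
             sslEnabledProtocols="SSLv2Hello,TLSv1.1,TLSv1.2"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, attr, before, after in diff_settings(BACKUP, NEW):
        print("%-9s %-26s backup=%r new=%r" % (name, attr, before, after))
```

Running the same comparison again after editing should return an empty list for every attribute you restored.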

14.1.4 Restoring the Previous Size of EDH Keys

  1. Open the tomcat8.conf (tomcat.conf) file.

  2. Remove the following line:

    JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.ephemeralDHKeySize=2048"

For information about how to modify a file, see Modifying Configurations in the NetIQ Access Manager 5.0 Administration Guide.

14.1.5 Removing HTTP Strict Transport Security

  1. Open the Administration Console web.xml file and comment out the httpHeaderSecurity filter definition.

    <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    </filter>

  2. Comment out the following parameter that sets up an appropriate maximum age value:

    <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
    </init-param>

  3. Comment out the filter mapping.

    <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

For information about how to modify a file, see Modifying Configurations in the NetIQ Access Manager 5.0 Administration Guide.