Advanced: Incoming SSL Configuration

For incoming SSL/TLS connections, Ivanti EPMM supports:

  • TLS protocol version TLS v1.2 (TLS v1.0 and TLS v1.1 are not supported)
  • a default set of disabled and selected cipher suites.

Use the Security > Advanced > Incoming SSL Configuration options to configure the cipher suites to use for incoming SSL/TLS connections to Ivanti EPMM. These incoming connections include connections initiated to Ivanti EPMM from:

  • devices
  • browsers (to the Admin Portal or System Manager)
  • external servers

Use this feature to also:

  • configure Ivanti EPMM to be PCI-DSS 3.1 compliant.
  • change the cipher suites for incoming SSL/TLS connections if you have specific security or performance requirements.

Important Do not change the cipher suites unless you have specific security or performance requirements. Most customers do not need to take any actions.

This section includes the following topics:

Protocols and cipher suites on Ivanti EPMM first-time installation

On first-time installation, Ivanti EPMM supports:

  • Protocol version TLSv1.2
  • Default and selected cipher suites as displayed in the System Manager at Security > Advanced > Incoming SSL Configuration.

Do not change the cipher suites until you have determined the cipher suites required for incoming connections to Ivanti EPMM.

Protocol versions for incoming connections on upgrade

When you upgrade to this Ivanti EPMM version, the selected and disabled protocol versions are as follows, regardless what they were set to before the upgrade:

  • Selected: TLSv1.2
  • Disabled: None

TLS v1.2 is the only supported protocol and cannot be moved to the disabled list.

Cipher suites for incoming connections on upgrade

When upgrading to Ivanti EPMM, Ivanti EPMM uses the disabled and selected sets of cipher suites that you used in the Ivanti EPMM from which you upgraded. The exception to this rule is when an Ivanti EPMM release removes cipher suites. In that case, the removed cipher suites are no longer available to select after upgrade.

Note that Ivanti EPMM has a default set of selected and disabled cipher suites. Ivanti EPMM uses these default sets after upgrades only if you use the Reset to Default button. The default sets have changed in various Ivanti EPMM releases. Therefore, if your upgrade path took you through a release that changed the default sets, use the Reset to Default button only with caution as described in Changing to the default set of cipher suites for incoming connections.

The default sets changed in:

  • Ivanti EPMM 10.2.0.0
  • Ivanti EPMM 10.3.0.0
  • Ivanti EPMM 11.4.0.0

Protocol version negotiation for incoming SSL/TLS connections

Because Ivanti EPMM supports only TLSv1.2, incoming SSL/TLS connections fail if they are from a server that does not support TLSv1.2.

Verify server requirements for incoming SSL/TLS connections

Before changing cipher suites used for incoming connections to Ivanti EPMM, verify the requirements of external servers that make connection requests to Ivanti EPMM. The System Manager screen at Security > Advanced > Incoming SSL Configuration indicates which cipher suites are disabled and selected.

The Disabled and Selected sections are described below:

Table 31.   Disabled and Selected lists

Fields

Description

Disabled

The protocol or cipher suite is available in Ivanti EPMM, but it is disabled. Therefore, Ivanti EPMM will not use it in any incoming connections.

Putting protocols and cipher suites in the Disabled Column disables them when the configuration is saved.

TLS v1.2 is the only supported protocol and cannot be moved to the disabled list.

Selected

Ivanti EPMM can use the protocol or cipher suite in an incoming connection.

Putting protocols and cipher suites in the Selected Column enables them when the configuration is saved.

Configuring incoming SSL/TLS connections

Ivanti recommends that you use the default cipher suites for incoming SSL/TLS connections. Most customers do not need to change them. However, if you have specific security or performance requirements, you can change the defaults. Before changing the cipher suites used in incoming SSL/TLS connections, understand the requirements of external servers that make connection requests to Ivanti EPMM.

Prerequisites for configuring incoming SSL/TLS connections

The following conditions must be met to configure incoming SSL/TLS connections:

  • Configure incoming SSL/TLS connections only from the primary Ivanti EPMM for HA configurations. Configuring incoming SSL/TLS connections from the second or third instance of Ivanti EPMM is not supported since the Tomcat service will not be running in the second and third Ivanti EPMM.
  • The administrator (local user) configuring the incoming SSL/TLS connections in the System Manager must also be an administrator (local user) in the Admin Portal.

Configuring the cipher suites for incoming SSL/TLS connections

You can configure the cipher suites for incoming SSL/TLS connections.

You cannot disable the protocol TLSv1.2. If you move it to the Disabled list and click Apply, Ivanti EPMM displays an error message. Move TLSv1.2 back to the Selected list before re-clicking Apply.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Advanced > Incoming SSL Configuration.
  3. Go to the Cipher Suites section.
  4. Click and drag, or select and move using the arrows, cipher suites between the Disabled and Selected lists to select the cipher suites to use for incoming SSL/TLS connections.
  5. List the cipher suites in order, from highest preference to lowest by dragging each cipher suite up or down in the Selected list.

    Ivanti EPMM uses the listed order in determining which, of the supported cipher suites, to use. Therefore, Ivanti suggests you list the strongest cipher suites first.

  6. Click Apply > OK.

    Ivanti EPMM Tomcat service, which supports web requests to and from Ivanti EPMM, restarts automatically.

Changing to the default set of cipher suites for incoming connections

When you upgrade Ivanti EPMM, the set of incoming SSL/TLS protocols and cipher suites are the ones described in Advanced: Incoming SSL Configuration.

You can change your cipher suite set to a set of your choice. You can also change to the default Ivanti EPMM set using the Reset to Default on the System Manager’s Security > Advanced > Incoming SSL Configuration screen.

Most customers do not need to make any changes. However, you can change Ivanti EPMM to use the Ivanti EPMM default set of cipher suites if you have specific security requirements.

Do not click Reset to Default unless:

  • You have specific security or performance requirements to use the Ivanti EPMM set of cipher suites. Most customers do not need to take any action.
  • You have identified the cipher suites required for your external servers, and have confirmed that they are included in the default set of cipher suites.

For example, after an upgrade, an external server that depends on a legacy cipher suite that is not in the default set of cipher suites can connect to Ivanti EPMM. However, after you click Reset to Default, that server will not be able to connect to Ivanti EPMM.

Procedure 

To change the configuration to the Ivanti EPMM default set of cipher suites:

  1. Log into System Manager.
  2. Go to Security > Advanced > Incoming SSL Configuration.
  3. Click Reset to Default.
  4. Click Apply > OK.

    Ivanti EPMM Tomcat service, which supports web requests to and from Ivanti EPMM, restarts automatically.