Recently, I went through an exercise of tweaking ciphers for a few components in Workspace ONE. I realized that VMware hasn’t done a great job documenting how to tweak SSL settings for some of their services. Today, we will cover how to address SSL security for 3 services: Unified Access Gateway, Workspace ONE Access Connectors, and WS1 Tunnel. I’ve covered how to handle it for the SEG previously, but let’s enjoy covering these other crucial products.

How do you SSL Harden Windows Servers?

So let’s take a few minutes to quickly discuss how SSL security works on a Windows server. Basically, you use GPO or Registry Keys to disable SSL protocols or weak ciphers. Without getting too crazy (and I will show you some code below), I typically tell people to use this great application IIS Crypto which is a nice little GUI tool that will set your ciphers, protocols, etc. and reboot.

You can leverage a PowerShell script like the one here to disable these weak ciphers also. An example of some of that code is below:

# Add and Disable TLS 1.1 for client and server SCHANNEL communications
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.1 has been disabled.'

# Disable insecure/weak ciphers.
$insecureCiphers = @(
  'DES 56/56',
  'NULL',
  'RC2 128/128',
  'RC2 40/128',
  'RC2 56/128',
  'RC4 40/128',
  'RC4 56/128',
  'RC4 64/128',
  'RC4 128/128',
  'Triple DES 168'
)
Foreach ($insecureCipher in $insecureCiphers) {
  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)
  $key.SetValue('Enabled', 0, 'DWord')
  $key.close()
  Write-Host "Weak cipher $insecureCipher has been disabled."
}

So is Window Server security just that easy?

I would love to say that it is just that simple, but our friend Java enters the picture. Java has been haunting our lives since the days of BlackBerry and it hasn’t changed much still. Most of the Workspace ONE components are also leveraging Java. We will need to dig deep into the annals. You will be entering into the Java Installation Path\lib\security to find the Java.security file to tweak all of the things that make SSL go. We will cover that more in the next section.

If you’re curious, the idea is that Java runs as a service on your server. The Java service spins up and your application executes some run-time stuff to build a service on that listening port so when someone hits your server on that specific port it is interfacing with that service. Most times it will be a combination of Java and Tomcat or Jetty to deliver the technology.

That essentially means that it doesn’t care what your server’s settings are. So we will need to address things at the Java-level to tighten up our SSL security.

Enhancing the Security of your WS1 Access Connectors

The new Workspace ONE Access Connectors have simplified SSL security by eliminating that disgusting 8443 CFG page, but we still need to worry about the Kerberos Auth page.

As you will see in the video below, we can tighten up the security on your Access Connector by modifying the Java.security file. Let’s cover some of the code below you should modify in the Java Path: C:\Program Files\Workspace ONE Access\OpenJDK\lib\security\java.security:

Search for jdk.tls.disabledAlgorithms, add a ## in front of it to preserve it for later and paste this below:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ 
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, CBC, RSA keySize < 2048,  \ 
    include jdk.disabled.namedCurves 

Search for jdk.disabled.namedCurves and update it with the list below:
jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \ 
    secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \ 
    secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \ 
    sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \ 
    sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \ 
    sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, secp256r1, secp384r1, secp521r1, \ 
    X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \ 
    X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \ 
    X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \ 
    brainpoolP320r1, brainpoolP384r1, brainpoolP512r1 

Now that we covered that, let’s check out the video below mentioned earlier:

Modifying SSL Security for the Unified Access Gateway

Now, we shift focus to the Unified Access Gateway. In full disclosure, be very careful here. Especially, make sure you take a snapshot of your UAG before proceeding. It can be a little bit tricky. You can modify the ciphers in one of two ways. My preferred way is with a nice REST API script. First lets create our ciphers.json file:

{
"cipherSuites": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "ssl30Enabled": "false",
  "tls10Enabled": "false",
  "tls11Enabled": "false",
  "tls12Enabled": "true"
}

You will save that to ciphers.json and then execute this easy script via cURL (this was done on a Mac, but can be done anywhere):

curl -k -d @- -u 'admin' -H "Content-Type: application/json" -X PUT https://syn-uag01.synterex.com:9443/rest/v1/config/system < ~/ciphers.json

For those of the feint at heart, feel free to just do it the old fashion way in the GUI:

Enhancing SSL Security for the Workspace ONE Per-App VPN Tunnel

The last component we will cover is the WS1 Per-App VPN Tunnel. This one is pretty easy because you can modify the ciphers in the UEM gui and they will push down like its no big deal. VMware has a nice article on that here.

Basically, you will customize a nice KVP (Key-Value Pair) to specify what ciphers you want to support on your tunnel:

Key: openssl_cipher_list Value: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

In my example, I ratcheted it back to just AES256 ciphers. You simply edit your tunnel config, add the values, save, and then restart your Tunnel service on your UAG. Feel free to watch this short and sweet video below:

Testing your SSL Changes

You can test your changes pretty easily. The code can be seen below:

##Testing an Newly-Disabled Cipher##
Openssl s_client -connect servername:port -cipher ECDHE-RSA-AES256-SHA384

##Testing a Good Cipher##
Openssl s_client -connect servername:port -cipher ECDHE-RSA-AES256-GCM-SHA384

This is what you will see on the bad cipher:

This is what you will see on the good cipher:

Final Thoughts

This is certainly one of my shortest articles clocking in at around 950 words before this closing section. There is no need to get all wordy and silly about this. Ciphers and Algorithms are a constant chess match. New ciphers come out, old ones go away and we need to keep up. Security is so iterative and attacks become smarter every day. The only thing we can do is try to keep up. With the complexity within Workspace ONE, we can do things very elegantly with just a little bit of help and awareness of how it works.