When installing ControlSuite, there is a requirement to install at least one Security Framework Server (SFS). The SFS makes it possible for ControlSuite services to securely find, communicate, and share data with each other. For more details on SFS, please see this link.
The Cassandra database and its ciphers:
Security Framework runs on a Distributed Database (DDB), which is an Apache Cassandra instance. At present this DDB requires the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite to be enabled on the server when installing and using ControlSuite. Some customers have deemed this cipher suite insecure: its RSA key exchange provides no forward secrecy, and CBC mode with HMAC-SHA1 is classed as weak by current TLS hardening guidance, so it is often disabled by policy. There is now a method to configure ControlSuite not to use this cipher suite. At present this is a workaround for environments where the cipher suite cannot be enabled; the underlying issue is planned to be resolved in a later version of ControlSuite.
If the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite is enabled and you wish to disable it after ControlSuite has been installed and configured (Method 1)
With this method, installation and configuration of ControlSuite proceed without issues; the goal is to stop ControlSuite using the cipher suite in its day-to-day operation, and only then disable it on the server.
1. In IIS Manager, stop the Security Framework Service application pool.
2. Stop the Kofax DDB Cassandra Service.
3. Using a text editor, open the “Cassandra.yaml” file found in “%programfiles%\Kofax\Shared Services\Cassandra\conf”, comment out both cipher suite lines (in a standard cassandra.yaml these are the cipher_suites entries under server_encryption_options and client_encryption_options) and save. With these entries commented out, Cassandra uses its default cipher suite list instead of the pinned one, which is what allows a different suite to be negotiated once TLS_RSA_WITH_AES_256_CBC_SHA is disabled on the server.
4. Start the Kofax DDB Cassandra Service.
5. Start the Security Framework Service application pool.
6. Run Configuration Assistant.
7. Navigate to the “Authorization & Security” section and log on to the Security Framework with admin credentials.
8. Go to the “CS Enrollment” section and un-enroll and then re-enroll ALL services.
9. Only once re-enrollment has succeeded, disable the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite on the server.
If the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite is not enabled: installing ControlSuite without it (Method 2)
The first challenge is to install ControlSuite without this cipher suite. By default, the “Installation Assistant” will not proceed beyond the “Prerequisite” check stage if this cipher suite is not enabled, so that check must be disabled.
1. Navigate to the extracted Installation Assistant folder structure.
2. Using a text editor, open the “ControlSuite.prerequisites.json” file in the “Configure” folder.
3. Before making any changes, save a backup copy of this file.
4. Remove the section that defines the cipher suite check (shown in the screenshot) and save.
5. Run the Installation Assistant; the prerequisite stage no longer checks for this cipher suite.
6. The SFS element of ControlSuite now installs successfully.
Configure ControlSuite without the cipher suite enabled
By default, if this cipher suite is not enabled, the Cassandra setup step fails during the “Configuration Assistant” stage, so the following reconfiguration is needed for the configuration to complete.
1. On the “Authorization and Security” section of the “Configuration Assistant”, enter the details as normal and configure your datacenter.
2. Click “Apply”. The “Initializing Security Framework” stages start to complete until the process hangs on “Setup Cassandra”; it will remain at this stage.
3. While leaving that process running in the background, navigate to “%programfiles%\Kofax\Shared Services\Cassandra\conf” and create a backup of the “Cassandra.yaml” file. Ignore the “Cassandra.yaml.original” file; it is not needed for this KB.
4. Using a text editor, open “Cassandra.yaml”, comment out both cipher suite lines (the cipher_suites entries, as in Method 1) and save.
5. Restart the “Kofax DDB Cassandra Service”.
6. Return to the still-running “Setup Cassandra” task in the “Configuration Assistant”; within moments the entire “Initializing Security Framework” section should complete successfully.
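The Cassandra.yaml edit is the same in Method 1 and Method 2. The PowerShell below is an added example, not Kofax's own tooling: it takes a timestamped backup, comments out every active cipher_suites entry in the file (including a multi-line YAML list, so no half-commented entry is left behind), wraps that edit in the Method 1 service stop/start sequence, and shows the final OS-level disable and a check that it took effect. The application pool name “Security Framework Service”, the service display name “Kofax DDB Cassandra Service”, and the reading of “both cipher suite lines” as the two cipher_suites entries of a standard cassandra.yaml are assumptions; verify them against your host before running it.

```powershell
# Added example (not Kofax's own tooling) for the cipher_suites edit used by both
# methods in this KB. Assumptions, not stated in the article:
#   - the IIS application pool is named exactly "Security Framework Service";
#   - "Kofax DDB Cassandra Service" is the Windows service's display name;
#   - "both cipher suite lines" are the cipher_suites entries under
#     server_encryption_options and client_encryption_options.
# Run from an elevated PowerShell prompt on the SFS host.

$ErrorActionPreference = 'Stop'
$yamlPath = Join-Path $env:ProgramFiles 'Kofax\Shared Services\Cassandra\conf\cassandra.yaml'
$appPool  = 'Security Framework Service'      # assumption
$svcName  = 'Kofax DDB Cassandra Service'     # assumption (display name)

# Backs up cassandra.yaml, then comments out every active cipher_suites entry.
# Handles the inline form  (cipher_suites: [A, B])  and the block-list form
# (cipher_suites:  followed by "- A" lines) so the YAML stays well-formed.
function Disable-CassandraCipherSuites {
    param([Parameter(Mandatory)][string]$Path)

    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $Path -Destination $backup

    $out     = New-Object System.Collections.Generic.List[string]
    $changed = 0
    $inList  = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*cipher_suites\s*:\s*(.*)$') {
            $out.Add("# $line"); $changed++
            # A block list follows only when the key has no inline value.
            $inList = ($Matches[1].Trim() -eq '')
        }
        elseif ($inList -and $line -match '^\s*-\s') {
            $out.Add("# $line")
        }
        else {
            $inList = $false
            $out.Add($line)
        }
    }
    if ($changed -eq 0) { throw "No active cipher_suites entry found in $Path (already done?)" }
    # ASCII avoids writing a BOM in front of the YAML.
    Set-Content -LiteralPath $Path -Value $out.ToArray() -Encoding ASCII
    Write-Host "Commented out $changed cipher_suites entries in $Path; backup at $backup"
}

# Method 1: stop SFS and Cassandra, edit the file, bring both back up.
Import-Module WebAdministration
Stop-WebAppPool -Name $appPool
Get-Service -DisplayName $svcName | Stop-Service
Disable-CassandraCipherSuites -Path $yamlPath
Get-Service -DisplayName $svcName | Start-Service
Start-WebAppPool -Name $appPool

# Next, un-enroll and re-enroll ALL services in Configuration Assistant by hand.
# Only after that succeeds, disable the suite on the host. Disable-TlsCipherSuite is
# the built-in TLS module cmdlet (Windows Server 2016 and later); older hosts use the
# "SSL Cipher Suite Order" group policy instead. Uncomment once re-enrollment is done:
# Disable-TlsCipherSuite -Name 'TLS_RSA_WITH_AES_256_CBC_SHA'
# Get-TlsCipherSuite -Name 'TLS_RSA_WITH_AES_256_CBC_SHA'   # expect no output afterwards
```

For Method 2, where the Configuration Assistant is hung on “Setup Cassandra”, skip the application pool commands and run only `Disable-CassandraCipherSuites -Path $yamlPath` followed by `Get-Service -DisplayName $svcName | Restart-Service`. If the function throws because no active cipher_suites entry was found, the file has already been edited; compare it with the backup or with Cassandra.yaml.original before continuing.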