Product:
Planning Analytics 2.0.9.19
Microsoft Windows 2016 server
Issue:
The security scan reports that port 12345 is not secure. The cause is the ssl-cve-2016-2183-sweet32 issue.
Possible solution:
Try limiting the ciphers that TM1 can use internally for communications.
Log in to the PAL (Planning Analytics) server as admin.
Stop the TM1 Admin service and all the other TM1 instance services.
Open Cognos Configuration for TM1.
Add the following to Supported ciphersuites:
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Then open the TM1S.CFG file for each instance and add the following at the end of the file:
tlsCipherList=TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Save the file.
Start the TM1 Admin service first, and then the other TM1 instances one by one.
Check that you can log in.
Wait and see whether the security scan reports one problem fewer.
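One way to confirm the edit landed in every instance before the next scan, as an added example that is not part of the original post or IBM's tooling: it reads each tm1s.cfg and flags a missing tlsCipherList, any suite using a 64-bit block cipher (the class Sweet32 concerns), and any suite outside the list above. The function name, the sample content and the D:\TM1\instances root are assumptions.

```powershell
# Allow-list copied from the tlsCipherList value shown on this page.
$Approved = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
)

# Hypothetical helper: classify the tlsCipherList setting found in one tm1s.cfg.
function Test-Tm1CipherList {
    param([string[]]$CfgLines)
    # Assumption: settings are key=value lines; a commented-out line does not start with the key.
    $line = $CfgLines | Where-Object { $_ -match '^\s*tlsCipherList\s*=' } | Select-Object -Last 1
    if (-not $line) {
        # No explicit cipher list in this file.
        return [pscustomobject]@{ Status = 'MISSING'; Weak = @(); Unlisted = @() }
    }
    # Split the value on commas and trim the stray spaces seen in pasted lists.
    $suites = @((($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # Sweet32 concerns 64-bit block ciphers; these name fragments cover 3DES, DES, IDEA and RC2.
    $weak = @($suites | Where-Object { $_ -match '3DES|_DES|IDEA|RC2' })
    $unlisted = @($suites | Where-Object { $Approved -notcontains $_ })
    $status = if ($weak.Count) { 'SWEET32' } elseif ($unlisted.Count) { 'REVIEW' } else { 'OK' }
    [pscustomobject]@{ Status = $status; Weak = $weak; Unlisted = $unlisted }
}

# Constructed sample tm1s.cfg content (not from a real server).
$sample = @(
    '[TM1S]',
    'ServerName=Demo',
    'tlsCipherList=TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)
Test-Tm1CipherList -CfgLines $sample | Format-List

# On the server: audit every instance. The root folder is a placeholder.
$root = 'D:\TM1\instances'
if (Test-Path -Path $root) {
    Get-ChildItem -Path $root -Recurse -Filter 'tm1s.cfg' | ForEach-Object {
        $r = Test-Tm1CipherList -CfgLines (Get-Content -Path $_.FullName)
        '{0}: {1}' -f $_.FullName, $r.Status
    }
}
```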
More Information:
https://www.rapid7.com/db/vulnerabilities/ssl-cve-2016-2183-sweet32/
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
https://www.ibm.com/docs/en/planning-analytics/2.0.0?topic=pitf-tlscipherlist