Solved

Changing the cipher used to generate client private keys for client certificates

  • 15 March 2022


Hi All,

We are planning to change the cipher used to generate client private keys for client certificates to AES256-CBC, but the documentation says the Category is ‘CommServDB.GxGlobalParam’ for the key, and the Additional settings doco (and the autofill when trying to add it) says it is ‘Session’.

Does someone know which one it is?

https://documentation.commvault.com/commvault/v11_sp20/article?p=136093.htm

https://documentation.commvault.com/additionalsetting/details?name=%22sPriKeyEncCipher%22&id=7965

Thanks


Best answer by Stuart Painter 15 March 2022, 08:15


3 replies


Hi @Gergely (Sydney) 

Thanks for raising this query. I have raised this with Development and had some confirmations on correct values and where to apply.

The Additional Setting link sPriKeyEncCipher is correct; this needs to be placed under the Session category.

Please note, you will need to add this setting to the Commserve and each client that is required to use the specified cipher.

On each client's next certificate refresh, the new cipher will be used.

I will request that Documentation is updated to show the correct values.

Thanks,

Stuart


Hi @Gergely (Sydney) 

On checking this further, the FR26 documentation lists the correct values, so this might just be an issue on earlier versions, but I’ll follow up with the Documentation team to get those cleaned up:


FR26 - Changing the Ciphers Used to Generate Client Private Keys

Property: Value
Setting Name: sPriKeyEncCipher
Category: Session
Type: STRING
Values:

  • 3des (uses Triple DES in CBC mode, also known as 3DES CBC)
  • aes128 (uses 128-bit Advanced Encryption Standard in CBC mode, also known as AES 128 CBC)
  • aes256 (uses 256-bit Advanced Encryption Standard in CBC mode, also known as AES 256 CBC)

Thanks,

Stuart
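
Added example (not part of the thread and not Commvault code): an audit over an inventory of additional settings that checks sPriKeyEncCipher is under the Session category, holds one of the documented values, and is present on the CommServe and every client. The CSV layout, the host names and the exact-match comparison are assumptions; the sample rows are constructed.

```python
import csv
import io

SETTING = "sPriKeyEncCipher"
CATEGORY = "Session"
DOCUMENTED_VALUES = {"3des", "aes128", "aes256"}  # values listed in the FR26 table

# Constructed sample inventory; the column layout is hypothetical.
SAMPLE = """host,category,name,value
commserve01,Session,sPriKeyEncCipher,aes256
client-a,Session,sPriKeyEncCipher,aes256
client-b,CommServDB.GxGlobalParam,sPriKeyEncCipher,aes256
client-c,Session,sPriKeyEncCipher,AES256-CBC
client-d,Session,sPriKeyEncCipher,3des
"""


def audit(inventory_csv, expected_hosts, wanted="aes256"):
    """Return {host: finding} for every host not configured for `wanted`."""
    by_host = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["name"].strip() == SETTING:
            by_host.setdefault(row["host"].strip(), []).append(row)

    findings = {}
    for host in expected_hosts:
        entries = by_host.get(host, [])
        in_session = [r for r in entries if r["category"].strip() == CATEGORY]
        if not entries:
            # The setting has to exist on the CommServe and on each client.
            findings[host] = "setting missing"
        elif not in_session:
            findings[host] = "wrong category: " + entries[0]["category"].strip()
        else:
            value = in_session[0]["value"].strip()
            if value not in DOCUMENTED_VALUES:
                findings[host] = "invalid value: " + value
            elif value != wanted:
                findings[host] = "cipher is %s, wanted %s" % (value, wanted)
    return findings


if __name__ == "__main__":
    hosts = ["commserve01", "client-a", "client-b", "client-c", "client-d", "client-e"]
    for host, finding in audit(SAMPLE, hosts).items():
        print(host + ": " + finding)
```
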


Thanks, it seems it was recently updated, FR24 as well; I didn’t check the other versions.

Now it has the “Before you begin” section added, so we need to add the nForceSHA256 additional setting as well?