Symantec Privileged Access Management

  • 1.  Does PAM 3.1.1 support Diffie-Hellman parameter 2048 or more?

    Posted Mar 02, 2018 04:53 AM

    Hi there,

    A client using SAM/PIM 12.92 is having non-compliance troubles with Diffie-Hellman key length:

    The server's Diffie-Hellman parameter is too small.
    Non-compliant with NIST, HIPAA and PCI DSS

     

    We've tried to change JBoss and Tomcat configuration.

    These changes increased the security ranking, but made the server unavailable.

     

    Is this issue solvable by moving to PAM 3.1.1?

     

    Thanks for helping me.

     

    Regards,

    Alessia



  • 2.  Re: Does PAM 3.1.1 support Diffie-Hellman parameter 2048 or more?
    Best Answer

    Broadcom Employee
    Posted Mar 02, 2018 11:00 AM

    Hello Alessia,

     

    PAM 3.1.1 has an upper limit of 2048 inclusive. So, I believe the answer is yes, it can do exactly 2048, but not higher.

     

    Here is our documented Known Issue that describes what we support:

    "Java only supports Diffie Hellman (DH) Key Agreement for key sizes that are multiples of 64 and in the range from 512 to 2048 (inclusive)."

     

    Known Issues - CA Privileged Access Manager - 3.1.1 - CA Technologies Documentation 

     

    Regards,

    Christian Lutz

    Support Engineer

    CA Technologies - North America



  • 3.  Re: Does PAM 3.1.1 support Diffie-Hellman parameter 2048 or more?

    Posted Apr 20, 2018 04:44 AM

    Tested on CA PAM 2.8.4 Hotfix 04

    Not working with SSH DH size 2048.

     

    Tested on CA PAM version 3.1.1 without any hotfix

    It's working perfectly with SSH DH size 2048.
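
An added example, not part of any post in this thread and not CA/Broadcom code: a shell check that reads `openssl s_client` output, extracts the ephemeral DH size a TLS server presented, and tests it against the Java rule quoted in reply 2 and against a 2048-bit floor. The floor value, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client` output on stdin, for instance from
#   openssl s_client -connect HOST:PORT -tls1_2 -cipher DHE </dev/null 2>/dev/null
# (HOST:PORT is a placeholder), and reports the server's ephemeral DH size.

MIN_BITS=2048   # assumption: the floor named in the thread title

# Print the bit length from a "Server Temp Key: DH, N bits" line, if any.
dh_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# Java rule quoted in reply 2: multiple of 64, 512..2048 inclusive.
java_supports() {
    [ "$1" -ge 512 ] && [ "$1" -le 2048 ] && [ $(( $1 % 64 )) -eq 0 ]
}

# Print "bits=N floor=pass|fail java=yes|no", or "no-dhe" when the
# handshake did not use finite-field DH (e.g. ECDHE was negotiated).
classify_dh() {
    bits=$(dh_bits)
    if [ -z "$bits" ]; then
        echo "no-dhe"
        return 0
    fi
    if [ "$bits" -ge "$MIN_BITS" ]; then floor=pass; else floor=fail; fi
    if java_supports "$bits"; then java=yes; else java=no; fi
    echo "bits=$bits floor=$floor java=$java"
}

# Constructed sample lines (not captured from any real server).
sample_1024='Server Temp Key: DH, 1024 bits'
sample_2048='Server Temp Key: DH, 2048 bits'
sample_4096='Server Temp Key: DH, 4096 bits'
sample_ecdh='Server Temp Key: ECDH, P-256, 256 bits'

for s in "$sample_1024" "$sample_2048" "$sample_4096" "$sample_ecdh"; do
    printf '%s\n' "$s" | classify_dh
done
```

Under the quoted rule, 2048 is the only size that passes both checks, which matches the "exactly 2048, but not higher" answer in reply 2.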