When attempting to access the SEP Management GUI, I got an error in my browser that said “ssl_error_weak_server_ephemeral_dh_key”. This is caused by weak ciphers which have been deprecated by browser updates.
To resolve this you have to modify the SEP server's "server.xml" file to exclude the weak ciphers and include newer and stronger ciphers, as well as replace the Java Cryptography Extension (JCE) files to support the stronger ciphers.
- Login to the SEP server and stop the Symantec Endpoint Protection WebService.
- Go to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\conf and open server.xml.
- In the server.xml file, find the section with cipher= value under <Service name=”WebService”> and replace the current ciphers listed in the file with the following: ciphers="TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
- Download the new JCE files from Java’s website here.
- Unzip and save those files to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre\lib\security. Overwrite the existing files in prompted.
- Start the Symantec Endpoint Protection WebService back up, and you should be all set.