Diffie-Hellman key error with Firefox and Chrome browsers connecting to CA SSO Administrative UI

Document ID : KB000032935
Last Modified Date : 14/02/2018
Show Technical Document Details

Summary:

When using the Chrome or Firefox web browsers to connect to the CA SSO Administrative UI (WAMUI) the connection fails and the browsers return Diffie-Hellman key errors.

Examples:

---------------------------------------------------------------------------------------------------------------------------------------------

CHROME:

Error:

Server has a weak ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

Hide details

This error can occur when connecting to a secure (HTTPS) server. It means that the server is trying to set up a secure connection but, due to a disastrous misconfiguration, the connection wouldn't be secure at all!
In this case the server needs to be fixed. Google Chrome won't use insecure connections in order to protect your privacy.
Learn more about this problem.

---------------------------------------------------------------------------------------------------------------------------------------------

FIREFOX:

An error occurred during a connection to <hostName.domain.com>:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

---------------------------------------------------------------------------------------------------------------------------------------------

These Diffie-Hellman errors do not occur with Internet Explorer.


This issue is occurring in the default configuration of the underlying JBOSS application server,
which is bundled with the WAMUI as the 'WAMUI-Prereq".


Instructions:

To resolve this JBOSS 'server.xml' will need to be manually modified.

1) Logon to the host running the Administrative UI.

2) Stop the CA SSO Administrative UI

  • Stop the embedded JBOSS Server

1.       Logon to the host running the WAMUI

Unix: 

2.       Navigate to:

 <WAMUI Home>/CA/siteminder/adminui/bin/administrative_ui_install

3.       Run the following command:

shutdown.sh

Windows:

2. Load services.msc

3. Stop the "SiteMinder AdminUI" Service

 

3) Browse to the 'server.xml' file.

Default Path: siteminder/adminui/server/default/deploy/jbossweb.sar/server.xml

4) Copy the 'server.xml' and name the copy 'server.xml.<date>.BAK

5) Open the 'server.xml' file with a text editor.

6) Modify the "SSL Connector" section.

 

OLD VALUE:

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA" connectionTimeout="20000" emptySessionPath="true" enableLookups="true" keyAlias="tomcat" keystoreFile="jsse.keystore" keystorePass="changeit" keystoreType="jks" maxHttpHeaderSize="10240" maxPostSize="0" maxSpareThreads="75" minSpareThreads="5" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"/>


NEW VALUE:

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" connectionTimeout="20000" emptySessionPath="true" enableLookups="true" keyAlias="tomcat" keystoreFile="jsse.keystore" keystorePass="changeit" keystoreType="jks" maxHttpHeaderSize="10240" maxPostSize="0" maxSpareThreads="75" minSpareThreads="5" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"/> 

 

7) Save the changes

8) Start the CA SSO Admin UI

9) Connect the Admin UI using either the Firefox or Chrome web browsers.

Now it does not show that error anymore. Above error is because the RootCA is not trusted.

If you click on "Advanced" link, you can proceed to the site.

Or, you can import the RootCA certificate to trust it and not get this warning ("Your connection is not private.").

 

If you click on the PADLOCK icon in the Address Bar(where the https is crossed out) then you will get information which protocol is currently in use.

 

Here you can see that this connection uses TLS 1.0.

 

Additional Information:

Tech Tip - CA Single Sign-On:Administrative UI: Does the standalone Admin UI installation support TLSv1.2 ?