POODLE and BEAST Vulnerabilities: Remediation Steps to Secure the Apache Tomcat Used by CA Service Catalog When Configured to Support SSL (HTTPS)

Document ID : KB000044403
Last Modified Date : 14/02/2018

Problem: 

A Browser Exploit Against SSL/TLS (BEAST) vulnerability can be detected with the free tool nmap. The command used is:
nmap --script ssl-cert,ssl-enum-ciphers nnn.nnn.nnn.nnn -p 8443 

Where "nnn.nnn.nnn.nnn" is the IP address of the CA Service Catalog server. 

Environment:  

CA Service Catalog 12.7, 12.8, 12.9, 14.1 with SSL enabled

Cause: 

This vulnerability exists in all CBC-based ciphers used with SSL v3/TLS 1.0. The following link describes the vulnerability in more detail:

https://blogs.msdn.microsoft.com/kaushal/2011/10/03/taming-the-beast-browser-exploit-against-ssltls/

Resolution:

NOTE: These steps need to be followed on each CA Service Catalog server system

1. Login to the server on which CA Service Catalog has been installed

2. Stop the following service:

a. CA Service Catalog for version 12.8+

b. CA Service View for version 12.7

3. Open the file %USM_HOME%/view/conf/server.xml in a text editor.

Search for the Connector tag that contains the text scheme="https"

Eg:

<Connector port="8443" enableLookups="false" tomcatAuthentication="false" maxHttpHeaderSize="8192" maxThreads="400" minSpareThreads="25" maxSpareThreads="100" debug="0" connectionTimeout="15000" disableUploadTimeout="true" compression="on" compressionMinSize="2048" compressableMimeType="text/html,text/plain,text/xml,text/css,text/javascript,image/png,image/gif,image/jpeg"  scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\CA\Service Catalog\.keystore" keyAlias="service_view"/>

Add the following attribute to make sure that SSL v3 is not used: sslEnabledProtocols="TLSv1.2,TLSv1.1". After adding the new attribute, the connector definition should look like:

<Connector port="8443" enableLookups="false" tomcatAuthentication="false" maxHttpHeaderSize="8192" maxThreads="400" minSpareThreads="25" maxSpareThreads="100" debug="0" connectionTimeout="15000" disableUploadTimeout="true" compression="on" compressionMinSize="2048" compressableMimeType="text/html,text/plain,text/xml,text/css,text/javascript,image/png,image/gif,image/jpeg" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1" keystoreFile="C:\Program Files (x86)\CA\Service Catalog\.keystore" keyAlias="service_view"/>

 

Save the file server.xml.

 

4. Start the Windows service that was stopped in step 2.

 

Reference: http://wiki.apache.org/tomcat/Security/POODLE
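To confirm step 3 was applied on every server, the following added Python check (not part of this article or of the product) parses server.xml, finds each Connector with scheme="https" and reports whether sslEnabledProtocols is present and free of SSLv3/TLSv1. The embedded sample XML is constructed for illustration; audit_file() is a hypothetical helper for pointing it at the real %USM_HOME%/view/conf/server.xml.

```python
import xml.etree.ElementTree as ET

# Protocols that must not stay enabled on an HTTPS connector:
# SSLv3 (POODLE) and TLSv1.0 (CBC/BEAST, per the Cause section above).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}

# Constructed sample server.xml (not the product's file): one hardened HTTPS
# connector, one missing the attribute, one still listing weak protocols,
# and a plain HTTP connector that must be ignored.
SAMPLE_SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1"/>
    <Connector port="9443" scheme="https" secure="true" sslProtocol="TLS"/>
    <Connector port="10443" scheme="https" secure="true" sslProtocol="TLS"
               sslEnabledProtocols="SSLv3,TLSv1,TLSv1.2"/>
  </Service>
</Server>
"""

def audit_https_connectors(server_xml_text):
    """Return [(port, finding)] per HTTPS Connector; "ok" means hardened."""
    findings = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("scheme", "http").lower() != "https":
            continue  # plain HTTP connector: not in scope of this fix
        port = conn.get("port", "?")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # Without the attribute Tomcat falls back to the JVM's default
            # protocol list, which is what the fix is meant to avoid.
            findings.append((port, "missing sslEnabledProtocols"))
            continue
        protos = {p.strip() for p in enabled.split(",") if p.strip()}
        weak = sorted(protos & WEAK_PROTOCOLS)
        findings.append((port, "weak protocols enabled: " + ",".join(weak)
                         if weak else "ok"))
    return findings

def audit_file(path):
    """Audit a real file, e.g. %USM_HOME%/view/conf/server.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_https_connectors(fh.read())

if __name__ == "__main__":
    for port, finding in audit_https_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

Run it after each server's server.xml is edited; any finding other than "ok" means that connector still needs the attribute from step 3.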

 

Additional Information :

Because PAM communicates with Catalog using TLSv1, the following changes must be made on the PAM side for communication to keep working after the Tomcat change above.

For Windows, in c2osvcw.conf:

wrapper.java.additional.15=-Dhttps.protocols=TLSv1.1,TLSv1.2

For UNIX, in c2osvrd.sh, the SVRDEFINES block reads:

SVRDEFINES="
-Duuid="$UUID" \
-Djava.awt.headless=true \
-Dc2oHome="$C2OHOME" \
-Djavax.xml.xpath.XPathFactory:xmlPathFactory="com.sun.org.apache.xpath.internal.jaxp.XPathFactoryImpl" \
-Djava.net.preferIPv4Stack="true" \
-Dfile.encoding="utf-8" \
-DJAVA_HOME="$JAVA_HOME" \
-Djava.library.path="$C2OHOME/ext-lib" \
-Djavax.xml.soap.SOAPConnectionFactory="com.optinuity.c2o.service.soap.connection.factory.ITPAMSoapConnectionFactory" \
-Duser.language="en" \
-Duser.country="US""

 

Change the last line from

-Duser.country="US""

to

-Duser.country="US" \

and then add, as the new last line, -Dhttps.protocols="TLSv1.1,TLSv1.2"" (the closing double quote of SVRDEFINES moves to this new line).

 

 

After making these changes, restart the PAM service for them to take effect.

 

Note : 

The c2osvcw.conf file for Windows is located in /PAM/server/c2o/bin/

The c2osvrd.sh file for *NIX is located in /usr/local/CA/PAM/server/c2o/