Remediation Steps to Secure Apache Tomcat used by CA Service Catalog if configured to support SSL (HTTPs)

Document ID : KB000029107
Last Modified Date : 14/02/2018

Poodle Vulnerability – Remediation Steps to Secure Apache Tomcat used by CA Service Catalog if configured to support SSL (HTTPs)

Versions Applicable: 12.7, 12.8, 12.9, 14.1

1. NOTE: These steps need to be followed on each CA Service Catalog server system

2. Log in to the server on which CA Service Catalog has been installed

3. Stop the following service:

a. CA Service Catalog for version 12.8+

b. CA Service View for version 12.7

4. Open the following file in a text editor

%USM_HOME%/view/conf/server.xml

Search for the Connector tag that contains the text scheme="https"

E.g.:

<Connector port="8443" enableLookups="false" tomcatAuthentication="false" maxHttpHeaderSize="8192" maxThreads="400" minSpareThreads="25" maxSpareThreads="100" debug="0" connectionTimeout="15000" disableUploadTimeout="true" compression="on" compressionMinSize="2048" compressableMimeType="text/html,text/plain,text/xml,text/css,text/javascript,image/png,image/gif,image/jpeg" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\CA\Service Catalog\.keystore" keyAlias="service_view"/>

Add the following attribute to make sure that SSLv3 is not used:

sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"

After adding the new attribute, the connector definition should look like:

<Connector port="8443" enableLookups="false" tomcatAuthentication="false" maxHttpHeaderSize="8192" maxThreads="400" minSpareThreads="25" maxSpareThreads="100" debug="0" connectionTimeout="15000" disableUploadTimeout="true" compression="on" compressionMinSize="2048" compressableMimeType="text/html,text/plain,text/xml,text/css,text/javascript,image/png,image/gif,image/jpeg" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" keystoreFile="C:\Program Files (x86)\CA\Service Catalog\.keystore" keyAlias="service_view"/>

Save the file server.xml

5. Start the Windows service that was stopped in step 3
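To confirm the edit on each server, the check below parses server.xml and reports every HTTPS connector that lacks sslEnabledProtocols or still lists an SSL-named protocol. It is an added example, not part of the original CA document; the function name and the shortened sample connectors (including ports 9443 and 10443) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: shortened "before" and "after" connectors in the style
# of the ones shown above, plus one that re-enables SSLv3 by mistake.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" scheme="http"/>
    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"/>
    <Connector port="9443" scheme="https" secure="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"/>
    <Connector port="10443" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1, SSLv3"/>
  </Service>
</Server>"""


def audit_https_connectors(server_xml_text):
    """Return (port, problem) pairs for HTTPS connectors that may allow SSLv3."""
    findings = []
    root = ET.fromstring(server_xml_text)
    for conn in root.iter("Connector"):
        if conn.get("scheme", "").lower() != "https":
            continue  # only connectors with scheme="https" are in scope
        port = conn.get("port", "?")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # The remediation attribute from step 4 has not been added.
            findings.append((port, "sslEnabledProtocols not set"))
            continue
        protocols = [p.strip() for p in enabled.split(",") if p.strip()]
        if not protocols:
            findings.append((port, "sslEnabledProtocols is empty"))
            continue
        # Any SSL-named entry (for example SSLv3) defeats the remediation.
        legacy = [p for p in protocols if p.upper().startswith("SSL")]
        if legacy:
            findings.append((port, "legacy protocol enabled: " + ",".join(legacy)))
    return findings


if __name__ == "__main__":
    for port, problem in audit_https_connectors(SAMPLE_SERVER_XML):
        print(f"Connector port {port}: {problem}")
```

To audit a real installation, pass the contents of %USM_HOME%/view/conf/server.xml to audit_https_connectors; an empty result means every HTTPS connector carries a TLS-only sslEnabledProtocols list.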

Reference: http://wiki.apache.org/tomcat/Security/POODLE

File Attachments:
TEC1155961.zip