TIM and SSLv3 Poodle Vulnerability

Document ID : KB000028443
Last Modified Date : 14/02/2018

 Issue:

 Red Hat has recently announced a security vulnerability in the SSLv3 protocol, commonly referred to as 'POODLE'. See the following link for details:

 https://access.redhat.com/articles/1232123

 CA has determined that the TIM Admin UI application (TIM's web server) is affected by this vulnerability. Additionally, communication between the APM CE (CEM) TIM appliance software and the APM Enterprise Manager is affected if SSL communication is enabled between the two components.

 Versions affected:  All APM 9.x with CEM TIMsoft or TIM as Software.

 Workaround (fix for POODLE):

 Check for and disable SSLv3 on the TIM's web server with the following steps:

1) Run the following command on the TIM machine to confirm that a handshake with the SSL 3.0 protocol currently succeeds:

        openssl s_client -connect <<TIM_IP>>:443 -ssl3

2) Open the file /etc/httpd/conf.d/ssl.conf and add the following entry to disable SSL 2.0 and SSL 3.0. Make a backup of this file first so that it can be restored if any issue arises.

             SSLProtocol All -SSLv2 -SSLv3

3) Run the following commands to check that the configuration change is valid and then restart httpd:

       service httpd configtest

       service httpd restart


4) Run the following command on the TIM machine again; the handshake should now fail with an error for the SSL 3.0 protocol:

        openssl s_client -connect <<TIM_IP>>:443 -ssl3

5) Verify that TIM is still receiving requests from EM/TESS by running the following command on the TIM machine:

      tail -f /etc/httpd/logs/access_log
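The checks from the steps above, as an added example that is not part of the original KB article or any CA tool: a POSIX sh script that audits an ssl.conf for the SSLProtocol change from step 2 and classifies the result of the openssl s_client check from steps 1 and 4. The function names, the constructed sample configs, and the CLIENT_NO_SSLV3 case (the local OpenSSL being built without SSLv3 support, so the client rejects -ssl3 before reaching the server) are assumptions added here.

```shell
#!/bin/sh
# Added example: audit the POODLE mitigation from the steps above.
# Function names and the sample configs are constructed for this example.

# Returns 0 if the ssl.conf given as $1 explicitly disables SSLv3 (e.g.
# "SSLProtocol All -SSLv2 -SSLv3" or a TLS-only list), 1 if SSLv3 is still
# allowed. A missing or commented-out directive counts as allowed, because
# httpd's default SSLProtocol is "all", which includes SSLv3.
sslv3_disabled_in_conf() {
    line=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    tokens=$(printf '%s\n' "$line" | awk '{ $1 = ""; print tolower($0) }')
    enabled=0
    for t in $tokens; do
        case "$t" in
            -sslv3) return 0 ;;                 # explicit removal wins
            all|+all|sslv3|+sslv3) enabled=1 ;; # something turns SSLv3 on
        esac
    done
    [ "$enabled" -eq 0 ]
}

# Classifies the outcome of "openssl s_client ... -ssl3" (steps 1 and 4) against
# host $1 on port 443. Modern OpenSSL builds omit SSLv3 entirely; then the client
# rejects -ssl3 itself and the run proves nothing about the server.
sslv3_handshake_status() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:443" -ssl3 2>&1)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo CLIENT_NO_SSLV3
    elif printf '%s\n' "$out" | grep -qiE 'handshake failure|wrong version number|protocol version'; then
        echo SSLV3_REJECTED        # expected after step 3
    elif printf '%s\n' "$out" | grep -q 'Protocol *: SSLv3'; then
        echo SSLV3_ACCEPTED        # server still negotiates SSLv3
    else
        echo UNKNOWN
    fi
}

# Constructed sample configs (not real TIM files): before and after the fix.
SAMPLE_DIR=$(mktemp -d)
printf 'Listen 443\nSSLEngine on\nSSLProtocol All\n' > "$SAMPLE_DIR/before.conf"
printf 'Listen 443\nSSLEngine on\nSSLProtocol All -SSLv2 -SSLv3\n' > "$SAMPLE_DIR/after.conf"
printf 'Listen 443\n#SSLProtocol All -SSLv2 -SSLv3\n' > "$SAMPLE_DIR/commented.conf"
for f in before after commented; do
    if sslv3_disabled_in_conf "$SAMPLE_DIR/$f.conf"; then echo "$f.conf: SSLv3 disabled"
    else echo "$f.conf: SSLv3 STILL ALLOWED"; fi
done
```

Run the config check before `service httpd restart` so a typo in the directive is caught alongside `configtest`; call `sslv3_handshake_status <<TIM_IP>>` for the live check.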

If SSL communication is enabled between the TIM and the EM/TESS, also perform the additional step "Configure the APM Enterprise Manager to use TLS for communicating to the TIM software".

To configure the APM Enterprise Manager to use TLS:


1) Add the following Java system property to the EM LAX file and restart the EM. This property should be set on the MOM and on the EM running the TIM Collection Service. CA strongly suggests making this change on all Enterprise Managers to prevent issues if the TIM Collection Service needs to be moved between EMs in the cluster.

       -Dhttps.protocols=TLSv1

Sample snippet:

lax.nl.java.option.additional=-Xms10240m -Xmx10240m -Djava.awt.headless=false -XX:MaxPermSize=256m -Dmail.mime.charset=UTF-8 -Dorg.owasp.esapi.resources=./config/esapi  -Xss512k -Dhttps.protocols=TLSv1

2) After restarting the EM that runs the TIM Collection Service (the TCS collector), verify that TIM is receiving requests from EM/TESS by running the following command on the TIM machine:

        tail -f /etc/httpd/logs/ssl_access_log