How to disable Secure CORBA on the SS after seeing ports in a vulnerability scan
search cancel

How to disable Secure CORBA on the SS after seeing ports in a vulnerability scan

book

Article ID: 112340

calendar_today

Updated On:

Products

CA Spectrum DX NetOps

Issue/Introduction

The following messages are seen in the VNM.OUT/Spectrum Control Panel:

ERROR TRACE at CsCorbaMgr.cc(1254): Failed to connect to CORBA Naming Service on corbaloc::SERVERNAME:14006/NameService, will retry in 5 seconds.

You may also see:

ERROR TRACE at CsCorbaMgr.cc(1260): Could not create a root naming context. Maximum number of retries exceeded.
CORBA exception: Exception: CORBA::NO_PERMISSION
    Minor: 1447174771 
    Completion Status: NO

Environment

Release: MSPSPD99000-10.3-Spectrum-Device Based Suite-MSP
Component:

Cause

This is caused by improperly configured CORBA files or a policy that blocks anonymous ciphers.  Spectrum 10.2.0 and above ships with the ability to enable secure corba but uses anonymous ciphers.  If anonymous ciphers are blocked, you cannot start the Naming Service because the ciphers are not allowed.

Resolution

1.  Check the following line in the $SPECROOT/.jcorbarc file which must be false:

vbroker.security.alwaysSecure=false

Also in the .corbarc in the same location, the line must also be false:

vbroker.security.alwaysSecure=false

2.  Review the $SPECROOT/bin/VBNS/NAMINGSERVICE.OUT.  If you see this message in regards to "Anonymous ciphers" then you have a policy that blocks them:

org.omg.CORBA.INITIALIZE: Couldn't not resolve ServerManager:
org.omg.CORBA.ORBPackage.InvalidName: org.omg.CORBA.COMM_FAILURE:
org.omg.CORBA.BAD_PARAM: Anonymous Ciphers must be enabledif No certificates are present 

You will need to either update your policy to allow anonymous ciphers or disable the ability to use secure corba. If you must use secure CORBA then you must update your policy to allow for anonymous ciphers. 

To disable the ability to use secure CORBA, please do the following:

a.  Edit BOTH the $SPECROOT/.corbarc and the $SPECROOT/.jcorbarc and change this to true:


vbroker.security.disable=false 
to true:
vbroker.security.disable=true

Also verify this is false.  If it is true, change it to false:


vbroker.security.alwaysSecure=true
to false:
vbroker.security.alwaysSecure=false


After changes are made the SpectroSERVER must be shutdown, and processd restarted.

For details on restarting processd, please reference the "Setting Up a Distributed SpectroSERVER Environment" section of the documentation.

Additional Information

Enhanced Functionality to utilize secure ciphers is in DX NetOps Spectrum 21.2.1 onwards - Secure CORBA Enhancements.  See here: https://knowledge.broadcom.com/external/article?articleId=189064

 

How to ENABLE secure CORBA: https://knowledge.broadcom.com/external/article?articleId=72596

Powered by Wolken Software