How to disable Secure CORBA on the SS after seeing ports in a vulnerability scan
search cancel

How to disable Secure CORBA on the SS after seeing ports in a vulnerability scan

book

Article ID: 112340

calendar_today

Updated On: 02-07-2025

Products

Spectrum Network Observability

Issue/Introduction

The following messages are seen in the VNM.OUT/Spectrum Control Panel:

ERROR TRACE at CsCorbaMgr.cc(1254): Failed to connect to CORBA Naming Service on corbaloc::SERVERNAME:14006/NameService, will retry in 5 seconds.

You may also see:

ERROR TRACE at CsCorbaMgr.cc(1260): Could not create a root naming context. Maximum number of retries exceeded.
CORBA exception: Exception: CORBA::NO_PERMISSION
    Minor: 1447174771 
    Completion Status: NO

Cause

Secure CORBA ships with self signed certificates which some do not wish to use and may be flagged.  If the option is to not use Secure CORBA, you can easily disable it.

Resolution

1.  Check the following line in the $SPECROOT/.jcorbarc file which must be false:

vbroker.security.alwaysSecure=false

Also in the .corbarc in the same location, the line must also be false:

vbroker.security.alwaysSecure=false

2.  Review the $SPECROOT/bin/VBNS/NAMINGSERVICE.OUT.  If you see this message in regards to "Anonymous ciphers" then you have a policy that blocks them:

org.omg.CORBA.INITIALIZE: Couldn't not resolve ServerManager:
org.omg.CORBA.ORBPackage.InvalidName: org.omg.CORBA.COMM_FAILURE:
org.omg.CORBA.BAD_PARAM: Anonymous Ciphers must be enabledif No certificates are present 

You will need to either update your policy to allow anonymous ciphers or disable the ability to use secure corba. If you must use secure CORBA then you must update your policy to allow for anonymous ciphers. 

To disable the ability to use secure CORBA, please do the following:

a.  Edit BOTH the $SPECROOT/.corbarc and the $SPECROOT/.jcorbarc and change this to true:


vbroker.security.disable=false 
to true:
vbroker.security.disable=true

Also verify this is false.  If it is true, change it to false:


vbroker.security.alwaysSecure=true
to false:
vbroker.security.alwaysSecure=false


After changes are made the SpectroSERVER must be shutdown, and processd restarted.

For details on restarting processd, please reference the "Setting Up a Distributed SpectroSERVER Environment" section of the documentation.