Vulnerability scans showing Spectrum TLS versioning

Article ID: 130560

Updated On:

Products

CA Spectrum

Issue/Introduction

Security scans report that Spectrum processes are not TLS version compliant. How can Spectrum processes be configured so that they do not use TLSv1 or TLSv1.1?

Cause

CORBA communication is not configured for a specific TLS version.

Environment

Release:
Component: SPCCSS

Resolution

This is resolved in CA Spectrum 10.3 and above. To resolve it in 10.1.x and 10.2.x, edit both $SPECROOT/.corbarc and $SPECROOT/.jcorbarc and add the following entries to the "#Security related settings" section of each file:


vbroker.security.client.socket.enabledProtocols=TLS_Version_1_2_Only
vbroker.security.server.socket.enabledProtocols=TLS_Version_1_2_Only

For example, the section will then look like this:

# Security related settings
#
vbroker.security.disable=false
vbroker.security.transport.protocol=TLSv1
vbroker.security.secureTransport=true
vbroker.security.server.transport=ALL
vbroker.security.alwaysSecure=false
vbroker.security.requireAuthentication=false
vbroker.security.peerAuthenticationMode=NONE
vbroker.security.client.socket.enabledProtocols=TLS_Version_1_2_Only
vbroker.security.server.socket.enabledProtocols=TLS_Version_1_2_Only

Once you have made the changes, restart the SpectroSERVER and processd.
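
To confirm the edit landed in both files before restarting, the following script is an added example (not part of the original article or of the product). It checks that each file has both entries active and set only to TLS_Version_1_2_Only. The function names, the whitespace and CRLF tolerance, and the rule that a second entry with a different value counts as a failure are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit .corbarc and .jcorbarc for the TLS 1.2-only entries.
REQUIRED_VALUE="TLS_Version_1_2_Only"
REQUIRED_KEYS="vbroker.security.client.socket.enabledProtocols
vbroker.security.server.socket.enabledProtocols"

# Print every active (uncommented) value of key $2 in file $1, one per line.
# Assumption: CR and surrounding whitespace are ignored for the comparison.
active_values() {
    tr -d '\r' < "$1" | awk -v key="$2" '
        /^[ \t]*#/ { next }                      # commented-out entries do not count
        {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }'
}

# Return 0 only if file $1 sets both keys, and only to the required value.
check_corbarc() {
    file=$1; file_rc=0
    [ -r "$file" ] || { echo "FAIL $file: not readable"; return 1; }
    for key in $REQUIRED_KEYS; do
        values=$(active_values "$file" "$key")
        if [ -z "$values" ]; then
            echo "FAIL $file: $key is missing or commented out"; file_rc=1
        elif [ -n "$(printf '%s\n' "$values" | grep -Fvx "$REQUIRED_VALUE")" ]; then
            echo "FAIL $file: $key has a value other than $REQUIRED_VALUE"; file_rc=1
        else
            echo "OK   $file: $key=$REQUIRED_VALUE"
        fi
    done
    return $file_rc
}

# Check both property files under the Spectrum install directory $1.
check_specroot() {
    root_rc=0
    for name in .corbarc .jcorbarc; do
        check_corbarc "$1/$name" || root_rc=1
    done
    return $root_rc
}

# Run against $SPECROOT when the variable is set.
if [ -n "${SPECROOT:-}" ]; then check_specroot "$SPECROOT"; fi
```

A non-zero exit status means at least one of the two files still lacks an entry or carries a different value.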