Vulnerability scans showing Spectrum TLS versioning
Article ID: 130560
Updated On:
Products
CA Spectrum
Issue/Introduction
Security scans revealed Spectrum processes are not TLS version compliant. How can Spectrum processes be configured to not use TLSv1 or TLSv1.1
Environment
Release:
Component: SPCCSS
Component: SPCCSS
Cause
CORBA communication is not configured for specific TLS version
Resolution
This is resolved in CA Spectrum 10.3 and above. To resolve this in 10.1.x and 10.2.x, edit the $SPECROOT/.corbarc and $SPECROOT/.jcorbarc and add the following entries to the "#Security related settings" section:
vbroker.security.client.socket.enabledProtocols=TLS_Version_1_2_Only
vbroker.security.server.socket.enabledProtocols=TLS_Version_1_2_Only
For example, it will look like this:
# Security related settings
#
vbroker.security.disable=false
vbroker.security.transport.protocol=TLSv1
vbroker.security.secureTransport=true
vbroker.security.server.transport=ALL
vbroker.security.alwaysSecure=false
vbroker.security.requireAuthentication=false
vbroker.security.peerAuthenticationMode=NONE
vbroker.security.client.socket.enabledProtocols=TLS_Version_1_2_Only
vbroker.security.server.socket.enabledProtocols=TLS_Version_1_2_Only
Once you have made the changes, restart the SpectroSERVER and processd.
vbroker.security.client.socket.enabledProtocols=TLS_Version_1_2_Only
vbroker.security.server.socket.enabledProtocols=TLS_Version_1_2_Only
For example, it will look like this:
# Security related settings
#
vbroker.security.disable=false
vbroker.security.transport.protocol=TLSv1
vbroker.security.secureTransport=true
vbroker.security.server.transport=ALL
vbroker.security.alwaysSecure=false
vbroker.security.requireAuthentication=false
vbroker.security.peerAuthenticationMode=NONE
vbroker.security.client.socket.enabledProtocols=TLS_Version_1_2_Only
vbroker.security.server.socket.enabledProtocols=TLS_Version_1_2_Only
Once you have made the changes, restart the SpectroSERVER and processd.
Feedback
Yes
No
Powered by
