Vulnerability scans showing Spectrum TLS versioning
Article ID: 130560
Updated On:
Products
CA Spectrum
Issue/Introduction
Security scans revealed Spectrum processes are not TLS version compliant. How can Spectrum processes be configured to not use TLSv1 or TLSv1.1
Cause
CORBA communication is not configured for specific TLS version
Environment
Release:
Component: SPCCSS
Component: SPCCSS
Resolution
This is resolved in CA Spectrum 10.3 and above. To resolve this in 10.1.x and 10.2.x, edit the $SPECROOT/.corbarc and $SPECROOT/.jcorbarc and add the following entries to the "#Security related settings" section:
vbroker.security.client.socket.enabledProtocols=TLS_Version_1_2_Only
vbroker.security.server.socket.enabledProtocols=TLS_Version_1_2_Only
For example, it will look like this:
# Security related settings
#
vbroker.security.disable=false
vbroker.security.transport.protocol=TLSv1
vbroker.security.secureTransport=true
vbroker.security.server.transport=ALL
vbroker.security.alwaysSecure=false
vbroker.security.requireAuthentication=false
vbroker.security.peerAuthenticationMode=NONE
vbroker.security.client.socket.enabledProtocols=TLS_Version_1_2_Only
vbroker.security.server.socket.enabledProtocols=TLS_Version_1_2_Only
Once you have made the changes, restart the SpectroSERVER and processd.
vbroker.security.client.socket.enabledProtocols=TLS_Version_1_2_Only
vbroker.security.server.socket.enabledProtocols=TLS_Version_1_2_Only
For example, it will look like this:
# Security related settings
#
vbroker.security.disable=false
vbroker.security.transport.protocol=TLSv1
vbroker.security.secureTransport=true
vbroker.security.server.transport=ALL
vbroker.security.alwaysSecure=false
vbroker.security.requireAuthentication=false
vbroker.security.peerAuthenticationMode=NONE
vbroker.security.client.socket.enabledProtocols=TLS_Version_1_2_Only
vbroker.security.server.socket.enabledProtocols=TLS_Version_1_2_Only
Once you have made the changes, restart the SpectroSERVER and processd.
Feedback
Yes
No
Powered by
