Vulnerability scans showing Spectrum TLS versioning

Article ID: 130560


Updated On:

Products

CA Spectrum

Issue/Introduction

Security scans revealed that Spectrum processes are not TLS version compliant. How can Spectrum processes be configured so that they do not use TLSv1 or TLSv1.1?

Environment

Release:
Component: SPCCSS

Cause

CORBA communication is not configured for a specific TLS version.

Resolution

This is resolved in CA Spectrum 10.3 and above. To resolve this in 10.1.x and 10.2.x, edit both $SPECROOT/.corbarc and $SPECROOT/.jcorbarc and add the following entries to the "#Security related settings" section:


vbroker.security.client.socket.enabledProtocols=TLS_Version_1_2_Only
vbroker.security.server.socket.enabledProtocols=TLS_Version_1_2_Only

For example, the section will then look like this:

# Security related settings
#
vbroker.security.disable=false
vbroker.security.transport.protocol=TLSv1
vbroker.security.secureTransport=true
vbroker.security.server.transport=ALL
vbroker.security.alwaysSecure=false
vbroker.security.requireAuthentication=false
vbroker.security.peerAuthenticationMode=NONE
vbroker.security.client.socket.enabledProtocols=TLS_Version_1_2_Only
vbroker.security.server.socket.enabledProtocols=TLS_Version_1_2_Only

Once you have made the changes, restart the SpectroSERVER and processd.
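
One way to confirm that both files carry the two entries after editing, shown here as an added example rather than vendor code. The key names and value come from this article; the function name check_tls_props and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): audit a VisiBroker properties file for the
# two enabledProtocols entries this article says to add.
REQUIRED_VALUE="TLS_Version_1_2_Only"
REQUIRED_KEYS="vbroker.security.client.socket.enabledProtocols
vbroker.security.server.socket.enabledProtocols"

# check_tls_props FILE
# Returns 0 only if each required key has at least one uncommented assignment
# to REQUIRED_VALUE and no uncommented assignment to anything else.
check_tls_props() {
    file=$1
    [ -r "$file" ] || { echo "FAIL $file: not readable"; return 2; }
    rc=0
    for key in $REQUIRED_KEYS; do
        result=$(awk -F= -v k="$key" -v want="$REQUIRED_VALUE" '
            /^[ \t]*#/ { next }          # commented-out entries do not count
            { name = $1; val = $2
              gsub(/[ \t\r]/, "", name); gsub(/[ \t\r]/, "", val) }
            name == k { if (val == want) good++; else bad++ }
            END { printf "%d %d", good, bad }' "$file")
        good=${result% *}; bad=${result#* }
        if [ "$bad" -gt 0 ]; then
            echo "FAIL $file: $key has a value other than $REQUIRED_VALUE"; rc=1
        elif [ "$good" -eq 0 ]; then
            echo "FAIL $file: $key is missing or commented out"; rc=1
        else
            echo "OK   $file: $key=$REQUIRED_VALUE"
        fi
    done
    return $rc
}

if [ -n "${SPECROOT:-}" ]; then
    # Real run: the two files named in the article.
    for f in "$SPECROOT/.corbarc" "$SPECROOT/.jcorbarc"; do
        check_tls_props "$f" || true
    done
else
    # Constructed sample: only the client entry is present.
    sample=$(mktemp)
    printf '%s\n' '# Security related settings' \
        'vbroker.security.secureTransport=true' \
        "vbroker.security.client.socket.enabledProtocols=$REQUIRED_VALUE" > "$sample"
    check_tls_props "$sample" || true
    rm -f "$sample"
fi
```

A passing file check only shows the configuration is in place; the processes still need the restart described above before a rescan will reflect it.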