Data Collector fails vulnerability scan on port 8601

Article ID: 138898

Products

CA Infrastructure Management, CA Performance Management - Usage and Administration, DX NetOps

Issue/Introduction

We are getting failed scans on ssh for port 8601 on the Data Collector (DC) in DX NetOps Performance Management.

We are getting failed scans on ssh for port 8501 on the Data Aggregator (DA) in DX NetOps Performance Management.

Environment

All supported DX NetOps Performance Management releases

Cause

Security is reporting that there is a vulnerability on port 8501 on the DC and port 8601 on the DA.

By default, the Karaf instance used by both servers uses the SSH cipher arcfour256.

Resolution

The Data Collector and Data Aggregator install the high encryption pack, so aes256 is now available as an encryption method.

To enable it, edit the org.apache.karaf.shell.cfg file on both the DA and the DC. With the default install paths, the file is found in:

  • Data Aggregator path:
    • /opt/IMDataAggregator/apache-karaf-<ver>/etc/
  • Data Collector path:
    • /opt/IMDataCollector/apache-karaf-<ver>/etc/

In the file add the following line:

ciphers=aes256-ctr,aes128-ctr

Restart all services on both systems. To do so for standalone DA environments:

  1. Data Aggregator
    1. Stop the dadaemon service
      • systemctl stop dadaemon
    2. Stop the activemq service
      • systemctl stop activemq
    3. Start the dadaemon service (should restart the activemq service)
      • systemctl start dadaemon
    4. Run status commands to verify each is running:
      • systemctl status activemq
      • systemctl status dadaemon
  2. Data Collector:
    1. Stop the dcmd service
      • systemctl stop dcmd
    2. Stop the activemq service
      • systemctl stop activemq
    3. Start the dcmd service (should restart the activemq service)
      • systemctl start dcmd
    4. Run status commands to verify each is running:
      • systemctl status activemq
      • systemctl status dcmd

In a Fault Tolerant Data Aggregator environment:

  1. Set the Active Data Aggregator to Maintenance to stop it.
      • /opt/IMDataAggregator/scripts/dadaemon maintenance
    1. The Inactive Data Aggregator is already down and not running.
      • Seeing the Active DA go down will trigger the proxy consul to start the Inactive DA and its dadaemon and activemq services.
    2. Set the DA now in Maintenance to Active.
      1. /opt/IMDataAggregator/scripts/dadaemon activate
      2. It becomes Inactive in the UI as the other DA is Active at this point.
    3. You can reverse the process once more to reset the DA Active/Inactive states, or leave it as is until the next failover cycle switches them.
  2. The Data Collector restart is the same as in the standalone DA steps.
    1. Stop the dcmd service
      • systemctl stop dcmd
    2. Stop the activemq service
      • systemctl stop activemq
    3. Start the dcmd service (should restart the activemq service)
      • systemctl start dcmd
    4. Run status commands to verify each is running:
      • systemctl status activemq
      • systemctl status dcmd

Additional Information

This change will need to be made after each upgrade of the product.

This file is backed up to */backup/apache-karaf/etc before we lay down a new version, but we don't restore the file.
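
Because the cipher line has to be re-added after every upgrade, the edit can be scripted so it is safe to re-run. The following is an added example, not part of the original article or the product: the helper names ensure_ciphers and apply_default_paths and the script file name are hypothetical, and the paths are the article's defaults with <ver> matched by a glob.

```shell
#!/bin/sh
# Added example: idempotently set the Karaf SSH cipher line from this article.
WANT='ciphers=aes256-ctr,aes128-ctr'        # line given in the Resolution section
KEY_RE='^[[:space:]]*ciphers[[:space:]]*='  # any active (uncommented) ciphers line

# ensure_ciphers FILE  (hypothetical helper)
# Prints "unchanged" or "changed"; returns 1 if FILE is missing or unwritable.
ensure_ciphers() {
    cfg=$1
    [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 1; }
    # Nothing to do when the only ciphers line is exactly the wanted one.
    if [ "$(grep -c "$KEY_RE" "$cfg")" -eq 1 ] && grep -qx "$WANT" "$cfg"; then
        echo unchanged
        return 0
    fi
    # Keep a timestamped copy next to the file before touching it.
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp=$(mktemp) || return 1
    # Drop every existing ciphers line (e.g. a weaker list), then append ours.
    grep -v "$KEY_RE" "$cfg" > "$tmp" || :
    echo "$WANT" >> "$tmp"
    # cat into place so the file keeps its owner and mode.
    cat "$tmp" > "$cfg" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    echo changed
}

# Default install paths from the article; the glob stands in for <ver>.
apply_default_paths() {
    for f in /opt/IMDataAggregator/apache-karaf-*/etc/org.apache.karaf.shell.cfg \
             /opt/IMDataCollector/apache-karaf-*/etc/org.apache.karaf.shell.cfg; do
        if [ -f "$f" ]; then echo "$f: $(ensure_ciphers "$f")"; fi
    done
}

# Only touch real files when asked to (example name): sh set-karaf-ciphers.sh --apply
if [ "${1:-}" = "--apply" ]; then apply_default_paths; fi
```

Run it with --apply on each DA and DC host; the service restart described in the Resolution section is only needed where a file is reported as changed.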