Data Repository failing security scan on port 5444 or 8443

Article ID: 191757

Updated On: 06-24-2025

Products

CA Performance Management Network Observability

Issue/Introduction

Security scans keep flagging our Data Repositories on port 5444 for HTTPS certificate violations.

Security scans keep flagging our Data Repositories on port 8443 for HTTPS certificate violations.

A Qualys scan has reported vulnerabilities on the Data Repository Vertica cluster nodes for the SSL/HTTPS certificates found on port 8443.

Some of the pertinent information from the scan shows:

| TITLE | PORT | RESULTS | SOLUTION |
| --- | --- | --- | --- |
| SSL Certificate - Signature Verification Failed Vulnerability | 8443 | Certificate #0 CN=HttpsService,OU=Vertica,O=Micro_Focus,L=Cambridge,ST=Massachusetts,C=US ISSUER:_CN=rootca,OU=Vertica,O=Micro_Focus,L=Cambridge,ST=Massachusetts,C=US self signed certificate in certificate chain# | Please install a server certificate signed by a trusted third-party Certificate Authority. |
| SSL Certificate - Subject Common Name Does Not Match Server FQDN | 8443 | Certificate #0 CN=HttpsService,OU=Vertica,O=Micro_Focus,L=Cambridge,ST=Massachusetts,C=US (HttpsService) doesn't resolve# | Please install a server certificate whose Subject commonName or subjectAltName matches the server FQDN. |
| SSL Certificate - Invalid Maximum Validity Date Detected | 8443 | Certificate #0 CN=HttpsService,OU=Vertica,O=Micro_Focus,L=Cambridge,ST=Massachusetts,C=US ISSUER:_CN=rootca,OU=Vertica,O=Micro_Focus,L=Cambridge,ST=Massachusetts,C=US  is valid for more than 398 days# | Please install a server certificate with recommended maximum validity. |
| SSL Certificate - Self-Signed Certificate | 8443 | Certificate #1 CN=rootca,OU=Vertica,O=Micro_Focus,L=Cambridge,ST=Massachusetts,C=US  is a self signed certificate.# | Please install a server certificate signed by a trusted third-party Certificate Authority. |

Environment

All supported releases of Network Observability DX NetOps Performance Management Data Repository Vertica database servers

Cause

Port 5444 is used by the Vertica agent.

We ship the Vertica agent and it is installed by default, but it is only used by the Vertica Management Console (MC), which we do not ship, use or support.

Port 8443 is used by the HTTPService, which was introduced in Vertica 23.x and is included in NetOps Performance Management 23.3.11+.

Resolution

Port 5444 is only used by the Vertica agent and is only needed by the Management Console (MC), which is not installed by default.

You can just disable the agent, and the scan should pass with no changes in functionality.

    1. systemctl stop vertica_agent
    2. systemctl disable vertica_agent

Note: This may get turned back on after upgrades of Vertica, so you may need to disable it again after an upgrade.

 

Port 8443 is only used by the HTTPService and is not utilized by Performance Management.

You can just disable the service, and the scan should pass with no changes in functionality.

    1. Log in to vSQL via the adminTools "Connect to database" option
    2. Issue the below vSQL query:
      • SELECT SET_CONFIG_PARAMETER ('EnableHTTPServer', '0');
    3. Stop and restart the database

Note: This may get turned back on after upgrades of Vertica, so you may need to disable it again after an upgrade.
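
Because both services may come back after a Vertica upgrade, a post-upgrade check can confirm that nothing is listening on 5444 or 8443 again. The script below is an added example, not part of the original article or the product: the function names are hypothetical, and the two `ss -ltn` samples are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB article): check that the two listeners the
# article disables have not come back, e.g. after a Vertica upgrade.
FLAGGED_PORTS="5444 8443"   # Vertica agent and HTTPService ports from the article

# Reads `ss -ltn` output on stdin, prints each flagged port that has a listener.
flagged_listeners() {
    awk -v ports="$FLAGGED_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4                 # "Local Address:Port" column
            sub(/.*:/, "", port)      # strip the address: 0.0.0.0:, [::]:, *:
            if ((port in want) && !seen[port]++) print port
        }' | sort -n
}

# Returns 0 when no flagged port is listening, 1 otherwise (names the ports).
listeners_clear() {
    found=$(flagged_listeners | tr '\n' ' ')
    [ -z "$found" ] && return 0
    echo "still listening: $found" >&2
    return 1
}

# Constructed sample: a node where an upgrade re-enabled both services.
# Port 54440 is included to show that only exact port matches are reported.
SAMPLE_REENABLED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:5433       0.0.0.0:*
LISTEN 0      128    0.0.0.0:5444       0.0.0.0:*
LISTEN 0      128    [::]:8443          [::]:*
LISTEN 0      128    127.0.0.1:54440    0.0.0.0:*'

# Constructed sample: the same node after the steps in this article.
SAMPLE_DISABLED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:5433       0.0.0.0:*'

# Live use on a Data Repository node: sh check_ports.sh --live
if [ "${1:-}" = "--live" ]; then
    systemctl is-enabled vertica_agent   # expect "disabled"
    ss -ltn | listeners_clear
fi
```

Run with `--live` on each cluster node after an upgrade; a non-zero exit status means one of the flagged ports is listening again and the corresponding steps above need to be repeated.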