Security scans keep flagging our Data Repositories on port 5444 for HTTPS certificate violations.
Security scans keep flagging our Data Repositories on port 8443 for HTTPS certificate violations.
A Qualys scan has reported vulnerabilities on the Data Repository Vertica cluster nodes for the SSL/HTTPS certificates found on port 8443.
Some of the pertinent information from the scan shows:
| TITLE | PORT | RESULTS | SOLUTION |
| --- | --- | --- | --- |
| SSL Certificate - Signature Verification Failed Vulnerability | 8443 | Certificate #0 CN=HttpsService,OU=Vertica,O=Micro_Focus,L=Cambridge,ST=Massachusetts,C=US ISSUER:_CN=rootca,OU=Vertica,O=Micro_Focus,L=Cambridge,ST=Massachusetts,C=US self signed certificate in certificate chain# | Please install a server certificate signed by a trusted third-party Certificate Authority. |
| SSL Certificate - Subject Common Name Does Not Match Server FQDN | 8443 | Certificate #0 CN=HttpsService,OU=Vertica,O=Micro_Focus,L=Cambridge,ST=Massachusetts,C=US (HttpsService) doesn't resolve# | Please install a server certificate whose Subject commonName or subjectAltName matches the server FQDN. |
| SSL Certificate - Invalid Maximum Validity Date Detected | 8443 | Certificate #0 CN=HttpsService,OU=Vertica,O=Micro_Focus,L=Cambridge,ST=Massachusetts,C=US ISSUER:_CN=rootca,OU=Vertica,O=Micro_Focus,L=Cambridge,ST=Massachusetts,C=US is valid for more than 398 days# | Please install a server certificate with recommended maximum validity. |
| SSL Certificate - Self-Signed Certificate | 8443 | Certificate #1 CN=rootca,OU=Vertica,O=Micro_Focus,L=Cambridge,ST=Massachusetts,C=US is a self signed certificate.# | Please install a server certificate signed by a trusted third-party Certificate Authority. |
All supported releases of Network Observability DX NetOps Performance Management Data Repository Vertica database servers
Port 5444 is used by the Vertica agent.
We ship the Vertica agent and it is installed by default, but it is only used by the Vertica Management Console (MC), which we do not ship, use or support.
Port 8443 is used by the HTTPService, which was introduced in Vertica 23.x and is included in NetOps Performance Management 23.3.11+.
Port 5444 is only used by the Vertica agent, which is only needed by the Management Console (MC), and the MC is not installed by default.
You can just disable the agent and the scan should pass with no changes in functionality.
Note: This may get turned back on after upgrades of Vertica, so you may need to disable it again after an upgrade.
Port 8443 is only used by the HTTPService and is not utilized by Performance Management.
You can just disable the service and the scan should pass with no changes in functionality.
Note: This may get turned back on after upgrades of Vertica, so you may need to disable it again after an upgrade.
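Because both listeners may be re-enabled by a Vertica upgrade, a post-upgrade check on each Data Repository node can confirm that ports 5444 and 8443 are still closed before the next scan. The script below is an added example, not part of the product or of this article's original text; it assumes a Linux node with the iproute2 `ss` command, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: detect whether the Vertica agent (5444) or the
# HTTPService (8443) is listening again, e.g. after a Vertica upgrade.

# Ports named in this article.
VERTICA_PORTS="5444 8443"

# Constructed sample of `ss -ltn` output (not taken from a real node).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:5433      0.0.0.0:*
LISTEN 0      128    [::]:8443         [::]:*
LISTEN 0      128    127.0.0.1:15444   0.0.0.0:*'

# listening_vertica_ports: reads `ss -ltn` style lines on stdin and prints
# each port from VERTICA_PORTS that has a listener, one per line.
listening_vertica_ports() {
    awk -v ports="$VERTICA_PORTS" '
        BEGIN { n = split(ports, want, " ") }
        $1 == "LISTEN" {
            # Column 4 is Local Address:Port. Keep only the text after the
            # last colon so 0.0.0.0:5444, [::]:5444 and *:5444 all give
            # "5444", while a port such as 15444 does not match.
            port = $4
            sub(/^.*:/, "", port)
            for (i = 1; i <= n; i++)
                if (port == want[i]) seen[want[i]] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (want[i] in seen) print want[i]
        }'
}

# check_node: inspect the live socket table; returns 1 if a port is open.
check_node() {
    open=$(ss -ltn | listening_vertica_ports)
    if [ -n "$open" ]; then
        echo "listening again: $(echo $open)" >&2
        return 1
    fi
    echo "ports $VERTICA_PORTS are closed"
}
```

Run `check_node` on each cluster node after an upgrade; a non-zero return means the agent or the HTTPService needs to be disabled again.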