Port 8443 SSL Certificate Cannot Be Trusted

Article ID: 195039

Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

“Port 8443 SSL Certificate Cannot Be Trusted”

a. A vulnerability scanner reports that the SSL certificate presented on CA PAM port 8443 cannot be trusted.
b. The finding can be reproduced by browsing to https://CAPAM_IP:8443/ and inspecting the certificate warning.

Cause

Cluster Deployment Requirements - The following ports must be open for a cluster deployment.

Clustered appliance: Within a site, these ports are required: TCP/443, 8443 (HTTPS); TCP/3307, 13307 (MySQL); TCP/5900 (Hazelcast); TCP/7900 (JGroups); TCP/7901 (JGroups heartbeat). Between sites, only 443, 8443, and 3307 are required. For external user access, only 443 is required. (For a standalone appliance, only TCP/443 is necessary.)

Port 8443 is used internally for communication between the clustered nodes. It presents a self-signed certificate, which cannot be validated by an external party the way a CA-issued SSL certificate can. Because the port is nonetheless reachable from anywhere, a vulnerability scan sees this certificate and reports it as untrusted.
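To confirm that a scanner's report matches the cause described above, rather than some other trust problem such as an expired certificate or a hostname mismatch, a defender can classify the TLS verification failure and compare the ports reachable from the scanning vantage point against the requirements listed above. The following is an added example, not code from the article or from the product; it assumes a resolvable appliance hostname and uses the OpenSSL X509 verify codes that CPython exposes on ssl.SSLCertVerificationError (18 = depth-zero self-signed certificate, 19 = self-signed certificate in chain).

```python
import socket
import ssl

# TCP ports the article lists for a clustered appliance within a site.
CLUSTER_PORTS = {
    443: "HTTPS", 8443: "HTTPS (intra-cluster)",
    3307: "MySQL", 13307: "MySQL",
    5900: "Hazelcast", 7900: "JGroups", 7901: "JGroups heartbeat",
}
# Per the article, only 443 is required for external user access.
EXTERNALLY_REQUIRED = {443}

# OpenSSL X509 verify codes reported in ssl.SSLCertVerificationError.verify_code
SELF_SIGNED_CODES = {
    18: "self-signed leaf certificate (expected on intra-cluster port 8443)",
    19: "self-signed certificate in chain",
}


def classify_verify_code(code):
    """Label a verification failure: expected self-signed cluster cert vs. other trust issue."""
    if code in SELF_SIGNED_CODES:
        return SELF_SIGNED_CODES[code]
    return "other trust failure (verify_code=%s)" % code


def check_tls_trust(host, port, timeout=5.0):
    """Run a verified TLS handshake against host:port using the system trust store."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError as err:
        return classify_verify_code(getattr(err, "verify_code", None))
    except (OSError, ssl.SSLError) as err:
        # Non-TLS services (MySQL, Hazelcast, JGroups) or closed ports land here.
        return "no TLS handshake / unreachable: %s" % err


def unexpected_exposure(reachable_ports, external_vantage=True):
    """Return cluster ports that answered but should not be reachable from this vantage."""
    allowed = EXTERNALLY_REQUIRED if external_vantage else set(CLUSTER_PORTS)
    return sorted(p for p in reachable_ports if p in CLUSTER_PORTS and p not in allowed)


if __name__ == "__main__":
    host = "capam.example.internal"  # placeholder hostname, not from the article
    for port in sorted(CLUSTER_PORTS):
        print(port, CLUSTER_PORTS[port], "->", check_tls_trust(host, port))
```

Run from outside the site: a verify_code 18 result on 8443 confirms the article's cause, and any port other than 443 appearing in unexpected_exposure() indicates the intra-cluster ports are open wider than the deployment requirements call for.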

Environment

Release : 3.2.x, 3.3.1, 3.3.2, 3.3.3

Component: PRIVILEGED ACCESS MANAGEMENT

Resolution

This is a known issue that is fixed in the 3.4 release of the product.