Port 8443 SSL Certificate Cannot Be Trusted

Article Id: 195039

Status: Published

Updated On: 27-07-2020 21:11

Products:

CA Privileged Access Manager (PAM) , CA Privileged Access Manager - Cloakware Password Authority (PA) , PAM SAFENET LUNA HSM , CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction:

“Port 8443 SSL Certificate Cannot Be Trusted”

a. A vulnerability scanner determined that CA PAM port 8443 SSL certificate cannot be trusted
b.The issue can be simulated when you try to access https://CAPAM_IP:8443/

Cause:

Cluster Deployment Requirements - We need the following ports to be open for cluster deployment.

Clustered appliance: Within a site, these ports are required: TCP/443, 8443 (HTTPS); TCP/3307, 13307 (MySQL); TCP/5900 (Hazelcast); TCP/7900 (JGroups); TCP/7901 (JGroups heartbeat). Between sites, only 443, 8443, and 3307 are required. For external user access, only 443 is required. (For a standalone appliance, only TCP/443 is necessary.)

Port 8443 is used internally for communication between the clustered nodes and this uses a self-signed certificate, which can't be externally trusted as any other SSL certificate, but during a vulnerability scan, this SSL certificate is visible / it is accessible from anywhere.

Environment:

Release : 3.2.x, 3.3.1, 3.3.2, 3.3.3

Component: PRIVILEGED ACCESS MANAGEMENT

Resolution:

This is a known issue fixed in 3.4 release of the product.