Port 8443 SSL Certificate Cannot Be Trusted

Article ID: 195039

Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

“Port 8443 SSL Certificate Cannot Be Trusted”

a. A vulnerability scanner determined that the SSL certificate presented on CA PAM port 8443 cannot be trusted.
b. The issue can be reproduced by browsing to https://CAPAM_IP:8443/
c. When the [Advanced] button is clicked and you proceed to the next page, ERR_BAD_SSL_CLIENT_AUTH_CERT is shown.

Cause

Cluster Deployment Requirements - We need the following ports to be open for cluster deployment.

Clustered appliance: Within a site, these ports are required: TCP/443, 8443 (HTTPS); TCP/3307, 13307 (MySQL); TCP/5900 (Hazelcast); TCP/7900 (JGroups); TCP/7901 (JGroups heartbeat). Between sites, only 443, 8443, and 3307 are required. For external user access, only 443 is required. (For a standalone appliance, only TCP/443 is necessary.)

Port 8443 is used internally for communication between the clustered nodes, and it uses a self-signed certificate. ERR_BAD_SSL_CLIENT_AUTH_CERT means the connection was rejected because the browser does not hold the client certificate that this port requires. Only PAM nodes have the required certificate, so only they can establish communication on it.
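When triaging this finding, it helps to confirm the behaviour described above from the outside: the port asks for a client certificate and presents a self-signed leaf. The shell helper below is an added example, not a Broadcom/CA tool; it assumes the `openssl` CLI is installed and keys off strings in `openssl s_client`'s human-readable output, which differ somewhat between OpenSSL versions.

```shell
#!/bin/sh
# Triage a scanner "certificate cannot be trusted" finding on a PAM cluster port.
# Added example, not a Broadcom/CA tool. Requires the openssl CLI; match strings
# follow the human-readable output of `openssl s_client` (they vary by version).

# Classify how the server treated a client that offered no certificate.
# $1 = full `openssl s_client` output. Prints exactly one token:
#   MTLS_REQUIRED  server sent a CertificateRequest (the cluster-port behaviour above)
#   OPEN           handshake finished without any client certificate being requested
#   NO_TLS         no TLS handshake took place (closed, filtered, or not TLS)
classify_s_client() {
  case "$1" in
    *"Acceptable client certificate CA names"*|*"Client Certificate Types:"*|\
    *"Requested Signature Algorithms:"*|*"alert certificate required"*)
      echo MTLS_REQUIRED ;;
    *"Verify return code:"*)
      echo OPEN ;;
    *)
      echo NO_TLS ;;
  esac
}

# True when the depth-0 certificate is self-signed (subject equals issuer),
# which is expected for the certificate an appliance presents to its cluster peers.
is_self_signed() {
  subj=$(printf '%s\n' "$1" | sed -n 's/^ *0 s:\(.*\)$/\1/p' | head -n 1)
  issr=$(printf '%s\n' "$1" | sed -n 's/^ *i:\(.*\)$/\1/p' | head -n 1)
  [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# Usage: sh triage_8443.sh <host:port>   (hypothetical host; makes a real connection)
# MTLS_REQUIRED plus a self-signed leaf matches the cluster-only behaviour described
# in the article; OPEN on 8443 would mean the port is serving anonymous clients.
if [ -n "${1:-}" ]; then
  out=$(openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>&1) || true
  printf 'handshake: %s\n' "$(classify_s_client "$out")"
  if is_self_signed "$out"; then echo 'leaf: self-signed'; else echo 'leaf: CA-issued or absent'; fi
fi
```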

Environment

Release : 3.4.x, 4.0.x

Component: PRIVILEGED ACCESS MANAGEMENT

Resolution

A Nessus scan reports this finding, but that does not mean PAM is vulnerable to any external access via port 8443.

Additional Information

Previously, in PAM 3.3.x, it was potentially possible to reach the PAM login page on port 8443. This vulnerability was fixed in 3.4.x onward, and port 8443 is now dedicated to PAM cluster communication.
