“Port 8443 SSL Certificate Cannot Be Trusted”
a. A vulnerability scanner reports that the CA PAM SSL certificate on port 8443 cannot be trusted.
b. The issue can be reproduced by browsing to https://PAMIP:8443/
c. When the [Advanced] button is clicked and you proceed to the next page, the browser shows ERR_BAD_SSL_CLIENT_AUTH_CERT.
Release : 3.4.x, 4.x
Component: PRIVILEGED ACCESS MANAGEMENT
Cluster Deployment Requirements - We need the following ports to be open for cluster deployment.
Clustered appliance: Within a site, these ports are required: TCP/443, 8443 (HTTPS); TCP/3307, 13307 (MySQL); TCP/5900 (Hazelcast); TCP/7900 (JGroups); TCP/7901 (JGroups heartbeat). Between sites, only 443, 8443, and 3307 are required. For external user access, only 443 is required. (For a standalone appliance, only TCP/443 is necessary.)
Port 8443 is used internally for communication between the clustered nodes, and this listener uses a self-signed certificate. ERR_BAD_SSL_CLIENT_AUTH_CERT means the connection was rejected because the browser did not present a client certificate; only PAM nodes hold the certificate required to establish that communication.
The Nessus finding is therefore expected for this port. It does not mean that PAM can be reached from outside through port 8443. Port 8443 should still be restricted at the firewall to cluster nodes within a site and between sites, as the port list above indicates; external users need only TCP/443.
In PAM 3.3.x it was possible to reach the PAM login page on port 8443. This was fixed in 3.4.x onward, and port 8443 is now dedicated to PAM cluster communication.
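The following script is an added example for triaging this finding; it is not CA PAM code. It encodes the cluster port table above and checks two things a reviewer of the scan report would want to confirm: that no port beyond the ones listed for the scanner's vantage point (within site, between sites, external) is reachable, and that the 8443 listener really demands a TLS client certificate, which is the condition behind ERR_BAD_SSL_CLIENT_AUTH_CERT. The nmap output and the openssl s_client output embedded below are constructed samples; the host name used on the command line is a placeholder.

```python
"""Triage helper for the "port 8443 certificate cannot be trusted" finding.

Added example, not CA PAM's own code. Assumes the cluster port table from
the article and that the 8443 listener requires a TLS client certificate.
The nmap and openssl outputs below are constructed samples.
"""
import re
import subprocess
import sys

# Port table from the article, keyed by where the scanner sits.
EXPECTED_PORTS = {
    "intra-site": {443, 8443, 3307, 13307, 5900, 7900, 7901},
    "inter-site": {443, 8443, 3307},
    "external":   {443},
    "standalone": {443},
}

# Constructed nmap normal-output sample, as seen from an external network.
SAMPLE_EXTERNAL_SCAN = """\
PORT      STATE     SERVICE
443/tcp   open      https
8443/tcp  open      https-alt
3307/tcp  filtered  opsession-prxy
"""

# Constructed fragment of `openssl s_client` output for a listener that
# sent a CertificateRequest and presents a self-signed certificate.
SAMPLE_S_CLIENT = """\
---
Acceptable client certificate CA names
CN = PAM Cluster CA
Client Certificate Types: RSA sign, ECDSA sign
---
Verify return code: 18 (self signed certificate)
---
"""


def parse_nmap_open_ports(nmap_text):
    """Return the set of TCP ports that nmap reported as 'open'."""
    ports = set()
    for line in nmap_text.splitlines():
        m = re.match(r"^\s*(\d+)/tcp\s+open\s", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def unexpected_exposures(open_ports, vantage):
    """Ports reachable from `vantage` that the port table says should not be."""
    return sorted(set(open_ports) - EXPECTED_PORTS[vantage])


def client_cert_required(s_client_output):
    """True when the s_client output shows the server asked for a client cert.

    OpenSSL prints 'Client Certificate Types' and 'Acceptable client
    certificate CA names' only after receiving a CertificateRequest (TLS 1.2);
    a TLS 1.3 server that rejects a missing certificate sends the
    'certificate required' alert. A bare 'handshake failure' is not used as
    evidence because a cipher mismatch produces the same alert.
    """
    markers = (
        "Client Certificate Types:",
        "Acceptable client certificate CA names",
        "alert certificate required",
    )
    return any(m in s_client_output for m in markers)


def verify_return_code(s_client_output):
    """Extract OpenSSL's 'Verify return code' (18 = self signed certificate)."""
    m = re.search(r"Verify return code: (\d+)", s_client_output)
    return int(m.group(1)) if m else None


def probe(host, port=8443):
    """Run openssl s_client with no client certificate and return its output.

    Network call: only used from the command line, never by the helpers above.
    """
    p = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=20,
    )
    return (p.stdout + p.stderr).decode(errors="replace")


if __name__ == "__main__":
    # Usage: python triage_8443.py PAMIP
    out = probe(sys.argv[1])
    print("client certificate required:", client_cert_required(out))
    print("verify return code:", verify_return_code(out))
    print("unexpected from external:",
          unexpected_exposures(parse_nmap_open_ports(SAMPLE_EXTERNAL_SCAN), "external"))
```

A verify return code of 18 together with a client-certificate request is the expected state for 8443 after 3.4.x. The combination that does warrant action is 8443 appearing in the open set from the external vantage point: that is a firewall problem, regardless of what the certificate looks like.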