“Port 8443 SSL Certificate Cannot Be Trusted”
a. A vulnerability scanner determined that CA PAM port 8443 SSL certificate cannot be trusted
b.The issue can be simulated when you try to access https://CAPAM_IP:8443/
c. When [Advanced] button in clicked and proceed to the next page ERR_BAD_SSL_CLIENT_AUTH_CERT is shown.
Cluster Deployment Requirements - We need the following ports to be open for cluster deployment.
Clustered appliance: Within a site, these ports are required: TCP/443, 8443 (HTTPS); TCP/3307, 13307 (MySQL); TCP/5900 (Hazelcast); TCP/7900 (JGroups); TCP/7901 (JGroups heartbeat). Between sites, only 443, 8443, and 3307 are required. For external user access, only 443 is required. (For a standalone appliance, only TCP/443 is necessary.)
Port 8443 is used internally for communication between the clustered nodes and this uses a self-signed certificate. The ERR_BAD_SSL_CLIENT_AUTH_CERT means communication is rejected due to the Browser doesn't have client certificate. Only PAM nodes have the required certificate to establish communication.
Release : 3.4.x, 4.0.x
Component: PRIVILEGED ACCESS MANAGEMENT
Nessus scan shows vulnerability but it doesn't mean PAM is vulnerable to any external access via this 8443 port.
Previously in PAM 3.3.x there was potential access to get into the PAM login page on this 8843 port. However, this vulnerability had been fixed in 3.4.x onward and this 8443 port is now dedicated for PAM cluster communication.