Security setting disabling udm_manager weak ciphers


Article ID: 209177

Products

CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)

Issue/Introduction

How to configure the certificate, cipher suites and TLS versions that udm_manager uses, in response to vulnerability scan findings.

Cause

A vulnerability scan reported the following weak security findings against the udm_manager port:

SSL Certificate Cannot Be Trusted
"Plugin Output: 
The following certificate was at the top of the certificate
chain sent by the remote host, but it is signed by an unknown
certificate authority :

|-Subject : C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown
|-Issuer  : C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown"

-------------------------

SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
"Plugin Output: 
The following certificates were part of the certificate chain
sent by the remote host, but contain RSA keys that are considered
to be weak :

|-Subject        : C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown
|-RSA Key Length : 1024 bits"

-------------------------

SSL Certificate Signed Using Weak Hashing Algorithm
"Plugin Output: 
The following certificates were part of the certificate chain sent by
the remote host, but contain hashes that are considered to be weak.

|-Subject             : C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown
|-Signature Algorithm : SHA-1 With RSA Encryption
|-Valid From          : Jan 29 19:36:36 2012 GMT
|-Valid To            : Jan 26 19:36:36 2022 GMT"

-------------------------

SSL Certificate with Wrong Hostname
"Plugin Output: 
The identities known by Nessus are :

  The Common Name in the certificate is :

  Unknown"

-------------------------

SSL Self-Signed Certificate
"Plugin Output: 
The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown"

-------------------------

SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
Plugin Output: 
Vulnerable connection combinations :

SSL/TLS version  : TLSv1.0
Cipher suite     : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version  : TLSv1.0
Cipher suite     : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version  : TLSv1.1
Cipher suite     : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)

SSL/TLS version  : TLSv1.1
Cipher suite     : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)"

TLS Version 1.0 Protocol Detection
Plugin Output: TLSv1 is enabled and the server supports at least one cipher.

Environment

Release : 20.3

Component : UIM - UDM

Resolution

a. Create a properties file with the list of weak protocols and cipher suites to disable.

The example below contains some of the weak ciphers; modify the list according to your security policy.

File name in the udm_manager probe folder: disable_ciphers.properties

jdk.tls.disabledAlgorithms=TLSv1, TLSv1.1, SSLv3, RC4, MD5withRSA, DH keySize < 768,TLSv1,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA

b. Update the udm_manager configuration to use the following Java options (the -Djava.security.properties entry points the JVM at the file created in step a):

java_opts = -server -XX:ErrorFile=./hs_err_pid.log -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode -Djava.security.properties=disable_ciphers.properties

c. Restart udm_manager. Test connectivity using the following commands. With TLSv1 and TLSv1.1 in the disabled list, the -tls1 and -tls1_1 handshakes should fail and only -tls1_2 should succeed:

openssl s_client -connect "ip address":4334 -tls1

openssl s_client -connect "ip address":4334 -tls1_1

openssl s_client -connect "ip address":4334 -tls1_2
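Before restarting the probe, it is worth checking that the disabledAlgorithms value in step a actually covers every vulnerable combination the scan listed. The checker below is an added example, not part of this article or the UIM product; it maps the Nessus TLS1_CK_* suite names to the IANA TLS_* names the JDK uses (an assumption about the scanner's naming) and evaluates each finding against the protocol, suite and "DH keySize < N" entries in a properties file. The properties and findings are constructed samples based on the values shown above.

```python
import re

# Constructed sample: the disabledAlgorithms value from disable_ciphers.properties,
# trimmed to the entries relevant to the Logjam finding above.
PROPERTIES = (
    "jdk.tls.disabledAlgorithms=TLSv1, TLSv1.1, SSLv3, RC4, MD5withRSA, "
    "DH keySize < 768,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA\n"
)

# Constructed sample: the scan's vulnerable combinations as
# (protocol, Nessus cipher-suite name, DH modulus size in bits).
FINDINGS = [
    ("TLSv1.0", "TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA", 1024),
    ("TLSv1.0", "TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA", 1024),
    ("TLSv1.1", "TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA", 1024),
    ("TLSv1.1", "TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA", 1024),
]


def parse_disabled(properties_text):
    """Return the comma-separated entries of jdk.tls.disabledAlgorithms."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "jdk.tls.disabledAlgorithms":
            return [e.strip() for e in value.split(",") if e.strip()]
    return []


def dh_min_keysize(entries):
    """Smallest DH size still allowed by 'DH keySize < N' entries, or None."""
    sizes = [int(m.group(1)) for e in entries
             if (m := re.fullmatch(r"DH\s+keySize\s*<\s*(\d+)", e))]
    return max(sizes) if sizes else None


def is_covered(entries, version, nessus_suite, dh_bits):
    """True if the protocol, the suite, or the DH size is disabled."""
    # Java spells TLS 1.0 as "TLSv1"; Nessus TLS1_CK_* names map to IANA TLS_*.
    java_version = "TLSv1" if version == "TLSv1.0" else version
    iana_suite = nessus_suite.replace("TLS1_CK_", "TLS_", 1)
    dh_min = dh_min_keysize(entries)
    return (java_version in entries
            or iana_suite in entries
            or (dh_min is not None and dh_bits < dh_min))


def uncovered(properties_text, findings):
    """Findings that the properties file would still leave negotiable."""
    entries = parse_disabled(properties_text)
    return [f for f in findings if not is_covered(entries, *f)]
```

Note that "DH keySize < 768" on its own does not cover the scan's 1024-bit modulus; the findings are covered here because the TLSv1/TLSv1.1 protocols and the DHE suites are listed explicitly.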