[PAM][TAP] TA 2.2.x - X.509 Certificate Subject CN does not match the Entity Name (certificate-common-name-mismatch)


Article ID: 209640

Products

CA Threat Analytics for PAM

Issue/Introduction

A vulnerability scan of Threat Analytics 2.2.3 reports that the HTTPS certificate on the ports below has the literal subject "CN=$HOSTNAME", which does not match the server's actual host name:

Port: 443/tcp, 3000/tcp, 8443/tcp | CN: $HOSTNAME

X.509 Certificate Subject CN Does Not Match the Entity Name (certificate-common-name-mismatch)

Cause

By default, TAP (Threat Analytics for PAM) ships with a self-signed placeholder certificate whose subject contains the unexpanded string "CN=$HOSTNAME":

CN = $HOSTNAME
OU = Engineering
O = CA Technologies
L = New York
S = New York
C = US

A certificate is required because TAP ships with HTTPS enabled on all of its service ports; the placeholder only exists so that the services can start, and it is not expected to pass a scanner's host name check.

Environment

Release : 2.2.3

Component : THREAT ANALYTICS FOR PRIVILEGED ACCESS MANAGER

Resolution

After deploying TAP, install a proper certificate whose subject CN or Subject Alternative Name matches the host name used to reach the server. The procedure is documented here:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-1/integrating/integrate-with-ca-threat-analytics/deploy-ca-threat-analytics-server.html#concept.dita_e49c142d04a41299ff74f32a25743aa764754481_ConfigureCAThreatAnalytics

Follow the documented steps to create a Java keystore (JKS) containing the certificate and its private key, and upload it to the TAP server.

Then restart both the "Threat Analytics Engine" and the "Threat Analytics Admin App" services (a reboot of the server may be required).

Run the vulnerability scan against ports 443, 3000 and 8443 again.

The following sample is nmap output taken after the change. All three service ports now present the newly uploaded certificate. Note that in this sample the new certificate's CN (SPS) still does not equal the host name; the check passes because the Subject Alternative Name (DNS:*.kimlabs.net) covers ta223.kimlabs.net, and scanners and browsers consult the SAN before falling back to the CN.

Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-03 13:27 AUS Eastern Daylight Time
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:28
Completed NSE at 13:28, 0.00s elapsed
Initiating NSE at 13:28
Completed NSE at 13:28, 0.00s elapsed
Initiating NSE at 13:28
Completed NSE at 13:28, 0.00s elapsed
Initiating ARP Ping Scan at 13:28
Scanning ta223.kimlabs.net (192.168.0.80) [1 port]
Completed ARP Ping Scan at 13:28, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:28
Completed Parallel DNS resolution of 1 host. at 13:28, 0.00s elapsed
Initiating SYN Stealth Scan at 13:28
Scanning ta223.kimlabs.net (192.168.0.80) [3 ports]
Discovered open port 443/tcp on 192.168.0.80
Discovered open port 8443/tcp on 192.168.0.80
Discovered open port 3000/tcp on 192.168.0.80
Completed SYN Stealth Scan at 13:28, 0.00s elapsed (3 total ports)
Initiating Service scan at 13:28
Scanning 3 services on ta223.kimlabs.net (192.168.0.80)
Completed Service scan at 13:28, 12.28s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against ta223.kimlabs.net (192.168.0.80)
NSE: Script scanning 192.168.0.80.
Initiating NSE at 13:28
Completed NSE at 13:28, 1.07s elapsed
Initiating NSE at 13:28
Completed NSE at 13:28, 0.14s elapsed
Initiating NSE at 13:28
Completed NSE at 13:28, 0.00s elapsed
Nmap scan report for ta223.kimlabs.net (192.168.0.80)
Host is up (0.00025s latency).

PORT     STATE SERVICE  VERSION
443/tcp  open  ssl/http nginx 1.12.2
| http-methods: 
|   Supported Methods: GET HEAD POST PUT DELETE TRACE OPTIONS
|_  Potentially risky methods: PUT DELETE TRACE
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: nginx/1.12.2
| http-title: CA Threat Analytics
|_Requested resource was https://ta223.kimlabs.net/users/sign_in
| ssl-cert: Subject: commonName=SPS/organizationName=KIMLABS/stateOrProvinceName=NSW/countryName=AU
| Subject Alternative Name: DNS:*.kimlabs.net
| Issuer: commonName=KIMLABS-ROOTCA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-02-25T13:05:15
| Not valid after:  2023-02-25T13:05:15
| MD5:   98ec 1554 86b4 cb70 6e6e c469 14cf 5bcd
|_SHA-1: 706a ed64 aefb 1e11 1600 873d 30f1 c0e7 a837 a903
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1

3000/tcp open  ssl/http nginx 1.12.2
|_http-favicon: Unknown favicon MD5: A9EE0A5A025A2FE0A788BBC68A75AF1F
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.12.2
| http-title: Threat Analytics
|_Requested resource was https://ta223.kimlabs.net:3000/login
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-cert: Subject: commonName=SPS/organizationName=KIMLABS/stateOrProvinceName=NSW/countryName=AU
| Subject Alternative Name: DNS:*.kimlabs.net
| Issuer: commonName=KIMLABS-ROOTCA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-02-25T13:05:15
| Not valid after:  2023-02-25T13:05:15
| MD5:   98ec 1554 86b4 cb70 6e6e c469 14cf 5bcd
|_SHA-1: 706a ed64 aefb 1e11 1600 873d 30f1 c0e7 a837 a903
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1

8443/tcp open  ssl/http nginx 1.12.2
| http-methods: 
|   Supported Methods: GET HEAD POST PUT DELETE TRACE OPTIONS
|_  Potentially risky methods: PUT DELETE TRACE
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: nginx/1.12.2
| http-title: CA Threat Analytics
|_Requested resource was https://ta223.kimlabs.net:8443/users/sign_in
| ssl-cert: Subject: commonName=SPS/organizationName=KIMLABS/stateOrProvinceName=NSW/countryName=AU
| Subject Alternative Name: DNS:*.kimlabs.net
| Issuer: commonName=KIMLABS-ROOTCA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-02-25T13:05:15
| Not valid after:  2023-02-25T13:05:15
| MD5:   98ec 1554 86b4 cb70 6e6e c469 14cf 5bcd
|_SHA-1: 706a ed64 aefb 1e11 1600 873d 30f1 c0e7 a837 a903
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1
MAC Address: 00:0C:29:73:D2:E2 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.1
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9, Linux 5.1
Uptime guess: 49.710 days (since Tue Jan 12 20:26:17 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT     ADDRESS
1   0.25 ms ta223.kimlabs.net (192.168.0.80)

NSE: Script Post-scanning.
Initiating NSE at 13:28
Completed NSE at 13:28, 0.00s elapsed
Initiating NSE at 13:28
Completed NSE at 13:28, 0.00s elapsed
Initiating NSE at 13:28
Completed NSE at 13:28, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.44 seconds
           Raw packets sent: 38 (3.462KB) | Rcvd: 26 (2.338KB)
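As an added example (not part of this article or of the TAP product), the script below parses nmap's "ssl-cert" lines such as those above and applies the same host name check the scanner performs: SAN dNSNames first, CN only when no SAN is present, with wildcards limited to one label. The "after" sample is excerpted from the scan above; the "before" sample is constructed to show how the shipped CN=$HOSTNAME certificate would appear.

```python
import re

# Regexes for nmap's normal output: a port header line, then ssl-cert script lines.
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
CN_RE = re.compile(r"^\|\s*ssl-cert: Subject: .*?commonName=([^/]+)")
SAN_RE = re.compile(r"^\|\s*Subject Alternative Name: (.+)$")

# Excerpt of the post-fix scan from the article (port 443) and a constructed "before"
# excerpt: the default certificate carries the literal, unexpanded string $HOSTNAME as CN.
AFTER_FIX = """\
443/tcp  open  ssl/http nginx 1.12.2
| ssl-cert: Subject: commonName=SPS/organizationName=KIMLABS/stateOrProvinceName=NSW/countryName=AU
| Subject Alternative Name: DNS:*.kimlabs.net
"""
BEFORE_FIX = """\
8443/tcp open  ssl/http nginx 1.12.2
| ssl-cert: Subject: commonName=$HOSTNAME/organizationalUnitName=Engineering/organizationName=CA Technologies
"""

def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard only as the whole left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if p[0] != "*":
        return p == h
    return len(p) == len(h) and len(p) >= 3 and p[1:] == h[1:]

def cert_matches_host(cn: str, san_dns: list[str], hostname: str) -> tuple[bool, str]:
    """SAN dNSNames are authoritative when present; the CN is only consulted when there is no SAN."""
    if san_dns:
        hits = [n for n in san_dns if _dns_match(n, hostname)]
        return (True, f"SAN {hits[0]} matches") if hits else (False, f"no SAN entry matches {hostname}")
    if _dns_match(cn, hostname):
        return True, f"CN {cn} matches (no SAN present)"
    return False, f"CN {cn!r} does not match {hostname} and no SAN present"

def parse_nmap_ssl_certs(output: str) -> dict[int, tuple[str, list[str]]]:
    """Map each open port to (commonName, [SAN dNSNames]) from nmap's ssl-cert script output."""
    certs, port = {}, None
    for line in output.splitlines():
        if m := PORT_RE.match(line):
            port = int(m.group(1))
        elif port is not None and (m := CN_RE.match(line)):
            certs[port] = (m.group(1).strip(), [])
        elif port in certs and (m := SAN_RE.match(line)):
            names = [e.strip()[4:] for e in m.group(1).split(",") if e.strip().startswith("DNS:")]
            certs[port] = (certs[port][0], names)
    return certs

def check_scan(output: str, hostname: str) -> dict[int, tuple[bool, str]]:
    """Apply the host name check to every port found in the scan output."""
    return {port: cert_matches_host(cn, san, hostname)
            for port, (cn, san) in parse_nmap_ssl_certs(output).items()}
```

Running check_scan(BEFORE_FIX, "ta223.kimlabs.net") reports the mismatch the scanner flagged, while the same call on AFTER_FIX passes via the wildcard SAN.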
