Identity Manager / Identity Portal client-initiated Renegotiation Vulnerability Remediation

Article ID: 222345

Products

CA Identity Suite, CA Identity Manager, CA Identity Portal, CA Identity Governance

Issue/Introduction

A recent vulnerability scan reported that Identity Manager (IDM), Identity Portal (IP) and Identity Governance (IG) may be vulnerable to client-initiated TLS renegotiation: a client that is allowed to renegotiate can repeatedly force the server through the costly handshake, which is a denial-of-service vector.

Environment

Release : 14.X

Component : Identity Manager

Component : Identity Suite

Component : Identity Portal

Component : Identity Governance

Resolution

Standalone:

In the WildFly bin directory (wildfly-15.0.1\bin), edit the JVM options file for your platform:

Linux - standalone.conf

Windows - standalone.conf.bat

Add the following to the JVM arguments:

-Djdk.tls.rejectClientInitiatedRenegotiation=true

Example (Windows standalone.conf.bat; on Linux append the same flag to the JAVA_OPTS assignment in standalone.conf):

set "JAVA_OPTS=-Xms1024m -Xmx4096m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.awt.headless=true -Dcom.sun.jersey.server.impl.cdi.lookupExtensionInBeanManager=true -Djdk.tls.rejectClientInitiatedRenegotiation=true"

VAPP:

If you are using the virtual appliance (VAPP), the Java arguments must be placed in the custom JVM arguments location described here:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/virtual-appliance/administering-virtual-appliance.html#concept.dita_484b93c7f06198e8b27adcc2537229358eb17777_CustomJVMArguments

Add the following to the JVM arguments:

-Djdk.tls.rejectClientInitiatedRenegotiation=true

For example, for Identity Portal the file is:

/opt/CA/VirtualAppliance/custom/IdentityPortal/jvm-args.conf


If adding the argument to the IDM configuration does not take effect, apply the remediation to the JVM itself rather than to the application.

The article suggests opening the Java security file (Java\jdk1.8.0_221\jre\lib\security), finding rejectClientInitiatedRenegotiation and setting the value to true. Note that the JSSE Reference Guide documents jdk.tls.rejectClientInitiatedRenegotiation as a Java system property (the default is false), so if editing that file has no effect, pass it to the JVM as a -D system property instead, for example through the JAVA_TOOL_OPTIONS environment variable, which every JVM reads at startup. Confirm the property is visible in the running JVM before re-scanning.


Once the changes are in place, restart the application: the JVM reads system properties only at startup, so the setting takes effect only after the application (or appliance) has been cycled. Re-run the scan afterwards to confirm the finding is closed.
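The script below is an added example for the Linux standalone procedure above; it is not part of the KB article or of the CA Identity Suite product. It appends the JSSE property to JAVA_OPTS in standalone.conf only if it is not already there (keeping a backup), checks the live JVM with jcmd after the restart, and probes the listener with openssl s_client, which requests a renegotiation when it reads the line "R" on stdin. A JVM that enforces the property answers the second ClientHello with a fatal handshake_failure alert, which s_client reports as "alert handshake failure". The conf file path, PID, host and port arguments are assumptions supplied by the operator; the sample s_client outputs in the usage section are constructed.

```shell
#!/bin/sh
# Added example (not from the KB article): add, verify and probe
# -Djdk.tls.rejectClientInitiatedRenegotiation=true on a WildFly host.
set -eu

PROP='-Djdk.tls.rejectClientInitiatedRenegotiation=true'

# add_renego_flag FILE
# Appends a JAVA_OPTS line carrying the property to the Linux standalone.conf
# unless the file already sets it to true. Prints "added" or "present".
# (standalone.conf.bat on Windows uses set "JAVA_OPTS=..." and is not handled here.)
add_renego_flag() {
  conf="$1"
  if grep -q 'jdk.tls.rejectClientInitiatedRenegotiation=true' "$conf"; then
    echo present
    return 0
  fi
  if grep -q 'jdk.tls.rejectClientInitiatedRenegotiation=false' "$conf"; then
    echo "warning: $conf explicitly sets the property to false; the appended =true wins because it comes later" >&2
  fi
  cp "$conf" "$conf.bak"
  # $JAVA_OPTS is written literally so the shell expands it when WildFly starts.
  printf '\n# Reject client-initiated TLS renegotiation (KB 222345)\nJAVA_OPTS="$JAVA_OPTS %s"\n' "$PROP" >> "$conf"
  echo added
}

# verify_running_jvm PID
# After the restart, read the live JVM's system properties with jcmd (a JDK tool)
# and succeed only if the property is present and true.
verify_running_jvm() {
  jcmd "$1" VM.system_properties | grep -q '^jdk.tls.rejectClientInitiatedRenegotiation=true$'
}

# classify_probe OUTPUT
# Classifies captured openssl s_client output after an "R" renegotiation request.
classify_probe() {
  out="$1"
  case "$out" in
    *"alert handshake failure"*|*"alert no renegotiation"*)
      echo rejected ;;             # server refused the second handshake
    *RENEGOTIATING*)
      rest="${out#*RENEGOTIATING}"
      case "$rest" in
        *"verify return"*) echo accepted ;;   # certificate re-verified: second handshake completed
        *)                 echo inconclusive ;;
      esac ;;
    *) echo inconclusive ;;
  esac
}

# probe_renegotiation HOST PORT
# Black-box check of the TLS listener: handshake, then ask s_client to renegotiate.
probe_renegotiation() {
  out=$( (sleep 2; echo R; sleep 2) | openssl s_client -connect "$1:$2" 2>&1 ) || true
  classify_probe "$out"
}

# Operator-supplied values (assumed): path, PID, host and port of the IDM listener.
# add_renego_flag /opt/wildfly-15.0.1/bin/standalone.conf
# ... restart WildFly ...
# verify_running_jvm "$(pgrep -f jboss-modules.jar)" && echo "property active"
# probe_renegotiation idm.example.test 8443
```

Run add_renego_flag before the restart and the other two checks after it; "accepted" from the probe means the finding is still open, and "inconclusive" usually means the connection was dropped without an alert or the handshake never completed, so inspect the raw s_client output by hand.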