A recent vulnerability scan reported that IDM / IP / IG could be vulnerable to client-initiated TLS renegotiation.
Release : 14.X
Component : Identity Manager
Component : Identity Suite
Component : Identity Portal
Component : Identity Governance
Standalone:
Navigate to the WildFly bin directory (wildfly-15.0.1\bin) and edit:
Linux - standalone.conf
Windows - standalone.conf.bat
Add:
-Djdk.tls.rejectClientInitiatedRenegotiation=true to the JVM Arguments
Example:
set "JAVA_OPTS=-Xms1024m -Xmx4096m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops -Djava.awt.headless=true -Dcom.sun.jersey.server.impl.cdi.lookupExtensionInBeanManager=true -Djdk.tls.rejectClientInitiatedRenegotiation=true"
VAPP:
If you are using VAPP, you need to place the Java Arguments in a custom location.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/virtual-appliance/administering-virtual-appliance.html#concept.dita_484b93c7f06198e8b27adcc2537229358eb17777_CustomJVMArguments
Add:
-Djdk.tls.rejectClientInitiatedRenegotiation=true to the JVM Arguments
For example, with IP it will specifically be placed here:
/opt/CA/VirtualAppliance/custom/IdentityPortal/jvm-args.conf
If adding the argument to IDM directly does not work, the resolution is to apply the remediation to Java itself.
Open the Java security file (java.security, under Java\jdk1.8.0_221\jre\lib\security), find rejectClientInitiatedRenegotiation and set the value to true.
Once the changes are implemented, be sure to restart the application, as this modification only takes effect after a restart.
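As an added example that is not part of this article, the following POSIX shell script makes the standalone edit repeatable: ensure_flag appends the flag to the first JAVA_OPTS line of a standalone.conf or standalone.conf.bat only when it is missing, and jvm_has_flag checks a running JVM after the restart (it assumes jcmd from a JDK is on the PATH). The vApp jvm-args.conf format is not covered here.

```shell
#!/bin/sh
# Added example (not part of the Broadcom article): add the renegotiation
# flag to a WildFly standalone.conf / standalone.conf.bat only if it is not
# already there, then confirm a running JVM actually received it.
FLAG='-Djdk.tls.rejectClientInitiatedRenegotiation=true'

# ensure_flag <conf-file>
# Appends $FLAG inside the closing quote of the first uncommented line that
# assigns JAVA_OPTS (Linux: JAVA_OPTS="...", Windows: set "JAVA_OPTS=...").
# Returns 0 when the flag is present afterwards, 1 if no JAVA_OPTS line exists.
ensure_flag() {
    conf="$1"
    if grep -qF -- "$FLAG" "$conf"; then
        return 0                      # idempotent: never add it twice
    fi
    q='"'
    awk -v flag="$FLAG" -v q="$q" '
        !done && $0 !~ /^[[:space:]]*(#|rem|REM)/ &&
        index($0, "JAVA_OPTS=") && $0 ~ (q "[[:space:]]*$") {
            sub(q "[[:space:]]*$", " " flag q)   # insert before final quote
            done = 1
        }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    grep -qF -- "$FLAG" "$conf"
}

# jvm_has_flag <pid>
# Asks a running JVM (jcmd, JDK 8+) whether the property is really set;
# use this after restarting the application, since the conf edit alone
# changes nothing until the JVM is started again.
jvm_has_flag() {
    jcmd "$1" VM.system_properties 2>/dev/null \
        | grep -q '^jdk.tls.rejectClientInitiatedRenegotiation=true'
}
```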