udm_manager - expired self-signed certificate

Article ID: 234735

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

A security scan of our UIM Primary Hub found the self-signed certificate associated with udm_manager (port 4334) has expired.

Environment

Release : 20.3

Component : UIM - UDM

Resolution

There is no known vulnerability associated with this finding; scanners report an expired certificate regardless of whether it is exploitable, so it will show up in vulnerability scans. If desired, block port 4334 from everything except the hosts that need it: only the UIM primary/HA hub and the Operator Console robots connect to udm_manager, so a firewall rule that denies all other traffic to this port is a reasonable precaution.

As of 2/15/2022, a hotfix that replaces the certificate (so that the scan finding no longer triggers) is still being produced.

If UIM is not integrated with Spectrum or Network Flow Analysis (NFA), you can also mitigate the finding by disabling udm_manager.

Here are the steps:

1. Deactivate the discovery_server and udm_manager probes on the primary hub.
2. Using Raw Configure on the discovery_server probe, open the configuration and navigate to the setup/udm section.
3. Add the following key/value pair:
using_datomic = false

screenshot:

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=nHNLJPUosVN/UHDsesUhig==

4. Once the key has been added to discovery_server, activate the discovery_server probe and leave the udm_manager probe deactivated.

This removes the port 4334 listener, which resolves the scan finding.

Next, update controller.cfg on the primary hub. The trellis probe is configured to start after udm_manager, so with udm_manager deactivated, trellis would not start on the next hub restart.

1. Edit the file /nimsoft/robot/controller.cfg
2. Locate the <trellis> entry which begins like this:

<trellis>
   description = Trellis Application Container
   group = Service
   ...

Within this section you will see:

start_after = udm_manager

Change "udm_manager" to "data_engine" and save the file.

No hub/robot restart is needed for this change to take effect; it only matters at the next restart, when trellis would otherwise wait on a probe that never starts. It is still worth testing a restart at a convenient time to confirm that everything comes up.
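The shell helpers below are an added example, not part of this article or of the UIM product, covering the checks a practitioner would want around this workaround: reproducing the scanner's observation of the port 4334 certificate with openssl, reading a key out of a Nimsoft-style .cfg by section path (for confirming using_datomic and start_after without opening Raw Configure), and making the start_after edit scoped to the <trellis> section only. The host name, the <probes> wrapper and the other_probe section in the sample file are constructed; the sample is only shaped like the fragment quoted above. Written for a Linux hub (POSIX sh and awk); Windows hubs with CRLF line endings would need the files converted first.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: shell helpers for verifying
# the finding and applying the controller.cfg workaround described above.
# Host names, file paths and the sample configuration text are constructed.

# Show the expiry of the certificate presented on a udm_manager listener and
# return non-zero if it has already expired (-checkend 0). This reproduces what
# the scanner saw; rerun it after the hotfix or after disabling udm_manager.
# Usage: udm_cert_check primaryhub.example.com 4334   (needs network access)
udm_cert_check() {
    host=$1
    port=${2:-4334}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate -checkend 0
}

# Read one key from a Nimsoft-style cfg file by section path, e.g.
#   cfg_get controller.cfg probes/trellis/start_after
#   cfg_get discovery_server.cfg setup/udm/using_datomic   (assumed layout)
# Sections are <name> ... </name> blocks; keys are "name = value" lines.
cfg_get() {
    awk -v want="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^<\// { depth--; next }                                         # </section>
        line ~ /^</   { path[++depth] = substr(line, 2, length(line) - 2); next } # <section>
        {
            n = split(line, kv, /[ \t]*=[ \t]*/)
            if (n < 2) next
            p = ""
            for (i = 1; i <= depth; i++) p = p path[i] "/"
            if (p kv[1] == want) print kv[2]
        }' "$1"
}

# Point the trellis dependency at data_engine instead of udm_manager, touching
# only the <trellis> section so any other probe that waits for udm_manager keeps
# its setting. A .bak copy is written first; re-running is a no-op.
fix_trellis_start_after() {
    cfg=$1
    cp -p "$cfg" "$cfg.bak"
    awk '
        $1 == "<trellis>"  { in_trellis = 1 }
        $1 == "</trellis>" { in_trellis = 0 }
        in_trellis && $1 == "start_after" && $3 == "udm_manager" {
            sub(/udm_manager/, "data_engine")
        }
        { print }' "$cfg.bak" > "$cfg"
}

# Constructed controller.cfg fragment shaped like the one quoted in the article,
# plus a fictional second probe that also depends on udm_manager.
write_sample_controller_cfg() {
    cat > "$1" <<'EOF'
<controller>
   robotname = primaryhub
</controller>
<probes>
   <udm_manager>
      description = UDM Manager
      active = no
   </udm_manager>
   <trellis>
      description = Trellis Application Container
      group = Service
      start_after = udm_manager
   </trellis>
   <other_probe>
      description = constructed probe, not a real UIM component
      start_after = udm_manager
   </other_probe>
</probes>
EOF
}
```

Typical use on a hub: `cfg_get /nimsoft/robot/controller.cfg probes/trellis/start_after` to see the current value, `fix_trellis_start_after /nimsoft/robot/controller.cfg` to change it, then `cfg_get` again to confirm; `udm_cert_check` against the hub from the scanner's network position confirms whether the listener (and its expired certificate) is still reachable.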

Additional Information

If UIM is integrated with Spectrum (via spectrumgtw) or Network Flow Analysis (via nfa_inventory), do not use this workaround: disabling udm_manager affects how UIM-monitored network interfaces are presented in those products. In that case, block the port as described above (again, there is no actual vulnerability here) until the hotfix is released.

This article will be updated on release of the hotfix.