ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Security scan on OPMS has flagged Unmanaged /self signed certificates

book

Article ID: 240259

calendar_today

Updated On:

Products

CA App Synthetic Monitor

Issue/Introduction

Our security office has detected an unmanaged self signed certificate tied back to a new OPMS server that we deployed. 

We need to replace the certificate with a properly signed certificate or otherwise negate the risk

Cause

On the OPMS, the API is available on port 443 so that it can be used by a shared tunnel client running on a different OPMS.

The certificate is signed by a self-signed CA which is trusted by every OPMS on the network. This is OK because the OPMS is not accessed on this port from anywhere else except another OPMS.  Thus the security issue is a false positive.

 

Environment

Release : SAAS

Component : CA APP SYNTHETIC MONITOR (WATCHMOUSE)

Resolution

Instead of replacing the cert the OPMS can be configured to not listen on port 443. This is achieved by commenting that ssl endpoint from the nginx listener configuration.
 
Edit the file /etc/nginx/sites-enabled/smartpop.conf and comment out the whole section beginning with 

server {
 listen       *:443 ssl;

To the end of the file
Then run 'monit restart nginx'.   
This will stop the OPMS listening on port 443.
 

Additional Information

If taking a backup of the smartpop.conf file do not leave it in the same folder as the nginx process will read all files in that folder and process the content.