Weak SSL/TLS Key Exchange being reported by Qualys scans against Autosys Web Server or WebUI (WCC) ports

Article ID: 248447

Products

Autosys Workload Automation

Issue/Introduction

Qualys vulnerability scans report that the Autosys Web Server or WebUI (WCC) server on port 9443/8443 allows weak SSL/TLS key exchanges.

Environment

Workload Automation AE (AutoSys)

Resolution

  1. Ensure the keystore was generated with a key size of 2048 bits first. When the keytool command is used to create the private key, use the flag -keysize 2048 (see: Change the Web Server SSL Protocol to TLSv1.2 and Generate a Private Key and Self-Signed Certificate).
  2. For the Autosys Web Server, disable TLS v1.1 and v1.0 by updating the HTTPS connector in the file $AUTOUSER/webserver/conf/server.xml. Remove TLS 1.1/1.0 and enforce TLS 1.2 only. Remove references to any RSA 1024-bit ciphers too. The resulting connector entry should look like:

    <Connector SSLEnabled="true" acceptCount="100" ciphers="ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"  clientAuth="false" keystoreFile="/opt/CA/WorkloadAutomationAE/autouser.ACE/webserver/conf/.keystore" keystorePass="changeit" keystoreType="BCFKS" maxThreads="400" port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" relaxedQueryChars="|&lt;&gt;" scheme="https" secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>

    Note: the entire entry above is a single line.

  3. For WebUI / WCC, make the same change in $CA_WCC_INSTALL_LOCATION/tomcat/conf/server.xml:

    <Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" ciphers="ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" clientAuth="false" compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript,application/json" compression="on" disableUploadTimeout="true" enableLookups="false" keyAlias="tomcat" keystoreFile="/opt/CA/WorkloadAutomationAE/wcc/data/config/.keystore" keystorePass="changeit" maxThreads="150" minSpareThreads="25" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" server="WCC" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" useSendfile="false"/>

  4. Restart the Autosys Web Server / WCC services for the change to take effect.
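To confirm the edits in steps 2 and 3 before rescanning, the following added example (not part of this article or of the Autosys/WCC product) parses a Tomcat server.xml and reports every SSL-enabled Connector that still lists a protocol other than TLSv1.2, has no explicit cipher list, or names a suite with export, anonymous, NULL, RC4 or DES key exchange/encryption. The sample server.xml embedded below is constructed for the demonstration; run it against the real file with `audit_connectors(open(path).read())`.

```python
import xml.etree.ElementTree as ET

# Only the protocol the article keeps; TLSv1 and TLSv1.1 are the ones it removes.
ALLOWED_PROTOCOLS = {"TLSv1.2"}
# Cipher-suite name fragments that signal weak or anonymous key exchange / weak ciphers.
WEAK_FRAGMENTS = ("_anon_", "_NULL_", "EXPORT", "_RC4_", "_DES_", "3DES")

def audit_connectors(server_xml_text):
    """Return {port: [findings]} for every SSLEnabled Connector in a server.xml string.
    An empty findings list means the connector matches the hardened shape in the article."""
    root = ET.fromstring(server_xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors are out of scope for this finding
        findings = []
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            findings.append("sslEnabledProtocols unset: JVM default may still offer TLSv1/TLSv1.1")
        else:
            legacy = sorted({p.strip() for p in enabled.split(",")} - ALLOWED_PROTOCOLS)
            if legacy:
                findings.append("legacy protocols enabled: " + ", ".join(legacy))
        ciphers = conn.get("ciphers")
        if ciphers is None:
            findings.append("ciphers unset: JVM default suite list in use")
        else:
            for suite in (c.strip() for c in ciphers.split(",")):
                if any(fragment in suite for fragment in WEAK_FRAGMENTS):
                    findings.append("weak cipher suite: " + suite)
        report[conn.get("port")] = findings
    return report

# Constructed sample: the 9443 connector is left at defaults (the state Qualys flags),
# the 8443 connector carries the hardened attributes from the article.
SAMPLE_SERVER_XML = """<Server><Service>
<Connector SSLEnabled="true" port="9443" scheme="https" secure="true" sslProtocol="TLS"
 sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="/path/to/.keystore"/>
<Connector SSLEnabled="true" port="8443" scheme="https" secure="true" sslProtocol="TLS"
 sslEnabledProtocols="TLSv1.2"
 ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
<Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""

if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else findings)
```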


Additional Information