Weak SSL/TLS Key Exchange being reported by Qualys scans

Article ID: 248447

Products

Autosys Workload Automation

Issue/Introduction

A customer's Qualys vulnerability scans report that the AutoSys Web Services listening on port 9443 allow weak SSL/TLS key exchanges. How can this be fixed?

How is the same change applied to the WCC port (8443)?

Environment

Release : 12.0

Component : CA Workload Automation AE (AutoSys)

Resolution

1) First ensure the keystore was generated with a 2048-bit key: when keytool is used to create the private key, pass the flag -keysize 2048. A 1024-bit key is itself reported as a weak key exchange, and no Connector change fixes that on its own.

2) Disable TLS v1.1 and v1.0 by editing the HTTPS Connector in $AUTOUSER/webserver/conf/server.xml: set sslEnabledProtocols="TLSv1.2" so that only TLS 1.2 is accepted, and set an explicit ciphers list that no longer offers the suites tied to the 1024-bit RSA key exchange, so that the connector looks like:

<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" acceptCount="100"  ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"  keystoreFile="/opt/CA/WorkloadAutomationAE/autouser.ACE/webserver/conf/.keystore" keystorePass="changeit" maxThreads="400" scheme="https" secure="true"  clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>

Note: the entire Connector element above is written on a single line in server.xml.

Note: the cipher list above still contains the RC4 suites (SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA). Recent JDKs disable RC4 by default, so those entries are never negotiated there, and vulnerability scanners flag them as weak ciphers wherever they are still negotiable; they can be dropped from the list without affecting the TLSv1.2 AES suites.

Note: a stricter 256-bit-only list replaces the AES_128 suites with their AES_256 counterparts: "TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA". On Java 8 releases earlier than 8u161 the AES-256 suites additionally require the unlimited-strength JCE policy files to be installed.

NOTE: For WCC, the server.xml that takes the same change is /opt/CA/WorkloadAutomationAE/wcc/tomcat/conf/server.xml, and the connector looks like:

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" clientAuth="false" compressableMimeType="text/html,text/xml,text/plain,text/javascript,text/css,application/x-javascript,application/javascript,application/json" compression="on" disableUploadTimeout="true" enableLookups="false" keyAlias="tomcat" keystoreFile="/opt/CA/WorkloadAutomationAE/wcc/data/config/.keystore" keystorePass="changeit" maxThreads="150" minSpareThreads="25" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" server="WCC" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" useSendfile="false"/>

Restart the WCC services for the above change to take effect.

Note: the stricter 256-bit-only cipher list described above for the AutoSys connector applies to the WCC connector as well.

3) If a CSR needs to be generated and sent to a certificate authority to obtain a CA-issued certificate, complete those steps now, before the restart in step 4.

4) Restart the AutoSys Web Server so the new connector settings take effect.
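The following is an added example, not code from this article or from the AutoSys product: a small Python audit that reads a Tomcat server.xml and reports, for every SSLEnabled Connector, any legacy protocol still listed in sslEnabledProtocols and any weak suite in ciphers, so the edit above can be checked before the next Qualys scan runs. The sample Connector elements, the file paths in them and the script name are constructed for the example; the TLS_ECDHE_* / TLS_DHE_* suite names in the hardened 8443 connector are standard JSSE names chosen here, not a list taken from the article.

```python
# Added example (not part of the Broadcom article): audit the HTTPS Connector
# elements in a Tomcat server.xml for the settings a TLS scanner objects to.
import xml.etree.ElementTree as ET

# Protocol names that should no longer appear in sslEnabledProtocols.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Substrings of JSSE cipher-suite names that mark a suite as weak:
# RC4 and MD5 (broken), single/triple DES, NULL encryption, export grades,
# and anonymous (unauthenticated) Diffie-Hellman.
WEAK_SUITE_MARKERS = ("RC4", "_MD5", "_DES_", "3DES", "_NULL_", "EXPORT", "_anon_")


def _split_list(value):
    """Split a comma-separated Tomcat attribute, tolerating spaces after commas."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_connectors(server_xml):
    """Return {port: [issues]} for every SSLEnabled Connector in server_xml.

    An empty issue list means the connector only offers TLSv1.2 (or newer)
    with an explicit cipher list that contains no weak suites.
    """
    root = ET.fromstring(server_xml)
    findings = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors are not in scope
        issues = []

        protocols = _split_list(conn.get("sslEnabledProtocols", ""))
        if not protocols:
            issues.append("sslEnabledProtocols not set; the JVM default may still include TLSv1/TLSv1.1")
        for proto in protocols:
            if proto in LEGACY_PROTOCOLS:
                issues.append(f"legacy protocol enabled: {proto}")

        ciphers = _split_list(conn.get("ciphers", ""))
        if not ciphers:
            issues.append("ciphers not set; the JVM default suite list is offered")
        for suite in ciphers:
            if any(marker in suite for marker in WEAK_SUITE_MARKERS):
                issues.append(f"weak cipher suite: {suite}")

        findings[conn.get("port", "unknown")] = issues
    return findings


# Constructed sample (not a real server.xml): a 9443 connector that still
# allows TLSv1/TLSv1.1 and RC4 suites, an 8443 connector restricted to
# TLSv1.2 with an explicit suite list, and a plain HTTP connector to skip.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA"
               keystoreFile="/opt/CA/WorkloadAutomationAE/autouser.ACE/webserver/conf/.keystore"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
               keystoreFile="/opt/CA/WorkloadAutomationAE/wcc/data/config/.keystore"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def main(path=None):
    """Audit a server.xml on disk, or the embedded sample when no path is given."""
    xml_text = open(path).read() if path else SAMPLE_SERVER_XML
    for port, issues in audit_connectors(xml_text).items():
        status = "OK" if not issues else f"{len(issues)} issue(s)"
        print(f"connector {port}: {status}")
        for issue in issues:
            print(f"  - {issue}")


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against the real files (for example `python audit_connectors.py $AUTOUSER/webserver/conf/server.xml`, and again with the WCC tomcat/conf/server.xml) after editing and before restarting. The script only reads the configuration; it cannot see the key size, so confirm step 1 separately with `keytool -list -v -keystore <keystoreFile>`, which prints the key algorithm and size of the entry, and confirm the running server from the outside with `openssl s_client -connect host:9443 -tls1_1` (the handshake must fail) and `openssl s_client -connect host:9443 -tls1_2` (it must succeed).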

Additional Information

https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/autosys-workload-automation/12-0/installing/post-installation-procedures-for-the-server/change-the-web-server-ssl-protocol-to-tlsv1-2.html

https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/autosys-workload-automation/12-0/securing/customize-ssl-for-web-services.html#concept.dita_e9bae685bdf58105bd6bc2c90b479cf32a34adb6_GenerateaPrivateKeyandSelfSignedCertificate