Autosys Vulnerability - Weak SSL/TLS Key Exchange

Article ID: 253612

Products

CA Workload Automation AE

Issue/Introduction

Qualys reports a vulnerability with the Autosys scheduler and WCC components.

Example:

PROTOCOL  CIPHER              NAME  GROUP  KEY-SIZE  FORWARD-SECRET  CLASSICAL-STRENGTH  QUANTUM-STRENGTH
TLSv1     AES128-SHA          RSA          1024      no              80                  low
TLSv1     DHE-RSA-AES128-SHA  DHE          1024      yes             80                  low
TLSv1.1   AES128-SHA          RSA          1024      no              80                  low
TLSv1.1   DHE-RSA-AES128-SHA  DHE          1024      yes             80                  low
TLSv1.2   AES128-SHA          RSA          1024      no              80                  low
TLSv1.2   DHE-RSA-AES128-SHA  DHE          1024      yes             80                  low
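
As an added example (not part of the original article or of any Broadcom or Qualys tooling), the Python below parses result rows in the layout shown above and lists the key exchanges that fall under a strength floor, which helps when comparing a re-scan against the original finding. The 112-bit floor (roughly 2048-bit RSA/DH) and the ECDHE sample row are assumptions constructed for the example.

```python
from dataclasses import dataclass

MIN_STRENGTH_BITS = 112  # assumption: 112-bit floor, roughly 2048-bit RSA/DH

# Constructed sample: two rows from the article plus one made-up strong row.
SAMPLE = """\
PROTOCOL CIPHER NAME GROUP KEY-SIZE FORWARD-SECRET CLASSICAL-STRENGTH QUANTUM-STRENGTH
TLSv1 AES128-SHA RSA   1024 no 80 low
TLSv1.2 DHE-RSA-AES128-SHA DHE   1024 yes 80 low
TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 ECDHE secp256r1 256 yes 128 low
"""

@dataclass
class KexRow:
    protocol: str
    cipher: str
    kex: str
    group: str
    key_size: int
    forward_secret: bool
    classical_bits: int
    quantum: str

def parse_rows(text):
    """Parse whitespace-separated result rows, tolerating a blank GROUP column."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "PROTOCOL":
            continue  # skip blank lines and the header
        if len(tok) == 7:  # GROUP is empty for RSA and plain DHE rows
            tok.insert(3, "")
        if len(tok) != 8:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append(KexRow(tok[0], tok[1], tok[2], tok[3], int(tok[4]),
                           tok[5] == "yes", int(tok[6]), tok[7]))
    return rows

def summarize(rows, min_bits=MIN_STRENGTH_BITS):
    """Map (protocol, cipher) -> reason for every row below the floor."""
    out = {}
    for r in rows:
        if r.classical_bits >= min_bits:
            continue
        reason = f"{r.kex} {r.key_size}-bit (~{r.classical_bits} bits)"
        if not r.forward_secret:
            reason += ", no forward secrecy"
        out[(r.protocol, r.cipher)] = reason
    return out

if __name__ == "__main__":
    for (proto, cipher), why in summarize(parse_rows(SAMPLE)).items():
        print(f"{proto:8} {cipher:20} {why}")
```
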

Environment

Release: WAAE 11.3.6 SP8
         WCC 11.4 SP7

Resolution

The steps below configure the various components that use SSL to use TLS 1.2 and disable weak ciphers where applicable.

This link shows how to configure the AutoSys RESTful Web Server (port 9443) to use TLS 1.2:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/autosys-workload-automation/12-1/installing/post-installation-procedures-for-the-server/change-the-web-server-ssl-protocol-to-tlsv1-2.html

This link provides steps for configuring WCC and EEM to use TLS 1.2 and disabling weak ciphers for EEM.
NOTE: For the EEM portion of this document, you will need to check your EEM version first. If it is still 12.51, TLS 1.2 is not supported with that version. You would first need to upgrade EEM to 12.6.

https://knowledge.broadcom.com/external/article?articleId=74517

This link provides steps for disabling weak ciphers for WCC:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/autosys-workload-automation/12-1/installing/post-installation-procedures-for-the-server/disable-weak-ciphers-for-the-webserver.html