search cancel

DCS Manager Hostname/FQDN shows as self-signed when the UMC is CA signed

book

Article ID: 253987

calendar_today

Updated On:

Products

Data Center Security Monitoring Edition Data Center Security Server Data Center Security Server Advanced

Issue/Introduction

FQDN gets flagged on vulnerability scanners over port 443 as self signed when the manager is CA signed.

The UMC certs have been CA signed and we can see the certificate chain. 

Cause

The manager uses port 443 (https) for agent communication. In this case the vulnerability scanner is thinking there is a web server running over port 443, when that's not the case, but rather it's picking up the self-signed certs of the agent communication which is over this same port. 

Resolution

We have 3 options depending on what's preferred:

1. Make a note to the people in charge of the vulnerability scanners that this port is not hosting a web server, but instead is used for agent communication, and what's being picked up by the scanner is the self signed cert (which is the agent-cert.ssl)

2. Change the port to another port other than 443 for agent communication. This way there is nothing listening on that port. You will need to change the manager settings and then on each agent so they start using the new port. Please see a Broadcom support technician for more details on the how-to.

3. CA sign the agent cert. This way the vulnerability scanner will see that the cert used on port 443 is not self signed. Each agent will need the new CA Signed agent-cert.ssl file.

 

For more details on this please contact the Broadcom Support Team.

Attachments