SOI Manager Vulnerability - SSL Certificate Signed Using Weak Hashing Algorithm

Article ID: 260368

Updated On: 10-10-2023

Products

CA Service Operations Insight (SOI)

Issue/Introduction

A recent scan shows that the SOI Manager servers have the vulnerability below.

Plugin Name: SSL Certificate Signed Using Weak Hashing Algorithm

Port: 9443    (CVE: CVE-2004-2761)

Environment

Release : 4.2

Resolution

Follow the steps below to remediate the SSL Certificate Signed Using Weak Hashing Algorithm vulnerability on the Manager machine (wso2).
  • Stop the CA SOI WSO2 Carbon service
  • Back up the two files below from the folder <SOI Installation Directory>\wso2registry\repository\resources\security on the Manager machine, then delete them from that location:
    • wso2carbon.jks
    • client-truststore.jks
  • Regenerate the new self-signed certificates. keytool must be on the PATH; if it is not, add it (for example, by using the JRE from the SOI installation: set PATH=<SOI Installation Directory>\jre\bin;%PATH%). Then run the commands below from the command line. You can use your own password for keystore creation; replace each <PasswordHere> placeholder in the commands below:
    • keytool -genkeypair -alias wso2carbon -keyalg RSA -keysize 2048 -keystore wso2carbon.jks -dname "CN=localhost,O=WSO2,L=Mountain View,ST=CA,C=US" -validity 7300 -storepass <PasswordHere> -keypass <PasswordHere> -ext bc=ca:true
    • keytool -certreq -keystore wso2carbon.jks -storepass <PasswordHere> -alias wso2carbon -file wso2carbon.csr
    • keytool -gencert -keystore wso2carbon.jks -validity 7300 -storepass <PasswordHere> -alias wso2carbon -infile wso2carbon.csr -outfile wso2carbon.cer
    • keytool -noprompt -import -alias wso2carbon -file wso2carbon.cer -storetype JKS -keystore client-truststore.jks -storepass <PasswordHere>
  • After the above commands complete successfully, copy the two files below to <SOI Installation Directory>\wso2registry\repository\resources\security
    • wso2carbon.jks
    • client-truststore.jks
  • If you changed the default password (wso2carbon) while generating the keystore with the above commands, update the files below with the new password
    • C:\Program Files (x86)\CA\SOI\wso2registry\repository\conf\carbon.xml
      • update new password in <Password> and <KeyPassword> tags
    • C:\Program Files (x86)\CA\SOI\wso2registry\repository\conf\identity\application-authentication.xml
      • update new password in <Parameter name="TrustStorePassword"> 
    • C:\Program Files (x86)\CA\SOI\wso2registry\repository\conf\identity\EndpointConfig.properties
      • update new password for Carbon.Security.KeyStore.Password and Carbon.Security.TrustStore.Password
    • C:\Program Files (x86)\CA\SOI\wso2registry\repository\conf\identity\identity.xml
      • update new password in tag <Password><PasswordHere></Password>
    • C:\Program Files (x86)\CA\SOI\wso2registry\repository\conf\tomcat\catalina-server.xml
      • update new password in keystorePass="<PasswordHere>"
  • Start the CA SOI WSO2 Carbon service
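
The keytool commands above do not pass -sigalg, so the hash used to sign the new certificate depends on the keytool default of the JRE in use. The following PowerShell check is an added example, not part of the original article or the product: run it after the service has restarted to confirm that neither the regenerated keystore nor the listener on port 9443 presents a certificate signed with a weak hash. The default installation path, the localhost target, the TLS 1.2 setting and the function names are assumptions to adapt.

```powershell
# Added example. Path and password are placeholders to adapt.
$Keystore  = 'C:\Program Files (x86)\CA\SOI\wso2registry\repository\resources\security\wso2carbon.jks'
$StorePass = '<PasswordHere>'    # same placeholder as in the keytool commands
$Weak      = 'MD2|MD4|MD5|SHA1'  # hash families treated as weak here (assumption)

function Test-WeakSignature([string]$Algorithm) {
    # keytool prints e.g. "SHA256withRSA"; .NET prints e.g. "sha256RSA"
    return $Algorithm -match "^($Weak)"
}

function Get-KeystoreSignatures([string]$Path, [string]$Pass) {
    # -J-Duser.language=en forces English labels so the patterns below match
    $alias = ''
    & keytool -J-Duser.language=en -list -v -keystore $Path -storepass $Pass |
        ForEach-Object {
            if ($_ -match '^\s*Alias name:\s*(.+)$') { $alias = $Matches[1] }
            elseif ($_ -match '^\s*Signature algorithm name:\s*(\S+)') {
                $alg = $Matches[1]
                [pscustomobject]@{
                    Source    = "keystore:$alias"
                    Algorithm = $alg
                    Weak      = (Test-WeakSignature $alg)
                }
            }
        }
}

function Get-ServerSignature([string]$HostName, [int]$Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate: the goal is to inspect it, not to trust it
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        # TLS 1.2 is assumed to be enabled on the listener
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $alg = $cert.SignatureAlgorithm.FriendlyName
        [pscustomobject]@{
            Source = "${HostName}:$Port"; Algorithm = $alg; Weak = (Test-WeakSignature $alg)
        }
    } finally { $tcp.Close() }
}

# Port 9443 is the port named in the scan finding
@(Get-KeystoreSignatures $Keystore $StorePass) + @(Get-ServerSignature 'localhost' 9443) |
    Format-Table -AutoSize
```

Any row with Weak = True means that certificate is still signed with an MD2, MD4, MD5 or SHA-1 based algorithm and the scan finding will persist.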