SOI-UIM connector and SOI-ServiceNow connector Vulnerability - SSL Certificate Signed Using Weak Hashing Algorithm
Article ID: 260370

Products

CA Service Operations Insight (SOI)

Issue/Introduction

A recent vulnerability scan reports that the SOI-UIM and SOI-ServiceNow connectors present an SSL certificate signed using a weak hashing algorithm on port 7440 (CVE: CVE-2004-2761).

Plugin Name: SSL Certificate Signed Using Weak Hashing Algorithm
Port: 7440    (CVE: CVE-2004-2761)

Plugin Output: 
The following certificates were part of the certificate chain sent by
the remote host, but contain hashes that are considered to be weak.

Subject             : CN=CatalystRoot
Signature Algorithm : SHA-1 With RSA Encryption
Valid From          : Nov 17 15:07:50 2011 GMT
Valid To            : Nov 13 15:07:50 2031 GMT

Environment

Release : 4.2

Resolution

The following steps remediate the SSL Certificate Signed Using Weak Hashing Algorithm finding on Catalyst Container machines. The procedure applies to both the SOI-UIM connector and the SOI-ServiceNow connector.
  • Stop the CA Catalyst Container CatalystConnector service
  • Back up the two files below from the folder <Catalyst Installation Directory>\CatalystConnector\container\security on the Catalyst Connector machine, then delete them from that location:
    • default-keystore.jks
    • default-truststore.jks
  • Regenerate new self-signed certificates with the following steps.
keytool must be on the PATH; if it is not, set it (for example, using the JRE from the Catalyst installation: set PATH=<Catalyst Installation Directory>\CatalystConnector\jre\bin;%PATH%), then run the commands below from the command line. You can use your own keystore password: in the commands below, replace each occurrence of the value password with your own.
    • keytool -genkeypair -alias catalyst-root -keyalg RSA -keysize 2048 -keystore default-keystore.jks -dname "CN=CatalystRoot" -validity 7300 -storepass password -keypass password -ext bc=ca:true
    • keytool -genkeypair -alias default -keyalg RSA -keysize 2048 -keystore default-keystore.jks -dname "CN=Catalyst3.1" -validity 7300 -storepass password -keypass password
    • keytool -certreq -keystore default-keystore.jks -storepass password -alias default -file default-keystore.csr
    • keytool -gencert -keystore default-keystore.jks -validity 7300 -storepass password -alias catalyst-root -infile default-keystore.csr -outfile default.cer
    • keytool -importcert -keystore default-keystore.jks -storepass password -file default.cer -alias default
    • keytool -exportcert -storetype JKS -keystore default-keystore.jks -storepass password -alias catalyst-root -rfc > catalyst-root.cer
    • keytool -delete -noprompt -alias catalyst-root -keystore default-keystore.jks -storepass password
    • keytool -import -alias catalyst-root -file catalyst-root.cer -storetype JKS -keystore default-truststore.jks -storepass password
    • keytool -import -alias default -file default.cer -storetype JKS -keystore default-truststore.jks -storepass password 
  • After the above commands have completed successfully, copy the two files below to <Catalyst Installation Directory>\CatalystConnector\container\security:
    • default-keystore.jks
    • default-truststore.jks
  • Run the following commands from the command line:
    • cd <Catalyst Installation Directory>\CatalystConnector\tools\encrypt
    • encrypter.bat password
    • Copy the encrypted data from the output of the above command and use it to replace the existing value in the corresponding tags of the file <Catalyst Installation Directory>\CatalystConnector\registry\topology\physical\<hostname>_CatalystConnector\<hostname>_CatalystConnector-config.xml
  • Start the CA Catalyst Container CatalystConnector service
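To confirm that the regenerated chain no longer carries a SHA-1 (or MD5) signature before re-running the scanner, the following script is an added example, not part of the Broadcom article or the Catalyst product. It implements the same decision the scanner plugin makes: it reads a PEM bundle such as catalyst-root.cer or default.cer (as produced by keytool -exportcert -rfc above), walks the outer DER structure of each certificate to the signatureAlgorithm OID, and flags the MD5- and SHA-1-based algorithms as weak. The make_fake_cert_pem fixture and the OID constants are constructed for self-testing and produce structurally valid but otherwise meaningless certificates; file names and the script name are assumptions.

```python
import base64
import re
import sys

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) mapped to
# (name, considered_weak). Scanners flag MD5- and SHA-1-based signatures.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted notation."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_oid(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER X.509 cert.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    Only the outer structure is walked; tbsCertificate is skipped as a blob.
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)             # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)      # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid_raw, _ = _read_tlv(alg_id, 0)     # OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return _decode_oid(oid_raw)


def check_chain(pem_text):
    """Classify every certificate in a PEM bundle by its signature algorithm."""
    report = []
    for m in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        oid = signature_oid(der)
        # Unknown algorithms are reported as weak so they get a manual look.
        name, weak = SIG_ALG_OIDS.get(oid, ("unknown (" + oid + ")", True))
        report.append({"oid": oid, "algorithm": name, "weak": weak})
    return report


# --- constructed test fixtures: valid outer DER, opaque/empty body ----------
def _tlv(tag, value):
    """DER-encode tag + length (short or long form) + value."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def make_fake_cert_pem(oid_content, tbs_len=0):
    """Build a PEM 'certificate' whose only meaningful field is the outer
    signatureAlgorithm. Not a real certificate; it exists to exercise the
    checker, including long-form lengths when tbs_len is large."""
    tbs = _tlv(0x30, bytes(tbs_len))                        # opaque filler
    alg = _tlv(0x30, _tlv(0x06, oid_content) + b"\x05\x00")  # OID + NULL
    sig = _tlv(0x03, b"\x00")                               # empty BIT STRING
    der = _tlv(0x30, tbs + alg + sig)
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


SHA1_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11


if __name__ == "__main__":
    # Usage (assumed script name): python check_sigalg.py catalyst-root.cer default.cer
    for path in sys.argv[1:]:
        with open(path) as fh:
            for entry in check_chain(fh.read()):
                print(path, entry["algorithm"], "WEAK" if entry["weak"] else "ok")
```

Run it against catalyst-root.cer and default.cer after the keytool steps; both should report sha256WithRSAEncryption. keytool -list -v -keystore default-truststore.jks -storepass password prints the same information as "Signature algorithm name" for each entry. Note that keytool picks the signature algorithm from the JRE defaults: recent JREs sign RSA keys with SHA-256, but the bundled Catalyst JRE may be old enough to default to SHA1withRSA, in which case add -sigalg SHA256withRSA to the -genkeypair and -gencert commands and re-check with this script.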