Webview (HTTPS) error with Chrome/Firefox
Users accessing CA APM WebView and/or Team Center see a browser error: "Server has a weak ephemeral Diffie-Hellman public key." This is preventing use of the web applications.
A screen shot of the error message is attached to the original article.
Cause: recent attacks against TLS (e.g. "Logjam") target the Diffie-Hellman key exchange when it is configured with an initial parameter (the prime "p") smaller than 1024 bits.
Recent browser updates therefore lock users out when they try to connect to servers configured with weak Diffie-Hellman primes; these browsers have been changed to refuse such connections. This is not a defect in APM. It is caused by a change in how browsers handle the TLS encryption handshake.
For users of CA APM 9.7 and 10.0, do one of the following:
1. Set the “-DephemeralDHKeySize=1024” property. This requires Java 7u85 or above.
Add the above setting to the lax.nl.java.option.additional section in Introscope_WebView.lax.
If the EM is configured to run as a Windows service, add the following to <EM HOME>/bin/WVService.conf. In the example below, .4 is the last item in the wrapper.java.additional parameters; your setup may vary, so use the next free number according to your WVService.conf file.
Note: CA APM 10.1 will ship with a newer version of Java 8 that is not affected by this issue.
2. Configure Jetty to use the cipher suites below:
Update the config/webview-jetty-config.xml file and replace the cipher suite configuration with:
Note: Don't forget to uncomment those lines by removing the leading <!-- and trailing -->.
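To confirm that either fix took effect, the following added check (not part of the CA article) parses the "Server Temp Key" line that openssl s_client prints after a handshake and flags a finite-field DH prime below 1024 bits; the run_s_client helper and its host/port arguments are assumptions, and the line is only printed by OpenSSL 1.0.2 or later.

```python
"""Flag a TLS server that still negotiates a weak ephemeral Diffie-Hellman prime.

Parses the "Server Temp Key" line printed by `openssl s_client`, for example
"Server Temp Key: DH, 1024 bits" or "Server Temp Key: ECDH, P-256, 256 bits".
"""
import re
import subprocess
from typing import Optional, Tuple

# Threshold from the Logjam advisory: DH primes below 1024 bits are weak.
MIN_DH_BITS = 1024

_TEMP_KEY_RE = re.compile(
    r"^Server Temp Key:\s*(?P<kind>[A-Za-z0-9]+)"   # DH, ECDH, X25519, ...
    r"(?:,\s*(?P<curve>[^,]+))?"                    # optional curve name
    r",\s*(?P<bits>\d+)\s*bits",
    re.M,
)


def parse_temp_key(s_client_output: str) -> Optional[Tuple[str, int]]:
    """Return (key-exchange kind, bits) from s_client output, or None if absent."""
    m = _TEMP_KEY_RE.search(s_client_output)
    if not m:
        return None
    return m.group("kind").upper(), int(m.group("bits"))


def is_weak_dh(s_client_output: str, min_bits: int = MIN_DH_BITS) -> bool:
    """True only when the server chose finite-field DH with a prime below min_bits."""
    parsed = parse_temp_key(s_client_output)
    if parsed is None:
        return False  # no ephemeral key printed (RSA key exchange or handshake failed)
    kind, bits = parsed
    return kind == "DH" and bits < min_bits


def run_s_client(host: str, port: int) -> str:
    """Assumed helper: handshake with host:port, offering only DHE suites so the DH size shows."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", "EDH"],
        input=b"", capture_output=True, timeout=20,
    )
    return proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    # Constructed sample output, not captured from a real WebView server.
    SAMPLE = "SSL-Session:\n    Protocol  : TLSv1.2\nServer Temp Key: DH, 512 bits\n"
    print("weak DH:", is_weak_dh(SAMPLE))
```

If the server offers no DHE suite at all (fix 2 applied), the handshake fails under -cipher EDH and the check reports no weak DH, which is the intended outcome.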
- https://weakdh.org/ -- Weak Diffie-Hellman and the Logjam Attack
- https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange -- Diffie-Hellman key exchange