Diffie-Hellman key error with Firefox and Chrome browsers connecting to CA SSO Administrative UI

Article ID: 32935

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Summary:

When using the Chrome or Firefox web browsers to connect to the CA SSO Administrative UI (WAMUI), the connection fails and the browsers return Diffie-Hellman key errors.

Examples:

---------------------------------------------------------------------------------------------------------------------------------------------


CHROME:

Error:

Server has a weak ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

This error can occur when connecting to a secure (HTTPS) server. It means that the server is trying to set up a secure connection but, due to a disastrous misconfiguration, the connection wouldn't be secure at all!
In this case the server needs to be fixed. Google Chrome won't use insecure connections in order to protect your privacy.
Learn more about this problem.

---------------------------------------------------------------------------------------------------------------------------------------------


FIREFOX:

An error occurred during a connection to <hostName.domain.com>:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

---------------------------------------------------------------------------------------------------------------------------------------------

These Diffie-Hellman errors do not occur with Internet Explorer.

Environment

Release: ETRSBB99000-12.52-SiteMinder-B to B

Component:


This issue occurs in the default configuration of the underlying JBOSS application server, which is bundled with the WAMUI as the 'WAMUI-Prereq'.

Resolution

Instructions:


To resolve this, the JBOSS 'server.xml' file needs to be modified manually.


1) Logon to the host running the Administrative UI.

2) Stop the CA SSO Administrative UI (this stops the embedded JBOSS Server).


     Unix:


          a. Navigate to:

              <WAMUI Home>/CA/siteminder/adminui/bin/administrative_ui_install


          b. Run the following command:

              shutdown.sh


     Windows:


          a. Load services.msc


          b. Stop the "SiteMinder AdminUI" Service



3) Browse to the 'server.xml' file.


     Default Path: siteminder/adminui/server/default/deploy/jbossweb.sar/server.xml


4) Copy the 'server.xml' and name the copy 'server.xml.<date>.BAK'.


5) Open the 'server.xml' file with a text editor.


6) Modify the "SSL Connector" section.


OLD VALUE:


<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA" connectionTimeout="20000" emptySessionPath="true" enableLookups="true" keyAlias="tomcat" keystoreFile="jsse.keystore" keystorePass="changeit" keystoreType="jks" maxHttpHeaderSize="10240" maxPostSize="0" maxSpareThreads="75" minSpareThreads="5" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"/>


NEW VALUE:


<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" connectionTimeout="20000" emptySessionPath="true" enableLookups="true" keyAlias="tomcat" keystoreFile="jsse.keystore" keystorePass="changeit" keystoreType="jks" maxHttpHeaderSize="10240" maxPostSize="0" maxSpareThreads="75" minSpareThreads="5" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"/>


7) Save the changes


8) Start the CA SSO Admin UI


9) Connect the Admin UI using either the Firefox or Chrome web browsers.
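The audit below is an added example, not CA's own tooling: it parses a 'server.xml', pulls the cipher list from the SSLEnabled Connector and flags the finite-field DHE suites (TLS_DHE_*/SSL_DHE_*), which are the suites that make the JVM send the ephemeral DH parameters the browsers reject, and also lists any RC4 suites still present so they can be reviewed. The <Server>/<Service> wrapper around the Connector is an assumption; the two cipher lists are the OLD and NEW values from this article.

```python
"""Audit the cipher list of the SSL Connector in a JBoss 'server.xml'."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: hypothetical <Server>/<Service> wrapper around a Connector
# carrying the OLD VALUE cipher list from the article (other attributes trimmed).
OLD_SERVER_XML = """<Server><Service name="jboss.web">
<Connector SSLEnabled="true" port="8443" scheme="https" secure="true"
  ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA"/>
</Service></Server>"""

# Same constructed wrapper with the NEW VALUE cipher list.
NEW_SERVER_XML = """<Server><Service name="jboss.web">
<Connector SSLEnabled="true" port="8443" scheme="https" secure="true" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"/>
</Service></Server>"""

DHE_RE = re.compile(r"^(TLS|SSL)_DHE_")     # finite-field ephemeral DH suites
ECDHE_RE = re.compile(r"^TLS_ECDHE_")       # elliptic-curve replacements


def ssl_connector_ciphers(xml_text):
    """Return the cipher names of every Connector with SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    suites = []
    for conn in root.iter("Connector"):  # iter() also yields root itself if it is a Connector
        if conn.get("SSLEnabled", "").lower() == "true":
            suites += [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
    return suites


def audit(xml_text):
    """Classify the offered suites; 'weak_dh' lists the DHE suites to remove."""
    suites = ssl_connector_ciphers(xml_text)
    return {
        "weak_dh": [s for s in suites if DHE_RE.match(s)],
        "ecdhe": [s for s in suites if ECDHE_RE.match(s)],
        "rc4": [s for s in suites if "_RC4_" in s],
        "total": len(suites),
    }


if __name__ == "__main__":
    for label, xml_text in (("OLD", OLD_SERVER_XML), ("NEW", NEW_SERVER_XML)):
        r = audit(xml_text)
        print(f"{label}: {r['total']} suites, DHE={len(r['weak_dh'])}, "
              f"ECDHE={len(r['ecdhe'])}, RC4={len(r['rc4'])}")
```

Run it against the real file with `audit(open(path).read())`; an empty 'weak_dh' list means the DHE suites behind the browser error are gone.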


The Diffie-Hellman error is no longer shown. A browser warning may still appear at this point; that warning is because the RootCA is not trusted.


If you click on the "Advanced" link, you can proceed to the site.


Or, you can import the RootCA certificate to trust it and no longer get this warning ("Your connection is not private.").


If you click on the PADLOCK icon in the Address Bar (where the https is crossed out), you will get information on which protocol is currently in use.


Here you can see that this connection uses TLS 1.0.


Additional Information

Tech Tip - CA Single Sign-On:Administrative UI: Does the standalone Admin UI installation support TLSv1.2 ?