Found cipher-related vulnerabilities for the CA Directory Management UI
CA Directory 14.1 SP5
The vulnerabilities relate to DxAgent (TLS/SSL Weak Message Authentication Code Cipher Suites, and TLS/SSL Server Supports The Use of Static Key Ciphers).
Please raise a support ticket to obtain the test fix.
To test the fix, follow the steps below.
Take a backup of DXHOME/dxagent/dxagent_default_config.py and DXHOME/dxagent/dxagent_cp_engine.py files.
Stop the DxAgent
Copy the provided test fix files dxagent_default_config.py and dxagent_cp_engine.py to the DXHOME/dxagent folder.
Add the new configuration variable DXAGENT_SERVER_CIPHERS, set to the ciphers you want DxAgent to use, to the DXHOME/dxagent/dxagent_config.py file. For details of the cipher string format, check the Python documentation.
Below is a sample where DXAGENT_SERVER_CIPHERS is set to a selection of ciphers; it is a test example only.
DXAGENT_SERVER_CIPHERS = 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
Note:
Set the ciphers you need in DXAGENT_SERVER_CIPHERS. If DXAGENT_SERVER_CIPHERS is not set, DxAgent uses the default ciphers enabled by Python.
The configuration parameter DXAGENT_SERVER_CIPHERS should be added only to the DXHOME/dxagent/dxagent_config.py file.
Start the DxAgent and test the DxAgent functionality.
Perform the vulnerability scan and let us know the results.
Consider this the test fix for the issues in DxAgent.
As for the Management UI issue (Untrusted TLS/SSL server X.509 certificate), the certificates generated during installation are self-signed certificates.
You can generate your own CA-signed certificates and use them instead.
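Before starting DxAgent it is worth checking what the configured string actually enables on the local OpenSSL build. The script below is an added example, not part of the test fix or of CA Directory; it assumes DxAgent passes DXAGENT_SERVER_CIPHERS to Python's ssl module unchanged (which the pointer to the Python documentation suggests) and flags every TLS 1.2 suite that would re-trigger the two scanner findings (a key exchange without forward secrecy, or a SHA1/MD5 MAC).

```python
import ssl

# Sample list from this article, reused here as the input under test.
DXAGENT_SERVER_CIPHERS = (
    'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:'
    'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:'
    'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:'
    'ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:'
    'ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'
)

# Key-exchange methods with forward secrecy; anything else (e.g. kx-rsa)
# is a "static key" suite of the kind the scanner reported.
FORWARD_SECRET_KEA = {'kx-ecdhe', 'kx-dhe'}
# MAC digests behind the "weak message authentication code" finding.
WEAK_MAC_DIGESTS = {'md5', 'sha1'}


def audit_cipher_string(cipher_string):
    """Apply cipher_string to a server-side SSLContext the way OpenSSL
    does and return (enabled_names, findings).  findings holds
    (cipher_name, reason) for each TLS 1.2 suite that would bring back one
    of the two scanner findings.  Raises ssl.SSLError when no suite in the
    string is supported by the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    enabled, findings = [], []
    for c in ctx.get_ciphers():
        if c['protocol'] == 'TLSv1.3':
            continue  # TLS 1.3 suites are not governed by this string
        enabled.append(c['name'])
        if c['kea'] not in FORWARD_SECRET_KEA:
            findings.append((c['name'], 'static key exchange: ' + c['kea']))
        if not c['aead'] and c['digest'] in WEAK_MAC_DIGESTS:
            findings.append((c['name'], 'weak MAC digest: ' + c['digest']))
    return enabled, findings


def cipher_string_is_usable(cipher_string):
    """True when OpenSSL accepts at least one suite from cipher_string."""
    try:
        audit_cipher_string(cipher_string)
        return True
    except ssl.SSLError:
        return False


if __name__ == '__main__':
    names, problems = audit_cipher_string(DXAGENT_SERVER_CIPHERS)
    print('enabled:', ', '.join(names))
    for name, reason in problems:
        print('FINDING', name, reason)
```

Run it once with the string you intend to put in dxagent_config.py; an empty findings list means the scanner's two cipher checks should stay clean after restart.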
Reference Defect#DE636359