Removing Security vulnerabilities scan issue from Autosys EEM ephemeral / Dynamic ports

Article ID: 400671

Products

Autosys Workload Automation

Issue/Introduction

We have followed the directions in the following two KB articles to address the self-signed certificate and weak cipher findings on EEM port 5250:
    Configuring a vendor issued or custom SSL certificate for WebUI/WCC, Autosys Web Server (AEWS), CA Directory (dxserver) and EEM (iGateway)
    Enabling TLSv1.2 on ports 509, 5250 and 8443 and specifying a cipherlist.
However, the security scan still reports the same vulnerabilities on two ephemeral / Dynamic ports owned by the EEM process.

The ports flagged are 40431 and 43411; both belong to the igateway process, as the netstat output below shows.

[<user>@<hostname> ~]# netstat -tulpn | grep -i :40431
tcp        0      0 XXX.XXX.XXX.XXX:40431     0.0.0.0:*               LISTEN      715775/./igateway
[<user>@<hostname> ~]# netstat -tulpn | grep -i :5250
tcp6       0      0 :::5250                 :::*                    LISTEN      715775/./igateway
[<user>@<hostname> ~]# netstat -tulpn | grep -i :43411
tcp        0      0  XXX.XXX.XXX.XXX:43411     0.0.0.0:*               LISTEN      715775/./igateway


Self-signed certificate finding example:

Asset Name: <hostname>.<domain>.com
Plugin ID: 51192
Vuln Name: SSL Certificate Cannot Be Trusted
Port: 40431
Last Seen: 2025-04-29T00:13:52

The following certificate was at the top of the certificate
chain sent by the remote host, but it is signed by an unknown
certificate authority :
|-Subject : CN=iTechPoz/CN=Entities/CN=Hosts/CN=<hostname>.<domain>.com
|-Issuer  : CN=iTechPoz/CN=Entities/CN=Hosts/CN=<hostname>.<domain>.com

Weak cipher finding example:

Asset Name: <hostname>.<domain>.com
Plugin ID: 20007
Vuln Name: SSL Version 2 and 3 Protocol Detection
Port: 40431
Last Seen: 2025-06-07T19:58:49

    - SSLv3 is enabled and the server supports at least one cipher.
        Explanation: TLS 1.0 and SSL 3.0 cipher suites may be used with SSLv3


      Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

        Name                          Code             KEX           Auth     Encryption             MAC
        ----------------------        ----------       ---           ----     ---------------------  ---
        EDH-RSA-DES-CBC3-SHA                           DH            RSA      3DES-CBC(168)          SHA1
        ADH-DES-CBC3-SHA                               DH            None     3DES-CBC(168)          SHA1
        ECDHE-RSA-DES-CBC3-SHA                         ECDH          RSA      3DES-CBC(168)          SHA1
        AECDH-DES-CBC3-SHA                             ECDH          None     3DES-CBC(168)          SHA1
        DES-CBC3-SHA                                   RSA           RSA      3DES-CBC(168)          SHA1

      High Strength Ciphers (>= 112-bit key)

        Name                          Code             KEX           Auth     Encryption             MAC
        ----------------------        ----------       ---           ----     ---------------------  ---
        DHE-RSA-AES128-SHA                             DH            RSA      AES-CBC(128)           SHA1
        DHE-RSA-AES256-SHA                             DH            RSA      AES-CBC(256)           SHA1
        DHE-RSA-CAMELLIA128-SHA                        DH            RSA      Camellia-CBC(128)      SHA1
        DHE-RSA-CAMELLIA256-SHA                        DH            RSA      Camellia-CBC(256)      SHA1
        DHE-RSA-SEED-SHA                               DH            RSA      SEED-CBC(128)          SHA1
        ADH-AES128-SHA                                 DH            None     AES-CBC(128)           SHA1
        ADH-AES256-SHA                                 DH            None     AES-CBC(256)           SHA1
        ADH-CAMELLIA128-SHA                            DH            None     Camellia-CBC(128)      SHA1
        ADH-CAMELLIA256-SHA                            DH            None     Camellia-CBC(256)      SHA1
        ADH-RC4-MD5                                    DH            None     RC4(128)               MD5
        ADH-SEED-SHA                                   DH            None     SEED-CBC(128)          SHA1
        ECDHE-RSA-AES128-SHA                           ECDH          RSA      AES-CBC(128)           SHA1
        ECDHE-RSA-AES256-SHA                           ECDH          RSA      AES-CBC(256)           SHA1
        ECDHE-RSA-RC4-SHA                              ECDH          RSA      RC4(128)               SHA1
        AECDH-AES128-SHA                               ECDH          None     AES-CBC(128)           SHA1
        AECDH-AES256-SHA                               ECDH          None     AES-CBC(256)           SHA1
        AECDH-RC4-SHA                                  ECDH          None     RC4(128)               SHA1
        AES128-SHA                                     RSA           RSA      AES-CBC(128)           SHA1
        AES256-SHA                                     RSA           RSA      AES-CBC(256)           SHA1
        CAMELLIA128-SHA                                RSA           RSA      Camellia-CBC(128)      SHA1
        CAMELLIA256-SHA                                RSA           RSA      Camellia-CBC(256)      SHA1
        RC4-MD5                                        RSA           RSA      RC4(128)               MD5
        RC4-SHA                                        RSA           RSA      RC4(128)               SHA1
        SEED-SHA                                       RSA           RSA      SEED-CBC(128)          SHA1
        DHE-RSA-AES128-SHA256                          DH            RSA      AES-CBC(128)           SHA256
        DHE-RSA-AES256-SHA256                          DH            RSA      AES-CBC(256)           SHA256
        DH-AES128-SHA256                               DH            None     AES-CBC(128)           SHA256
        DH-AES256-SHA256                               DH            None     AES-CBC(256)           SHA256
        ECDHE-RSA-AES128-SHA256                        ECDH          RSA      AES-CBC(128)           SHA256
        ECDHE-RSA-AES256-SHA384                        ECDH          RSA      AES-CBC(256)           SHA384
        RSA-AES128-SHA256                              RSA           RSA      AES-CBC(128)           SHA256
        RSA-AES256-SHA256                              RSA           RSA      AES-CBC(256)           SHA256

    The fields above are :

      {Tenable ciphername}
      {Cipher ID code}
      Kex={key exchange}
      Auth={authentication}
      Encrypt={symmetric encryption method}
      MAC={message authentication code}
      {export flag}

Environment

Autosys 12.x, 24.x
EEM 12.x

Cause

Configuration issue in igateway.conf: the safetynet connectors that own the ephemeral / Dynamic ports use their own hard-coded certificate files (safetynet.cer / safetynet.key) and lack the secureProtocol and cipherlist settings that were applied to port 5250, so the scanner still sees the default self-signed certificate and the weak protocol/cipher set on those ports.

Resolution

Process to use the same SSL certificate setup for port 5250 on the ephemeral / Dynamic ports

The certificate file names for the ephemeral / Dynamic ports (safetynet.cer and safetynet.key) are hard-coded in the application, so they cannot be changed; instead, the certificate and key already configured for port 5250 are copied under those names.
Do the following on the EEM server:

  1. cd <SharedComponents>/iTechnology/
  2. Back up the two files below:
    cp -rp safetynet.cer safetynet.cer.org
    cp -rp safetynet.key safetynet.key.org
  3. From Step #25 of the referenced KB article:
    #25) Extract the private key. changeit is the keystore password throughout the above commands, so provide changeit as the password for the next 3 commands (including the passphrases for the keys).
    openssl pkcs12 -in .keystore.PKCS12 -nocerts -out encrypted-private.key
    openssl pkcs12 -in .keystore.PKCS12 -clcerts -nokeys -out server-cert.pem
    openssl rsa -in encrypted-private.key -out itechpoz.key
  4. Copy the extracted key and certificate to the hard-coded names:
    cp -p itechpoz.key safetynet.key
    cp -p server-cert.pem safetynet.cer
    Note: itechpoz.key and safetynet.key now hold the private key without a passphrase, so keep their ownership and permissions as restrictive as the backed-up originals.
  5. Restart the services

Process to update igateway.conf so the ephemeral / Dynamic ports use TLS 1.2, by adding the <secureProtocol> and <cipherlist> lines to both safetynet connectors

Edit igateway.conf and make the following changes. The two added lines in each connector are <secureProtocol> and <cipherlist>; both connectors bind with <port>0</port>, which is why the OS assigns the dynamic port numbers reported by the scan.

        <Connector name="secure_safetynet">
            <bind-address>localhost</bind-address>
            <port>0</port>
            <mustlisten>true</mustlisten>
            <conntype>secure</conntype>
            <conntimeout>86400</conntimeout>
            <maxconnections>100</maxconnections>
            <maxrequestbytes>10000000</maxrequestbytes>
            <maxpiperequests>100</maxpiperequests>
            <secureProtocol>TLSv1_2</secureProtocol>
            <cipherlist>-ALL:HIGH:!RC4</cipherlist>
        </Connector>

        <Connector name="safetynet">
            <bind-address>localhost</bind-address>
            <port>0</port>
            <mustlisten>true</mustlisten>
            <conntype>secure</conntype>
            <conntimeout>86400</conntimeout>
            <maxconnections>100</maxconnections>
            <maxrequestbytes>10000000</maxrequestbytes>
            <maxpiperequests>100</maxpiperequests>
            <maxAcceptRate/>
            <secureProtocol>TLSv1_2</secureProtocol>
            <cipherlist>-ALL:HIGH:!RC4</cipherlist>
        </Connector>

Restart the services

Additional Information

Testing the ephemeral / Dynamic ports example

Commands to find the igateway Dynamic ports:
ps -few | grep igateway        ## to get the PID
netstat -pant | grep <pid>     ## to get the dynamic listen ports for igateway

Command to check the signed SSL certificate (the Issuer shown should now be your CA, not the self-signed iTechPoz subject):
openssl s_client -connect localhost:40431

Commands to test for weak protocols (TLS 1.0 and 1.1 must be rejected; only TLS 1.2 should complete the handshake):
openssl s_client -connect localhost:40431 -tls1
openssl s_client -connect localhost:40431 -tls1_1
openssl s_client -connect localhost:40431 -tls1_2

When TLS 1.0 or 1.1 is tried, an error such as the one below is seen. Note that s_client still prints "Verify return code: 0 (ok)" because no certificate was received; the "write:errno=104" and "Cipher is (NONE)" lines are what show the protocol was refused.

openssl s_client -connect localhost:40431 -tls1_1
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 104 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1749494233
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
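The manual checks above can be scripted so every dynamic port is covered after each restart. The script below is an added example and is not part of the KB article or the product; it assumes an igateway PID and a CA bundle path passed as arguments (the script name check_igateway.sh is hypothetical), and it treats "Cipher is (NONE)" rather than the verify return code as the sign of a refused protocol, for the reason shown in the transcript above.

```shell
# Added example, not part of the KB article: list the dynamic ports igateway
# listens on, then confirm each refuses TLS 1.0/1.1 and completes a TLS 1.2
# handshake chaining to the CA file you supply (assumed path). Usage:
#   sh check_igateway.sh <igateway pid> <ca.pem> [host, default localhost]
# Listening TCP ports owned by PID $1, from `netstat -pant` output on stdin
# (handles both "10.0.0.5:40431" and ":::5250" local addresses).
listen_ports() {
    awk -v pid="$1" '$6 == "LISTEN" && $7 ~ ("^" pid "/") {
        n = split($4, a, ":"); print a[n] }' | sort -un
}

# 0 only if the s_client transcript in $1 shows a completed, verified handshake.
# Caveat from the KB output: a refused protocol still prints "Verify return
# code: 0 (ok)", so refusal must be detected from "Cipher is (NONE)" first.
handshake_ok() {
    case "$1" in
        *"Cipher is (NONE)"*|*"write:errno"*|*"alert protocol version"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -q "Verify return code: 0 (ok)"
}

# s_client transcript for host $1, port $2, protocol flag $3, optional CA file $4.
probe() {
    if [ -n "${4:-}" ]; then set -- "$1" "$2" "$3" -CAfile "$4"; else set -- "$1" "$2" "$3"; fi
    host=$1; port=$2; shift 2
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>&1
}

# One port: TLS 1.0 and 1.1 must be rejected; TLS 1.2 must verify against the CA.
check_port() {
    host=$1; port=$2; cafile=$3; rc=0
    for flag in -tls1 -tls1_1; do
        if handshake_ok "$(probe "$host" "$port" "$flag")"; then
            echo "FAIL $port: $flag accepted"; rc=1
        else
            echo "ok   $port: $flag rejected"
        fi
    done
    if handshake_ok "$(probe "$host" "$port" -tls1_2 "$cafile")"; then
        echo "ok   $port: TLS 1.2 handshake verified"
    else
        echo "FAIL $port: TLS 1.2 handshake or chain verification failed"; rc=1
    fi
    return $rc
}
if [ "$#" -ge 2 ]; then
    netstat -pant 2>/dev/null | listen_ports "$1" | while read -r port; do
        check_port "${3:-localhost}" "$port" "$2"
    done
fi
```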