Why is CORBA TLS enabled on SpectroSERVER even though OneClick GUI sets it to No?

Article ID: 433376

Products

Network Observability Spectrum

Issue/Introduction

CORBA TLS has been set to No in the OneClick GUI. However, the .corbarc and .jcorbarc files on the SpectroSERVER show the following parameter set to true:

vbroker.security.alwaysSecure=true

Why is there a discrepancy?

If these ports (14012, 14013) are blocked in the firewall, what is the impact on the system? 

Environment

DX NetOps Spectrum all currently supported releases

Resolution

Secure CORBA is enabled by default with the following attribute setting in the $SPECROOT/.corbarc file, and Spectrum applications listen on ports 14011, 14012, 14013, and 14014:
 
vbroker.security.disable=false
 
Do not modify the default vbroker.security.disable=false parameter in the .corbarc file unless you intend to disable secure CORBA entirely. If this value is set to true, Spectrum applications (SpectroSERVER, ArchMgr, LocServer, and OneClick) will stop listening on the secure ports (14011–14014) and will only listen on the standard CORBA ports (14001–14004).
 
If "Use Secure CORBA (TLS)" is set to "No" on the OneClick -> Administration -> Spectrum Configuration page, communication occurs on the non-secure, standard CORBA ports (14001–14004).
 
 
If it is "Yes," communication occurs on the secure CORBA ports (14011–14014), and you need to enable these ports on any firewalls to establish the TCP connections.
 
If the secure CORBA ports (14011–14014) are not enabled, set Secure CORBA (TLS) to "No".
 
 
 
Setting the following parameter to true enforces TLS security on all CORBA calls. Use it to enable additional encryption with the CORBA certificates:
 
vbroker.security.alwaysSecure=true
 
If all of the ports (both secure and non-secure) are blocked, the SpectroSERVER and OneClick cannot communicate, so you would not see status, events/alarms, or any data when selecting models.
 
The following parameter is used to control secure CORBA ports:
 
vbroker.security.disable=false
 
With this setting, both secure and standard CORBA ports will show a listening state. However, TCP connections are determined by the Spectrum configuration page. By default, "Use Secure CORBA (TLS)" is set to "No," meaning the OneClick (OC) client establishes connections via standard CORBA ports (14002–14004).
 
If this value is changed to "Yes," the OC client establishes TCP connections via the secure CORBA ports (14012–14014). However, while vbroker.security.disable=true, the secure CORBA ports (14012–14014) are not in a listening state, so the OC client does not make TCP connections over them even though "Use Secure CORBA (TLS)" is set to "Yes."
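
The following is an added example, not part of the original article and not Broadcom tooling: a Python check that combines the two .corbarc properties with the OneClick "Use Secure CORBA (TLS)" value and reports which ports listen, which ports the OC client uses, and any mismatch. The function names, the handling of `#` comment lines, and the sample file text are assumptions; the port ranges are the ones given in the article.

```python
import socket

STANDARD = range(14001, 14005)  # standard CORBA ports named in the article
SECURE = range(14011, 14015)    # secure CORBA ports named in the article

def parse_corbarc(text):
    """Return key=value properties; blank and '#' lines are skipped (assumed format)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def evaluate(props, oneclick_use_tls):
    """Combine .corbarc properties with the OneClick 'Use Secure CORBA (TLS)' value."""
    # Assumption: a missing key means the shipped default, disable=false.
    secure_off = props.get("vbroker.security.disable", "false").lower() == "true"
    listening = list(STANDARD) + ([] if secure_off else list(SECURE))
    client = list(SECURE) if oneclick_use_tls else list(STANDARD)
    findings = []
    if oneclick_use_tls and secure_off:
        findings.append("OneClick is Yes but vbroker.security.disable=true: "
                        "secure ports are not listening")
    if oneclick_use_tls and not secure_off:
        findings.append("firewalls must allow the secure CORBA ports")
    if props.get("vbroker.security.alwaysSecure", "").lower() == "true":
        findings.append("vbroker.security.alwaysSecure=true: TLS enforced on CORBA calls")
    return {"listening": listening, "client": client, "findings": findings}

def probe(host, ports, timeout=1.0):
    """Return the ports on host that accept a TCP connection (firewall/listener check)."""
    reachable = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable.append(port)
        except OSError:
            pass  # closed, filtered, or not listening
    return reachable

# Constructed sample reproducing the situation in the article (not a real file).
SAMPLE = "# constructed excerpt\nvbroker.security.disable=false\nvbroker.security.alwaysSecure=true\n"

if __name__ == "__main__":
    report = evaluate(parse_corbarc(SAMPLE), oneclick_use_tls=False)
    for name, value in report.items():
        print(name, value)
```

Run `probe()` from the OneClick host against the SpectroSERVER with `report["client"]` to confirm that the ports the client will use are reachable through the firewall.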
 
 

Additional Information

Refer to the following sections of the TechDocs for further details:

 
and
 
With regard to the certificates under $SPECROOT/custom/VBNS/trustpoints, these custom CORBA certificates add an extra layer of encryption for both standard and secure CORBA ports. Do not remove the default certificates that shipped with the Spectrum installation.