topic Re: Weak SSL ciphers in Server Management - Systems Insight Manager

Weak SSL ciphers

Rusty Williams — Thu, 15 Nov 2007 17:46:07 GMT

Can I configure Insight Manager 5.1 to avoid the use of weak SSL ciphers? Thanks.

Re: Weak SSL ciphers

Daniel Leblanc — Fri, 16 Nov 2007 12:36:50 GMT

SSL cipher? for web page ,SNMP?

Dan

Re: Weak SSL ciphers

Rusty Williams — Fri, 16 Nov 2007 15:30:09 GMT

Sorry, for the web page. If possible I'd like to prevent the Insight Manager website from using weak encryption.

Re: Weak SSL ciphers

Daniel Leblanc — Fri, 16 Nov 2007 15:39:12 GMT

I am not sure but i have this web page that esplains the securite,
http://www.docs.hp.com/en/418811-002/ch01s08.html

PS:Don't ferget to apply you re points,there situated next to every message date and time as UNASSIGNED.

Dan

Re: Weak SSL ciphers

Rusty Williams — Fri, 16 Nov 2007 18:01:09 GMT

Let me explain more. I know that Insight Manager uses an embeded version of Tomcat. In a normal tomcat install, you can configure the .conf files to customize your site. I am wondering if I am able to access the conf files in the embeded tomcat. If I can, then I can configure them to not allow SSLv2.

Regarding points, which is better, low or high?

Re: Weak SSL ciphers

Daniel Leblanc — Mon, 19 Nov 2007 09:18:47 GMT

Always high ;)

Dan

Re: Weak SSL ciphers

Daniel Leblanc — Mon, 19 Nov 2007 09:35:33 GMT

Sorry Rusty, tried to find somethings in these isue,not many people have wanted to go there, i have up upgrade the securite between the server,because if you look at the information between HP sim server and HP client(SNMP) it using V1,yerk so i applied this way.

it could be weak cypher at the level of the web server,but at least it got one ;),between the server insight and it client majorite don't use securite.

http://support.microsoft.com/kb/324261/en-us

i configure a template and applied it every where.

Sorry can't help you if you get a final solution it would great if informe every body here,it will great.

Thank you and have a nice day.

Daniel

Re: Weak SSL ciphers

A. Edens — Mon, 19 Nov 2007 15:32:13 GMT

Rusty,

I believe the file you are looking for is:

C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\jbossweb-tomcat50.sar\server.xml.

In this file, there are 3 connectors defined for ports 50000, 50001 and 50002.

The last variable in each connector line is 'sslProtocol="XXX".

Here is a link to Apache Tomcat 5.5 and the SSL settings for it.

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

I can't tell you if simply defining a stronger sslProtcol will do what you want, since I am not willing to break my SIM installation trying. :)

Also, I suspect any changes you make to this file will get overwritten during upgrades, etc..

Good luck.

Re: Weak SSL ciphers

Rusty Williams — Mon, 19 Nov 2007 18:03:40 GMT

Thanks for the info. I had already poked my head around the server.xml file, but was afraid to make changes until I saw your post. Here's what I found: NOTHING WORKS.

Our security team would like to prevent insight manager from using SSLv2. I can't imagine just changing the ssl protocol from TLS to SSL would accomplish that. I tried specifying SSLv3, but that prevented insight manager from working. I also tried adding ciphers="blah,blah" where blah and blah equal different SSLv3 ciphers. Again, it just prevented insight manager from loading.

At this point, I've probably wasted too much time on this. Unless someone posts something spectacularly insightful, I'm calling this a lost cause.

Thanks for your help.

Re: Weak SSL ciphers

Phil McIlwraith — Tue, 16 Sep 2008 03:38:11 GMT

I have just implemented this. You are correct in the need to edit the servers.xml file.

I added the ciphers field and value pair as follows:
ciphers="SSL_RSA_WITH_RC4_128_MD5"

to the line:

You can add additional ciphers but I was happy to go with one I knew was available on all admin workstations.