topic Re: HP SIM and TLS1.0/1.1 in Server Management - Systems Insight Manager

HP SIM and TLS1.0/1.1

Ted Wood — Wed, 22 Nov 2023 05:43:41 GMT

Is it possible to configure HP SIM to NOT use TLS1.0 and TLS1.1? Our internal security team is pressuring us to "remediate the TLS vulnerability on your system" before November 10th.

Re: HP SIM and TLS1.0/1.1

BPSingh — Wed, 15 Nov 2023 16:15:18 GMT

Greetings!

The command "mxcipher -d" can be used to list what ciphers are in effect. Please check this first.We can get the ciphers used by SIM running command mxcipher –d. As per the update, we need to make SIM to use only ciphers showing TLSv1.2.Follow the actions below:<< Take a Valid Backup before making changes.1. Stop HPE SIM services. msxtop
2. Make a secure copy of <SIM Install Directory>\Config\SecuritySettings.props.
3. Edit the file SecuritySettings.props then set as below
CIPHERS-USER=TLS_RSA_WITH_AES_128_CBC_SHA256 for example
4. Save the file.
5. Run the command mxcipher –e 2 which will update the cipher suites.
6. Restart HPE SIM services. mxstart
7. Run the command mxcipher –d which should show the selected ciphers are being used.After doing these changes SIM should be running only with TLSv1.2.Note:HPE SIM default ciphers are being used.
1. TLS_RSA_WITH_AES_128_CBC_SHA256 << tls1.2
2. TLS_RSA_WITH_AES_256_CBC_SHA << tls1.0
3. TLS_RSA_WITH_AES_128_CBC_SHA << tls 1.0
4. SSL_RSA_WITH_RC4_128_MD5 << tls1.0
5. SSL_RSA_WITH_RC4_128_SHA << tls1.2

Re: HP SIM and TLS1.0/1.1

Ted Wood — Wed, 15 Nov 2023 17:57:44 GMT

I am able to change the cipher suite to "TLS_RSA_WITH_AES_128_CBC_SHA256" but when I try to open HP SIM I get a message "ERR_SSL_VERSION_OR_CIPHER_MISMATCH".

These are the cipher suites supported by my machine and "TLS_RSA_WITH_AES_128_CBC_SHA256" is among them. What am I doing wrong?

PS Z:\> Get-TlsCipherSuite | Format-Table -Property CipherSuite, Name, hash

CipherSuite Name Hash
----------- ---- ----
0 TLS_AES_256_GCM_SHA384
0 TLS_AES_128_GCM_SHA256
49200 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
49199 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
49192 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 SHA384
49191 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 SHA256
49172 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA SHA1
49171 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA SHA1
0 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
49195 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
49188 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 SHA384
49187 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 SHA256
49162 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA SHA1
49161 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SHA1
157 TLS_RSA_WITH_AES_256_GCM_SHA384
156 TLS_RSA_WITH_AES_128_GCM_SHA256
61 TLS_RSA_WITH_AES_256_CBC_SHA256 SHA256
60 TLS_RSA_WITH_AES_128_CBC_SHA256 SHA256
53 TLS_RSA_WITH_AES_256_CBC_SHA SHA1
47 TLS_RSA_WITH_AES_128_CBC_SHA SHA1
0 TLS_CHACHA20_POLY1305_SHA256
0 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Re: HP SIM and TLS1.0/1.1

BPSingh — Mon, 20 Nov 2023 08:17:04 GMT

Greetings!

Please check if this is happening across different browsers.

Re: HP SIM and TLS1.0/1.1

Ted Wood — Tue, 21 Nov 2023 19:23:53 GMT

Yes, this happens with both Chrome and Edge browsers.

Re: HP SIM and TLS1.0/1.1

BPSingh — Wed, 22 Nov 2023 05:41:47 GMT

Greetings!

This needs to be investigated. Please logs a support case for further investigation.

Re: HP SIM and TLS1.0/1.1

Ted Wood — Fri, 24 Nov 2023 05:46:19 GMT

@BPSingh

Well, I seem to have messed up badly. I added a cipher to the CIPHERS-USER parameter in SecuritySettings.prop and successfully ran mxcipher -e 2. After I restarted the HP SIM service with mxstop/mxstart I could no longer connect to HP SIM from a browser, nor would HP SIM recognize mxcipher commands. I tried to recover using my backup copy of SecuritySettings.prop but I get this message:

C:\Program Files\HP\Systems Insight Manager>mxcipher -e 1
There was a problem connecting to the HPE Systems Insight Manager server. Make sure that:
1. Your username has been added to HPE Systems Insight Manager.
2. Your username and password, if specified, are correctly spelled.
3. HPE Systems Insight Manager is running.
4. You used '--' for any long options and double quotes if your username includes a domain.
Example: <commandname> --user "mydomain\myusername" --pass mypassword

As far as I can tell, there was a typo in the cipher name that I added to the CIPHERS-USER parameter in SecuritySettings.prop but why would that cause HP SIM to go unresponsive? Is there any way to recover from this?

Re: HP SIM and TLS1.0/1.1

BPSingh — Sat, 25 Nov 2023 05:25:41 GMT

Greetings!

This can also happen if the SIM database has been corrupted but you have already attempted to restore from backup but get the error that you mentioned.

Could you check if HP SIM service is up and running? Please restart the service and check.

If SIM version is 7.x, then please check this.

https://support.hpe.com/hpesc/public/docDisplay?docId=kc0102390en_us&docLocale=en_US

Re: HP SIM and TLS1.0/1.1

Ted Wood — Fri, 02 Feb 2024 05:52:50 GMT

@BPSingh Thanks to everyone that his helped so far. I was able to get the HP SIM installation recovered and to *mostly* use TLS 1.2. However our security team again flagged my HP SIM server as using TLS 1.0 and 1.1. Ports 50000, 50001, 50002 and 50005 are at TLS 1.2 or are not even using TLS but port 50004 is still using TLS 1.0 and 1.1.

A netstat shows that all of those ports are associated with the process ID of mxdomainmgr.exe. Why would port 50004 be still using TLS 1.0 and 1.1???

This is starting to drive me a bit mental...

Re: HP SIM and TLS1.0/1.1

BPSingh — Fri, 02 Feb 2024 07:51:56 GMT

Greetings!

The port 50004 is only used for receiving WBEM events. If the vulnerability is reported only on this port, probably the port can be disabled as a workaround.

The file globalsettings.props has the setting WBEM_Indications_Listener_Port=50004, which enables the port.

Set the value to WBEM_Indications_Listener_Port=99999 and restart SIM , during SIM restart it can throw an error like( in mxdomainmgr log) that port is out of range and does not enable the port. This should not impact any other operations of SIM.