Community
Server Management - Systems Insight Manager
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Weak SSL ciphers

SOLVED
Go to solution
Rusty Williams
Rusty Williams
Occasional Contributor

‎11-15-2007 09:46 AM

‎11-15-2007 09:46 AM

Weak SSL ciphers

Can I configure Insight Manager 5.1 to avoid the use of weak SSL ciphers? Thanks.
0 Kudos
Reply
9 REPLIES
Daniel Leblanc
Daniel Leblanc
Honored Contributor

‎11-16-2007 04:36 AM

‎11-16-2007 04:36 AM

Re: Weak SSL ciphers

SSL cipher? for web page ,SNMP?

Dan
0 Kudos
Reply
Rusty Williams
Rusty Williams
Occasional Contributor

‎11-16-2007 07:30 AM

‎11-16-2007 07:30 AM

Re: Weak SSL ciphers

Sorry, for the web page. If possible I'd like to prevent the Insight Manager website from using weak encryption.
0 Kudos
Reply
Daniel Leblanc
Daniel Leblanc
Honored Contributor

‎11-16-2007 07:39 AM

‎11-16-2007 07:39 AM

Re: Weak SSL ciphers

I am not sure but i have this web page that esplains the securite,
http://www.docs.hp.com/en/418811-002/ch01s08.html

PS:Don't ferget to apply you re points,there situated next to every message date and time as UNASSIGNED.

Dan
0 Kudos
Reply
Rusty Williams
Rusty Williams
Occasional Contributor

‎11-16-2007 10:01 AM

‎11-16-2007 10:01 AM

Re: Weak SSL ciphers

Let me explain more. I know that Insight Manager uses an embeded version of Tomcat. In a normal tomcat install, you can configure the .conf files to customize your site. I am wondering if I am able to access the conf files in the embeded tomcat. If I can, then I can configure them to not allow SSLv2.

Regarding points, which is better, low or high?
0 Kudos
Reply
Daniel Leblanc
Daniel Leblanc
Honored Contributor

‎11-19-2007 01:18 AM

‎11-19-2007 01:18 AM

Re: Weak SSL ciphers

Always high ;)

Dan
0 Kudos
Reply
Daniel Leblanc
Daniel Leblanc
Honored Contributor

‎11-19-2007 01:35 AM

‎11-19-2007 01:35 AM

Re: Weak SSL ciphers

Sorry Rusty, tried to find somethings in these isue,not many people have wanted to go there, i have up upgrade the securite between the server,because if you look at the information between HP sim server and HP client(SNMP) it using V1,yerk so i applied this way.

it could be weak cypher at the level of the web server,but at least it got one ;),between the server insight and it client majorite don't use securite.

http://support.microsoft.com/kb/324261/en-us

i configure a template and applied it every where.

Sorry can't help you if you get a final solution it would great if informe every body here,it will great.

Thank you and have a nice day.

Daniel
0 Kudos
Reply
A. Edens
A. Edens
Frequent Advisor

‎11-19-2007 07:32 AM

‎11-19-2007 07:32 AM

Solution

Re: Weak SSL ciphers

Rusty,

I believe the file you are looking for is:

C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\jbossweb-tomcat50.sar\server.xml.

In this file, there are 3 connectors defined for ports 50000, 50001 and 50002.

The last variable in each connector line is 'sslProtocol="XXX".

Here is a link to Apache Tomcat 5.5 and the SSL settings for it.

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

I can't tell you if simply defining a stronger sslProtcol will do what you want, since I am not willing to break my SIM installation trying. :)

Also, I suspect any changes you make to this file will get overwritten during upgrades, etc..

Good luck.
Reply
Rusty Williams
Rusty Williams
Occasional Contributor

‎11-19-2007 10:03 AM

‎11-19-2007 10:03 AM

Re: Weak SSL ciphers

Thanks for the info. I had already poked my head around the server.xml file, but was afraid to make changes until I saw your post. Here's what I found: NOTHING WORKS.

Our security team would like to prevent insight manager from using SSLv2. I can't imagine just changing the ssl protocol from TLS to SSL would accomplish that. I tried specifying SSLv3, but that prevented insight manager from working. I also tried adding ciphers="blah,blah" where blah and blah equal different SSLv3 ciphers. Again, it just prevented insight manager from loading.

At this point, I've probably wasted too much time on this. Unless someone posts something spectacularly insightful, I'm calling this a lost cause.

Thanks for your help.
0 Kudos
Reply
Phil McIlwraith
Phil McIlwraith
Occasional Visitor

‎09-15-2008 08:38 PM

‎09-15-2008 08:38 PM

Re: Weak SSL ciphers

I have just implemented this. You are correct in the need to edit the servers.xml file.

I added the ciphers field and value pair as follows:
ciphers="SSL_RSA_WITH_RC4_128_MD5"

to the line:



You can add additional ciphers but I was happy to go with one I knew was available on all admin workstations.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.