Solved: Weak SSL ciphers

Rusty Williams · ‎11-15-2007

Can I configure Insight Manager 5.1 to avoid the use of weak SSL ciphers? Thanks.

Daniel Leblanc · ‎11-16-2007

SSL cipher? for web page ,SNMP?

Dan

Rusty Williams · ‎11-16-2007

Sorry, for the web page. If possible I'd like to prevent the Insight Manager website from using weak encryption.

Daniel Leblanc · ‎11-16-2007

I am not sure but i have this web page that esplains the securite,
http://www.docs.hp.com/en/418811-002/ch01s08.html

PS:Don't ferget to apply you re points,there situated next to every message date and time as UNASSIGNED.

Dan

Rusty Williams · ‎11-16-2007

Let me explain more. I know that Insight Manager uses an embeded version of Tomcat. In a normal tomcat install, you can configure the .conf files to customize your site. I am wondering if I am able to access the conf files in the embeded tomcat. If I can, then I can configure them to not allow SSLv2.

Regarding points, which is better, low or high?

Daniel Leblanc · ‎11-19-2007

Always high ;)

Dan

Daniel Leblanc · ‎11-19-2007

Sorry Rusty, tried to find somethings in these isue,not many people have wanted to go there, i have up upgrade the securite between the server,because if you look at the information between HP sim server and HP client(SNMP) it using V1,yerk so i applied this way.

it could be weak cypher at the level of the web server,but at least it got one ;),between the server insight and it client majorite don't use securite.

http://support.microsoft.com/kb/324261/en-us

i configure a template and applied it every where.

Sorry can't help you if you get a final solution it would great if informe every body here,it will great.

Thank you and have a nice day.

Daniel

A. Edens · ‎11-19-2007

Rusty,

I believe the file you are looking for is:

C:\Program Files\HP\Systems Insight Manager\jboss\server\hpsim\deploy\jbossweb-tomcat50.sar\server.xml.

In this file, there are 3 connectors defined for ports 50000, 50001 and 50002.

The last variable in each connector line is 'sslProtocol="XXX".

Here is a link to Apache Tomcat 5.5 and the SSL settings for it.

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

I can't tell you if simply defining a stronger sslProtcol will do what you want, since I am not willing to break my SIM installation trying. :)

Also, I suspect any changes you make to this file will get overwritten during upgrades, etc..

Good luck.

Rusty Williams · ‎11-19-2007

Thanks for the info. I had already poked my head around the server.xml file, but was afraid to make changes until I saw your post. Here's what I found: NOTHING WORKS.

Our security team would like to prevent insight manager from using SSLv2. I can't imagine just changing the ssl protocol from TLS to SSL would accomplish that. I tried specifying SSLv3, but that prevented insight manager from working. I also tried adding ciphers="blah,blah" where blah and blah equal different SSLv3 ciphers. Again, it just prevented insight manager from loading.

At this point, I've probably wasted too much time on this. Unless someone posts something spectacularly insightful, I'm calling this a lost cause.

Thanks for your help.

Phil McIlwraith · ‎09-15-2008

I have just implemented this. You are correct in the need to edit the servers.xml file.

I added the ciphers field and value pair as follows:
ciphers="SSL_RSA_WITH_RC4_128_MD5"

to the line:

You can add additional ciphers but I was happy to go with one I knew was available on all admin workstations.

Weak SSL ciphers

Weak SSL ciphers

Re: Weak SSL ciphers

Re: Weak SSL ciphers

Re: Weak SSL ciphers

Re: Weak SSL ciphers

Re: Weak SSL ciphers

Re: Weak SSL ciphers

Re: Weak SSL ciphers

Re: Weak SSL ciphers

Re: Weak SSL ciphers

Hewlett Packard Enterprise International