
Migration IMC 7.2 to 7.3 problems ciphers

 
PierreP59
Occasional Advisor

Migration IMC 7.2 to 7.3 problems ciphers

Hi, 

I am currently working on the upgrade of IMC 7.2 to 7.3.

I have updated:

- iMC_PLAT_7.3_E0504_Std_Win
- iMC_NTA_7.3_E0504
- iMC_WSM_7.3_E0505
- iMC_SHM_7.3_E0502
- iMC_PLAT_7.3_E0506_Std_Win
- iMC_PLAT_7.3_E0605_Std_Win
- iMC_SHM_7.3_E0504
- iMC_PLAT_7.3_E0705_Std_Win
- iMC_PLAT_7.3_E0705P10_Patch_Win
- iMC_NTA_7.3_E0506
- iMC_NTA_7.3_E0509
- iMC_NTA_7.3_E0509P01

 

I added the ciphers to my file IMC/client/conf/server.xml:

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" clientAuth="false" compressableMimeType="text/html,text/xml,text/xhtml,text/css,text/javascript,text/plain" compression="on" compressionMinSize="2048" connectionTimeout="60000" disableUploadTimeout="true" enableLookups="false" keystoreFile="security/newks" keystorePass="iMCV500R001" maxHttpHeaderSize="8192" maxPostSize="5242880" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS"/>

Then, after upgrading

- iMC_NTA_7.3_E0509 to iMC_NTA_7.3_E0509P01

when I go to the site, my browser loops on the link and shows me a blank page, and on inspecting the element it displays: Strict-Transport-Security, the connection to the site is not trustworthy. Do you know if my ciphers are correct?
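
As an added example (not part of the original post, and not HPE's code): a small Python check that reads the `ciphers` attribute of each SSL-enabled Connector in a Tomcat-style server.xml and classifies every suite from its name. The embedded XML is a constructed, trimmed sample carrying the cipher list from the post above, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# The eight suites from the post's Connector, embedded in a constructed, trimmed server.xml.
POST_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
]
SAMPLE_SERVER_XML = (
    '<Server><Service name="Catalina">'
    '<Connector port="8080"/>'
    '<Connector port="8443" SSLEnabled="true" scheme="https" sslProtocol="TLS" '
    'ciphers="%s"/></Service></Server>' % ",".join(POST_CIPHERS)
)

def classify(suite):
    """Read key exchange, cipher mode and MAC off a JSSE/IANA suite name."""
    head, sep, tail = suite.partition("_WITH_")
    if not sep:  # TLS 1.3 naming: AEAD only; certificate handshakes use (EC)DHE
        return {"suite": suite, "forward_secrecy": True, "aead": True, "sha1_mac": False}
    parts = tail.split("_")
    return {
        "suite": suite,
        "forward_secrecy": head.startswith(("TLS_ECDHE_", "TLS_DHE_")),
        "aead": any(p in ("GCM", "CCM", "CHACHA20") for p in parts),
        "sha1_mac": parts[-1] == "SHA",
    }

def audit_connectors(server_xml_text):
    """Return {port: [classification, ...]} for each SSL-enabled Connector.
    An empty list means no ciphers attribute: the JVM defaults apply."""
    report = {}
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() == "true":
            names = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
            report[conn.get("port")] = [classify(n) for n in names]
    return report

def summarize(findings):
    """Group suite names by the property a reviewer would question."""
    pick = lambda key, want: [f["suite"] for f in findings if f[key] is want]
    return {"total": len(findings),
            "no_forward_secrecy": pick("forward_secrecy", False),
            "non_aead": pick("aead", False),
            "sha1_mac": pick("sha1_mac", True)}

if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, summarize(findings))
```

On the list from the post this reports eight CBC-mode suites, four of which use static RSA key exchange; running it against the live server.xml after each upgrade step also shows whether the `ciphers` attribute is still present.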

 

 

jguse
HPE Pro
Solution

Re: Migration IMC 7.2 to 7.3 problems ciphers

Hello,

What is the reason for editing the ciphers in server.xml manually? This should not be needed.

The only issue with SSL Ciphers that I know of is affecting IMC versions prior to 7.3 E0705. It's something you would fix before upgrading, and requires you to run the MSKBsC.exe included in the 'tools' folder of the iMC 7.3 E0605 download. Make sure to use the one in E0605 download and not from earlier versions, as the E0605 MSKBsC.exe is a newer version that automatically removes affected ciphers from the system for you.

As for the security warning, if you connect to IMC's Web GUI with HTTPS, you will always get a security certificate warning - that's normal as the default cert is Self-Signed, and you'd need to install your own trusted, signed cert to avoid such an error.

Best regards,
Justin

Working @ HPE
PierreP59
Occasional Advisor

Re: Migration IMC 7.2 to 7.3 problems ciphers

Hi Justin, 

Thanks for your fast response

What is the reason for editing the ciphers in server.xml manually? 

After the upgrade to iMC_PLAT_7.3_E0605_Std_Win, this white page appeared, and I followed this:

Solved: Re: Login page SSL error after upgrade to iMC PLA... - Hewlett Packard Enterprise Community (hpe.com)

denn93

Once the IMC web interface was up again, I continued with the updates.

 

I just ran MSKBsC.exe, but it doesn't change the ciphers in my /IMC/client/conf/server.xml file, and MSKBsC.exe displays: Check passed.

I totally understand about the security warning; I accept the risk, but once accepted the page remains blank.

Best regards,

Pierre.

 

 

jguse
HPE Pro

Re: Migration IMC 7.2 to 7.3 problems ciphers

Hello,

Sorry for the delay. The edit to server.xml makes sense. Have you checked the current server.xml file in your iMC? It was likely overwritten after upgrade, so if you had to make changes to ciphers here to get the web interface working, perhaps it needs to be edited again?

The MSKBsC issue I was referring to is only relevant before you upgrade - once you are on E0705+ it's no longer affected.

If you still have issues, you can try to check iMC\client\log\imcforeground.log after you reproduce the issue and look for errors, as that's the web interface log. Otherwise you may need to open a support case to investigate this further.

Best regards,
Justin

Working @ HPE
PierreP59
Occasional Advisor

Re: Migration IMC 7.2 to 7.3 problems ciphers

Hi,

I retried the upgrade from 7.2 to 7.3.

I executed the MSKBsC (E605) before the upgrade,
rebooted my server, then I upgraded in this order:
- iMC_PLAT_7.3_E0506_Std_Win
- iMC_PLAT_7.3_E0605_Std_Win
- iMC_PLAT_7.3_E0705_Std_Win
- iMC_PLAT_7.3_E0705P10_Patch_Win
- iMC_NTA_7.3_E0506
- iMC_WSM_7.3_E0505
- iMC_SHM_7.3_E0502
MSKB of (705), but the check passed without correction

- iMC_NTA_7.3_E0509
- iMC_WSM_7.3_E0602
- iMC_WSM_7.3_E0604
- iMC_WSM_7.3_E0604P01
- iMC_NTA_7.3_E0509P01

So far OK, but as soon as I upgrade SHM 502 to 504 I find myself again with a blank page. I therefore returned to the state after the upgrade to 509P01 and I will stop there for the upgrades.
Thanks for your help.

Best regards
Pierre

 

jguse
HPE Pro

Re: Migration IMC 7.2 to 7.3 problems ciphers

Hello,

Thanks for the details - I just realized which SHM version you are using there. It's numerous versions behind the IMC Platform and other modules you are using and isn't compatible with your platform. The latest version of SHM is 7.3 E0516 and is compatible with IMC 7.3 E0705P04 and later versions.

See: https://h10145.www1.hpe.com/downloads/SoftwareReleases.aspx?ProductNumber=JH710AAE

Can you please try upgrading SHM and see if that helps?

Best regards,
Justin

Working @ HPE
PierreP59
Occasional Advisor

Re: Migration IMC 7.2 to 7.3 problems ciphers

Hello Justin,

Version 502 is fine for me; I don't have time to go to a higher version, and in reality the mods are not used by the team. I now have another problem: since version 7.3 the backups of my HPE switches no longer work via TFTP, or when I start the backup manually via IMC it informs me that the transmission protocol is not supported, while in version 7.2 it was working normally. Do you know if things have changed?
I have an HPE 5120 switch and a 3600.

Best regards
Pierre