HPE Community
Server Management - Systems Insight Manager
1820880 Members
3483 Online
109628 Solutions
New Discussion

HP SIM and TLS1.0/1.1

 
Ted Wood
Occasional Advisor

‎11-07-2023 02:20 PM - last edited on ‎11-21-2023 09:43 PM by

‎11-07-2023 02:20 PM - last edited on ‎11-21-2023 09:43 PM by

HP SIM and TLS1.0/1.1

Is it possible to configure HP SIM to NOT use TLS1.0 and TLS1.1?  Our internal security team is pressuring us to "remediate the TLS vulnerability on your system" before November 10th.

Reply
9 REPLIES 9
BPSingh
HPE Pro

‎11-15-2023 08:15 AM

‎11-15-2023 08:15 AM

Re: HP SIM and TLS1.0/1.1

Greetings!

The command "mxcipher -d" can be used to list what ciphers are in effect. Please check this first.We can get the ciphers used by SIM running command mxcipher –d. As per the update, we need to make SIM to use only ciphers showing TLSv1.2.Follow the actions below:<< Take a Valid Backup before making changes.1. Stop HPE SIM services.  msxtop
2. Make a secure copy of <SIM Install Directory>\Config\SecuritySettings.props.
3. Edit the file SecuritySettings.props then set as below
CIPHERS-USER=TLS_RSA_WITH_AES_128_CBC_SHA256  for example
4. Save the file.
5. Run the command mxcipher –e 2 which will update the cipher suites.
6. Restart HPE SIM services. mxstart
7. Run the command mxcipher –d which should show the selected ciphers are being used.After doing these changes SIM should be running only with TLSv1.2.Note:HPE SIM default ciphers are being used.
1. TLS_RSA_WITH_AES_128_CBC_SHA256 << tls1.2
2. TLS_RSA_WITH_AES_256_CBC_SHA  << tls1.0
3. TLS_RSA_WITH_AES_128_CBC_SHA << tls 1.0
4. SSL_RSA_WITH_RC4_128_MD5  << tls1.0
5. SSL_RSA_WITH_RC4_128_SHA << tls1.2



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Ted Wood
Occasional Advisor

‎11-15-2023 09:57 AM

‎11-15-2023 09:57 AM

Re: HP SIM and TLS1.0/1.1

I am able to change the cipher suite to "TLS_RSA_WITH_AES_128_CBC_SHA256" but when I try to open HP SIM I get a message "ERR_SSL_VERSION_OR_CIPHER_MISMATCH".

These are the cipher suites supported by my machine and "TLS_RSA_WITH_AES_128_CBC_SHA256" is among them.  What am I doing wrong?

PS Z:\> Get-TlsCipherSuite | Format-Table -Property CipherSuite, Name, hash

CipherSuite Name Hash
----------- ---- ----
0 TLS_AES_256_GCM_SHA384
0 TLS_AES_128_GCM_SHA256
49200 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
49199 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
49192 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 SHA384
49191 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 SHA256
49172 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA SHA1
49171 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA SHA1
0 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
49195 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
49188 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 SHA384
49187 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 SHA256
49162 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA SHA1
49161 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA SHA1
157 TLS_RSA_WITH_AES_256_GCM_SHA384
156 TLS_RSA_WITH_AES_128_GCM_SHA256
61 TLS_RSA_WITH_AES_256_CBC_SHA256 SHA256
60 TLS_RSA_WITH_AES_128_CBC_SHA256 SHA256
53 TLS_RSA_WITH_AES_256_CBC_SHA SHA1
47 TLS_RSA_WITH_AES_128_CBC_SHA SHA1
0 TLS_CHACHA20_POLY1305_SHA256
0 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

0 Kudos
Reply
BPSingh
HPE Pro

‎11-20-2023 12:17 AM

‎11-20-2023 12:17 AM

Re: HP SIM and TLS1.0/1.1


Greetings!

Please check if this is happening across different browsers.



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Ted Wood
Occasional Advisor

‎11-21-2023 11:23 AM

‎11-21-2023 11:23 AM

Re: HP SIM and TLS1.0/1.1

Yes, this happens with both Chrome and Edge browsers.

0 Kudos
Reply
BPSingh
HPE Pro

‎11-21-2023 09:41 PM

‎11-21-2023 09:41 PM

Re: HP SIM and TLS1.0/1.1

Greetings!

This needs to be investigated. Please logs a support case for further investigation. 



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
Reply
Ted Wood
Occasional Advisor

‎11-22-2023 05:48 AM - last edited on ‎11-23-2023 09:46 PM by

‎11-22-2023 05:48 AM - last edited on ‎11-23-2023 09:46 PM by

Re: HP SIM and TLS1.0/1.1

@BPSingh 

Well, I seem to have messed up badly.  I added a cipher to the CIPHERS-USER parameter in SecuritySettings.prop and successfully ran mxcipher -e 2.  After I restarted the HP SIM service with mxstop/mxstart I could no longer connect to HP SIM from a browser, nor would HP SIM recognize mxcipher commands.  I tried to recover using my backup copy of SecuritySettings.prop but I get this message:

C:\Program Files\HP\Systems Insight Manager>mxcipher -e 1
There was a problem connecting to the HPE Systems Insight Manager server. Make sure that:
1. Your username has been added to HPE Systems Insight Manager.
2. Your username and password, if specified, are correctly spelled.
3. HPE Systems Insight Manager is running.
4. You used '--' for any long options and double quotes if your username includes a domain.
Example: <commandname> --user "mydomain\myusername" --pass mypassword

As far as I can tell, there was a typo in the cipher name that I added to the CIPHERS-USER parameter in SecuritySettings.prop but why would that cause HP SIM to go unresponsive?  Is there any way to recover from this?

 

0 Kudos
Reply
BPSingh
HPE Pro

‎11-24-2023 09:25 PM

‎11-24-2023 09:25 PM

Re: HP SIM and TLS1.0/1.1

Greetings!

This can also happen if the SIM database has been corrupted but you have already attempted to restore from backup but get the error that you mentioned.

Could you check if HP SIM service is up and running? Please restart the service and check.

If SIM version is 7.x, then please check this.

https://support.hpe.com/hpesc/public/docDisplay?docId=kc0102390en_us&docLocale=en_US



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
Ted Wood
Occasional Advisor

‎02-01-2024 01:45 PM - last edited on ‎02-01-2024 09:52 PM by

‎02-01-2024 01:45 PM - last edited on ‎02-01-2024 09:52 PM by

Re: HP SIM and TLS1.0/1.1

@BPSingh Thanks to everyone that his helped so far.  I was able to get the HP SIM installation recovered and to *mostly* use TLS 1.2.  However our security team again flagged my HP SIM server as using TLS 1.0 and 1.1.  Ports 50000, 50001, 50002 and 50005 are at TLS 1.2 or are not even using TLS but port 50004 is still using TLS 1.0 and 1.1.

A netstat shows that all of those ports are associated with the process ID of mxdomainmgr.exe.  Why would port 50004 be still using TLS 1.0 and 1.1???

This is starting to drive me a bit mental...

0 Kudos
Reply
BPSingh
HPE Pro

‎02-01-2024 11:51 PM

‎02-01-2024 11:51 PM

Re: HP SIM and TLS1.0/1.1

Greetings!

The port 50004 is only used for receiving WBEM events. If the vulnerability is reported only on this port, probably the port can be disabled as a workaround.

The file globalsettings.props has the setting WBEM_Indications_Listener_Port=50004, which enables the port.

Set the value to WBEM_Indications_Listener_Port=99999 and restart SIM , during SIM restart it can throw an error like( in mxdomainmgr log) that port is out of range and does not enable the port. This should not impact any other operations of SIM.



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.