This documentation supports the 8.1 version of BMC Atrium Single Sign-On.


Troubleshooting a security issue

BMC Atrium Single Sign-On is exposed to the POODLE vulnerability (CVE-2014-3566) when it runs on a Tomcat server that still accepts SSL 3.0. The issue is currently open with a workaround. BMC Software provides a link on the BMC support site that displays the research status. For more information, see Poodle Vulnerability issue.

Issue

If BMC Atrium Single Sign-On runs on a Tomcat server that accepts SSL 3.0, the application server is vulnerable to POODLE: an attacker positioned between a client and the server can force the connection down to SSL 3.0 and then exploit the weak CBC padding check of that protocol to recover plaintext, such as the session cookie, byte by byte.

Resolution

Disable SSL 3.0 by removing it from the sslEnabledProtocols attribute of the HTTPS Connector in the Tomcat server.xml. For example, change sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2" to sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" and restart Tomcat; the change takes effect only after the restart. Note that the JSSE protocol name is SSLv3 (some configurations write it as SSL3); whichever spelling is present, that is the token to remove.

Parameter description

sslEnabledProtocols — The comma-separated list of SSL/TLS protocols to support for HTTPS connections. If specified, only the protocols that are listed and supported by the SSL implementation are enabled. If not specified, the JVM default is used, so do not rely on the default: older Java 6 and Java 7 releases include SSLv3 in it. The permitted values are those accepted by SSLSocket.setEnabledProtocols() for the JVM in use (see the JVM documentation, for example for Oracle Java 6 and Oracle Java 7). Note: There is overlap between this attribute and sslProtocol; sslProtocol selects the SSLContext (normally "TLS"), whereas sslEnabledProtocols controls which protocol versions the connector actually negotiates.

Example

<!-- HTTPS connector with SSL 3.0 removed; only TLS versions are negotiated.
     Keystore attributes are omitted here, as on the original page. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="300" scheme="https" secure="true"
               maxHttpHeaderSize="32768"
               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
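The following is an added example, not code from BMC or from the Atrium Single Sign-On product, that verifies the change from the outside instead of trusting the edited server.xml. It sends a raw SSLv3 ClientHello to the listener and classifies the first record that comes back: a server that still offers SSL 3.0 answers with a ServerHello whose version is 3.0, while a server with SSL 3.0 disabled answers with an alert or simply closes the connection. The host, the port (8443, taken from the connector above) and the embedded sample replies are assumptions and constructed data; point the probe at the load balancer port in HA mode and at the SP, IdP and agent servers in a SAMLv2 deployment.

```python
"""
Added example (not BMC's code): probe an HTTPS listener for SSL 3.0 support by
speaking the protocol directly, so the result does not depend on what the
local OpenSSL or Java build still allows.
"""
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"  # ProtocolVersion {major = 3, minor = 0}

# A few cipher suites that SSLv3-era servers commonly accept. The exact choice
# does not matter for the check; the server only needs to recognize one.
SSLV3_CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello(client_random=None):
    """Return one TLS record (content type handshake) carrying an SSLv3 ClientHello."""
    if client_random is None:
        client_random = os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_CIPHER_SUITES)
    body = (
        SSLV3                                      # client_version
        + client_random                            # gmt_unix_time + random_bytes
        + b"\x00"                                  # session_id: empty
        + struct.pack("!H", len(suites)) + suites  # cipher_suites
        + b"\x01\x00"                              # compression_methods: null only
    )
    # Handshake header: msg_type client_hello(1) followed by a 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type handshake(22), version, 16-bit length.
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returned for the SSLv3 ClientHello.

    'sslv3-enabled' : a ServerHello with server_version 3.0 (POODLE-exposed)
    'disabled'      : an alert record, or no record at all (connection closed)
    'other'         : anything else, e.g. a ServerHello naming a TLS version
    """
    if len(data) < 5:
        return "disabled"
    content_type = data[0]
    if content_type == 0x15:  # alert (handshake_failure or protocol_version)
        return "disabled"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # server_hello
        return "sslv3-enabled" if data[9:11] == SSLV3 else "other"
    return "other"


def probe(host, port=8443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


# Constructed server replies (not captured traffic) so the classifier can be
# exercised without a live target.
SAMPLE_RESPONSES = {
    "serverhello-3.0": b"\x16\x03\x00\x00\x26\x02\x00\x00\x22" + SSLV3 + b"\x00" * 34,
    "serverhello-3.1": b"\x16\x03\x01\x00\x26\x02\x00\x00\x22\x03\x01" + b"\x00" * 34,
    "alert-handshake-failure": b"\x15\x03\x00\x00\x02\x02\x28",
    "connection-closed": b"",
}


def classify_samples():
    """Run the classifier over the constructed replies and return the verdicts."""
    return {name: classify_response(raw) for name, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed target
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    for name, verdict in classify_samples().items():
        print(f"sample {name:24s} -> {verdict}")
    try:
        print(f"{host}:{port} -> {probe(host, port)}")
    except OSError as exc:
        print(f"{host}:{port} -> could not connect ({exc})")
```

Run it as `python poodle_probe.py sso-host 8443` after the Tomcat restart; the expected verdict is "disabled". A "sslv3-enabled" verdict means the edit did not take effect (wrong connector, missing restart, or the JVM default still in use). Where the local OpenSSL build still supports SSL 3.0, `openssl s_client -connect sso-host:8443 -ssl3` is the equivalent manual check.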

For HA mode

In HA mode, you must perform some additional steps. SSL 3.0 must be disabled on the load balancer in addition to each Tomcat server behind it, because clients terminate TLS on the load balancer. The steps for disabling SSL 3.0 depend on the load balancer that is used. For example, if Apache httpd is used as the load balancer for a BMC Atrium Single Sign-On cluster, the following directive in the virtual host disables SSL 2.0 and SSL 3.0: SSLProtocol all -SSLv2 -SSLv3.

<VirtualHost *:41443>

  ProxyRequests off
  SSLEngine on
  SSLCertificateFile "C:\Program Files\Apache Software Foundation\Apache2.2\conf\ssl\publicCert.pem"
  SSLCertificateKeyFile "C:\Program Files\Apache Software Foundation\Apache2.2\conf\ssl\privateKey.pem"
  SSLProxyEngine On
  SSLProxyCACertificateFile "C:\Program Files\Apache Software Foundation\Apache2.2\conf\ssl\targetServerCerts2.pem"

  # Sticky-session cookie. This is one directive and must stay on one line;
  # a line break before env= makes httpd reject the configuration.
  Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

  ProxyPreserveHost Off

  # Client-facing listener: disable SSL 2.0 and SSL 3.0.
  SSLProtocol all -SSLv2 -SSLv3
  # The proxy side also speaks HTTPS to the Tomcat members; restrict it as well,
  # so the load balancer never negotiates SSL 3.0 towards a backend that still offers it.
  SSLProxyProtocol all -SSLv2 -SSLv3

  <Proxy balancer://ssobalancer>
    # Each member needs a distinct route value for stickysession to work;
    # "IP" is a placeholder to replace per member.
    BalancerMember https://machine-03.bmc.com:8443 route=IP
    BalancerMember https://machine.bmc.com:8443 route=IP
    ProxySet stickysession=ROUTEID
  </Proxy>

  ProxyPass /atriumsso balancer://ssobalancer/atriumsso nofailover=off
  ProxyPass /atriumsso/ balancer://ssobalancer/atriumsso nofailover=off

  # ProxyPassReverse only rewrites response headers and takes no nofailover parameter.
  ProxyPassReverse /atriumsso balancer://ssobalancer/atriumsso
  ProxyPassReverse /atriumsso/ balancer://ssobalancer/atriumsso

</VirtualHost>

For SAMLv2 authentication

If SAMLv2 authentication is used, disable SSL 3.0 on the Service Provider (SP) and Identity Provider (IdP) servers and on the agent server. If the agent server still has SSL 3.0 enabled, you may encounter failures while creating user sessions. Resolve this by disabling SSL 3.0 on the agent's Tomcat server in the same way as above; the exact steps depend on the type of server that is used.
