Troubleshooting a security issue
BMC Atrium Single Sign-On may be exposed to the POODLE vulnerability when it runs on a Tomcat server with SSL 3.0 enabled. The issue is currently open, and a workaround is available. BMC Software provides a link on the BMC support site that displays the research status. For more information, see Poodle Vulnerability issue.
Issue
If you are using BMC Atrium Single Sign-On on a Tomcat server with SSL 3.0 enabled, your application server may be vulnerable to the POODLE attack.
Resolution
You can disable the SSL 3.0 protocol by removing SSL3 from the sslEnabledProtocols="SSL3,TLSv1,TLSv1.1,TLSv1.2" attribute of the Tomcat HTTPS connector.
Parameter description
sslEnabledProtocols — The comma-separated list of SSL/TLS protocols to support for HTTPS connections. If specified, only the protocols that are listed and supported by the SSL implementation are enabled. If not specified, the JVM default is used. The permitted values are those accepted by SSLSocket.setEnabledProtocols() and are listed in the JVM documentation, for example for Oracle Java 6 and Oracle Java 7. Note: there is overlap between this attribute and sslProtocol.
Example
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="300" scheme="https" secure="true"
           maxHttpHeaderSize="32768"
           clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
For HA mode
In HA mode, you must perform some additional steps. SSL 3.0 must also be disabled on the load balancer, in addition to the server. The steps for disabling SSL 3.0 depend on the load balancer that is used. For example, if Apache httpd is used as the load balancer for the BMC Atrium Single Sign-On cluster, the following directive works for the virtual host: SSLProtocol all -SSLv2 -SSLv3
<VirtualHost *:41443>
    ProxyRequests off
    SSLEngine on
    SSLCertificateFile "C:\Program Files\Apache Software Foundation\Apache2.2\conf\ssl\publicCert.pem"
    SSLCertificateKeyFile "C:\Program Files\Apache Software Foundation\Apache2.2\conf\ssl\privateKey.pem"
    SSLProxyEngine On
    SSLProxyCACertificateFile "C:\Program Files\Apache Software Foundation\Apache2.2\conf\ssl\targetServerCerts2.pem"
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
    ProxyPreserveHost Off
    SSLProtocol all -SSLv2 -SSLv3
    <Proxy balancer://ssobalancer>
        BalancerMember https://machine-03.bmc.com:8443 route=IP
        BalancerMember https://machine.bmc.com:8443 route=IP
        ProxySet stickysession=ROUTEID
    </Proxy>
    ProxyPass /atriumsso balancer://ssobalancer/atriumsso nofailover=off
    ProxyPass /atriumsso/ balancer://ssobalancer/atriumsso nofailover=off
    ProxyPassReverse /atriumsso balancer://ssobalancer/atriumsso nofailover=off
    ProxyPassReverse /atriumsso/ balancer://ssobalancer/atriumsso
</VirtualHost>
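Before restarting the servers it is worth confirming that no HTTPS connector in Tomcat's server.xml, and no SSLProtocol directive in the httpd load-balancer configuration, still leaves SSL 3.0 enabled. The script below is an added example, not BMC or Apache code: it parses a server.xml the way the Tomcat connector example above is written (an absent sslEnabledProtocols attribute is reported too, because Tomcat then falls back to the JVM default), and it evaluates SSLProtocol lines with mod_ssl's additive semantics (bare names replace the list, +name adds, -name removes) so that the virtual host above is judged correctly. The sample server.xml and httpd.conf fragments inside the script are constructed for the example; the file paths at the bottom are placeholders.

```python
"""Audit Tomcat and Apache httpd configuration for leftover SSL 3.0 support.

Added example, not BMC or Apache code. Sample configs are constructed here;
point the main() paths at your own server.xml and httpd.conf to use it.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Protocol names recognised by the Apache 2.2-era SSLProtocol directive.
# Only "does SSLv3 survive" matters here, so newer names are not needed.
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {name.lower(): name for name in APACHE_ALL}
# Both spellings appear in practice: the page uses SSL3, JSSE itself uses SSLv3.
TOMCAT_SSL3_ALIASES = {"ssl3", "sslv3"}
RECOMMENDED = "TLSv1,TLSv1.1,TLSv1.2"   # what the page's corrected connector uses


def audit_tomcat_connectors(server_xml: str):
    """Return (port, status, fixed_value) for every SSLEnabled connector.

    status is "ok", "ssl3-enabled" or "jvm-default"; fixed_value is the
    sslEnabledProtocols value to set, with every SSL 3.0 alias removed.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue                      # plain HTTP connector: not in scope
        port = conn.get("port", "?")
        value = conn.get("sslEnabledProtocols")
        if value is None:
            # Nothing listed means "whatever the JVM enables by default",
            # which on the JVMs of this era still includes SSLv3.
            findings.append((port, "jvm-default", RECOMMENDED))
            continue
        listed = [p.strip() for p in value.split(",") if p.strip()]
        kept = [p for p in listed if p.lower() not in TOMCAT_SSL3_ALIASES]
        status = "ok" if len(kept) == len(listed) else "ssl3-enabled"
        findings.append((port, status, ",".join(kept)))
    return findings


def apache_enabled_protocols(directive: str):
    """Evaluate one SSLProtocol directive as mod_ssl does and return the set."""
    enabled = set()
    for token in directive.split()[1:]:   # drop the SSLProtocol keyword itself
        action, name = "", token
        if token[:1] in ("+", "-"):
            action, name = token[0], token[1:]
        if name.lower() == "all":
            names = set(APACHE_ALL)
        elif name.lower() in CANON:
            names = {CANON[name.lower()]}
        else:
            raise ValueError(f"unknown protocol name in SSLProtocol: {name}")
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = names               # a bare name replaces the whole list
    return enabled


def audit_apache_conf(conf_text: str):
    """Return (directive, ssl3_enabled) for every SSLProtocol line in the file."""
    results = []
    for line in conf_text.splitlines():
        line = line.strip()
        if re.match(r"SSLProtocol\b", line, re.IGNORECASE):
            results.append((line, "SSLv3" in apache_enabled_protocols(line)))
    return results


# Constructed sample inputs: one connector still lists SSL3, one lists nothing.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" sslProtocol="TLS"
               sslEnabledProtocols="SSL3,TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" sslProtocol="TLS"/>
  </Service>
</Server>"""
SAMPLE_HTTPD_CONF = """<VirtualHost *:41443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:41444>
    SSLEngine on
    SSLProtocol all
</VirtualHost>"""


def main(server_xml_path=None, httpd_conf_path=None):
    xml_text = open(server_xml_path).read() if server_xml_path else SAMPLE_SERVER_XML
    conf_text = open(httpd_conf_path).read() if httpd_conf_path else SAMPLE_HTTPD_CONF
    for port, status, fixed in audit_tomcat_connectors(xml_text):
        print(f'Tomcat connector {port}: {status}; set sslEnabledProtocols="{fixed}"')
    for directive, ssl3 in audit_apache_conf(conf_text):
        print(f"httpd '{directive}': {'SSLv3 STILL ENABLED' if ssl3 else 'ok'}")


if __name__ == "__main__":
    main(*sys.argv[1:3])   # e.g. main("/path/to/server.xml", "/path/to/httpd.conf")
```

After restarting Tomcat and httpd, a live check from another host is `openssl s_client -connect <host>:8443 -ssl3`, which should now fail with a handshake error; note that recent OpenSSL builds are compiled without SSLv3 and reject the -ssl3 option outright, in which case an older OpenSSL or a TLS scanner is needed for the live test.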
For SAMLv2 authentication
If SAMLv2 authentication is used, you should disable SSL 3.0 on the Service Provider (SP) and Identity Provider (IdP) servers, and on the agent server. If the agent server still has SSL 3.0 enabled, you may encounter issues while creating user sessions. You can resolve this issue by disabling SSL 3.0 support on the agent's Tomcat server. The steps depend on the type of server that is used.