×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')

Out of support

 

This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience. You will not be able to leave comments.

Click here to view the documentation for a supported version of Remedy Single Sign-On.
BMC Atrium Single Sign-On 8.1 Troubleshooting

Troubleshooting security issue

BMC Atrium Single Sign-On may encounter vulnerability related Poodle security when you are using BMC Atrium Single Sign-On on Tomcat server with SSL 3.0. The issue is currently open with a workaround. BMC Software provides a link on the BMC support site that displays the research status.  For more information, see Poodle Vulnerability issue.

Issue

If you are using BMC Atrium Single Sign-On on Tomcat server with SSL 3.0, your application server may be vulnerable to Poodle security issue.

Resolution

You can disable the SSL 3.0 protocol by removing SSL3 from the sslEnabledProtocols="SSL3,TLSv1,TLSv1.1,TLSv1.2" parameter to Tomcat HTTPS connector.

Parameter description

sslEnabledProtocols — The comma separated list of SSL protocols to support for HTTPS connections. If specified, only the protocols that are listed and supported by the SSL implementation will be enabled. If not specified, the JVM default is used. The permitted values may be obtained from the JVM documentation for the allowed values for SSLSocket.setEnabledProtocols() e.g. Oracle Java 6 and Oracle Java 7. Note: There is overlap between this attribute and sslProtocol.

Example

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="300" scheme="https" secure="true"
               maxHttpHeaderSize="32768"
               clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2">

For HA mode

In case of HA mode, you must perform some additional steps. SSL 3.0 must also be disabled on the load balancer instead of the server. The steps for disabling SSL 3.0 depends on the load balancer which is used. For example if apache httpd is used as load balancer for BMC Atrium Single Sign-On cluster, the following command works for the virtual host: SSLProtocol all -SSLv2 -SSLv3.

<VirtualHost *:41443> 

  ProxyRequests off
  SSLEngine on
  SSLCertificateFile "C:\Program Files\Apache Software Foundation\Apache2.2\conf\ssl\publicCert.pem"
  SSLCertificateKeyFile "C:\Program Files\Apache Software Foundation\Apache2.2\conf\ssl\privateKey.pem"
  SSLProxyEngine On
  SSLProxyCACertificateFile "C:\Program Files\Apache Software Foundation\Apache2.2\conf\ssl\targetServerCerts2.pem"
  Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" 
  env=BALANCER_ROUTE_CHANGED

  ProxyPreserveHost Off

  SSLProtocol all -SSLv2 -SSLv3

  <Proxy balancer://ssobalancer>
    BalancerMember https://machine-03.bmc.com:8443 route=IP
    BalancerMember https://machine.bmc.com:8443 route=IP
    ProxySet stickysession=ROUTEID
  </Proxy>

  ProxyPass /atriumsso balancer://ssobalancer/atriumsso nofailover=off
  ProxyPass /atriumsso/ balancer://ssobalancer/atriumsso nofailover=off

  ProxyPassReverse /atriumsso balancer://ssobalancer/atriumsso nofailover=off
  ProxyPassReverse /atriumsso/ balancer://ssobalancer/atriumsso


</VirtualHost>

For SAMLv2 authentication

If SAMLv2 authentication is used, then you should disable SSL 3.0 on Service Provider (SP) and Identity Provider (IdP) servers, and on agent server. If agent server has enabled SSL 3.0, you may encounter issues while creating user sessions. You can resolve this issue, by disabling SSL 3.0 support on agent’s Tomcat server. The steps are dependent on the type of server which used.

Was this page helpful? Yes No Submitting... Thank you
Last modified by Abhay Chokshi on Dec 10, 2014
troubleshooting

Comments

Log in or register to comment.

Resolving installation issues on LINUX operating system
Known and corrected issues
© Copyright 2013 - 2017 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.