Please enter search query.
Search <product_name> all support & community content...
Article: 100032678
Last Published: 2016-07-05
Ratings: 0 0
Product(s): ApplicationHA
Problem
Running a security vulnerability scan on networks that have Application HA guests can result in SSLv3 POODLE attack flags on the xptrld process that is part of the Application HA console and guests.Cause
The xptrld process has the SSLv3 transport method enabled and will be flagged on security scans.Solution
Disabling SSLv3 on the Application HA console:- Open the server.xml located at %vcs_root%\ApplicationHA\tomcat\conf.
- Add the following line after the sslProtocol=”TLS” section:
Example config section:
<Connector port="${ssl.port}" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" allowUnsafeLegacyRenegotiation="false" keystoreFile="${tomcat.home}/cert/.keystore" compression="on" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript" URIEncoding="UTF-8" keystorePass="cortech"/>
- Restart the Application HA service.
- To verify that SSLv3 has been disabled from a Windows machine, install the OpenSSL binaries and run the following command:
If SSLv3 is disabled, the command should return routines:SSL3_GET_RECORD:wrong version number. The same command can be run from a Linux machine with openssl installed.
Disabling SSLv3 on Application HA guests:
- Upgrade the VRTSsfmh installation to version 7.1. This can be found on SORT (https://sort.veritas.com/) after you’ve logged into your Veritas account. It can also be downloaded from the following public location: https://www.veritas.com/content/trial/en/us/veritas-infoscale-operations-manager. Be sure to run the installer as an administrator on a Windows machine.
- To verify that SSLv3 has been disabled from a Windows machine, install the OpenSSL binaries and run the following command:
If SSLv3 is disabled, the command should return a “handshake failure”. The same command can be run from a Linux machine with openssl installed. Note: The new version of the VRTSsfmh package (xprtld) uses SHA-2 signature algorithm.
Disabling weak ciphers:
- Navigate to C:\ProgramData\veritas\VRTSsfmh\sec\systemprofile\ and open VRTSatlocal.conf.
- Find the following: SSLCipherSuite"="HIGH:MEDIUM:!eNULL:!aNULL:!SSLv2 and replace it with SSLCipherSuite"="HIGH:MEDIUM:!RC4:!eNULL:!aNULL:!SSLv2
- Restart the Veritas Storage Foundation Messaging service. ie. xprtld service.
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.