DX Application Performance Management

Expand all | Collapse all

how to fix logjam vulnerability in introscope?

Jump to Best Answer
  • 1.  how to fix logjam vulnerability in introscope?

    Posted 09-22-2015 04:08 PM

    Hello guys,

     

    I'm using Introscope 9.7, with https enabled. I getting now, when using chrome, the following error:

     

    Server has a weak ephemeral Diffie-Hellman public key

    ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY


    Searching the error, this problem is about a vulnerability called "logjam"... Is there a fix for it to Introscope?


    Regards,


    Sean





  • 2.  Re: how to fix logjam vulnerability in introscope?

    Posted 09-22-2015 05:31 PM

    Hi Sean,

     

    please open a support ticket.

     

    Ciao,

    Guenter



  • 3.  Re: how to fix logjam vulnerability in introscope?

    Posted 09-24-2015 12:11 PM

    Logjam is not present in current versions of EEM.  



  • 4.  Re: how to fix logjam vulnerability in introscope?

    Posted 09-24-2015 12:39 PM

    Hi Sean:

       I am awaiting details on a workaround which I will write a KB on.

     

    Thanks

    Hal German



  • 5.  Re: how to fix logjam vulnerability in introscope?

    Posted 09-24-2015 09:28 PM

    Hi Sean,

    At a high level you can follow one of the approaches:

    -Assuming you are using default keystore and public key that ships with Introscope, you can update the keystore and create your own public\private key with a key length longer of 1024 or higher.

    For e.g Java Keytool utility can be used to create your own certificate and specify key size

    keytool-Key and Certificate Management Tool

    -Modify the webview-jetty-config.xml and specify exact Ciphersuite that you want to be excluded by the Webserver and include DHE based CipherSuites in the list for e.g TLS_DHE_RSA_WITH_AES_128_CBC_SHA.

     

    Regards,

    Kulbir.



  • 6.  Re: how to fix logjam vulnerability in introscope?
    Best Answer

    Posted 09-25-2015 05:00 PM

    Hi Sean:

    The KB is published but not yet accessible. It will be this URL

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/TEC1514135.aspx

     

    Here are the details (Some is a rehash of what Kulbir said.)

     

    Problem:

      Webview (HTTPS) error with Chrome/Firefox

      Users accessing CA APM WebView and/or Team Center see a browser error:  "Server has a weak ephemeral Diffie-Hellman public key." This is preventing use of the web applications.

       Below is a screen shot of the error message:

    Server Error.png
      Environment:
      Known releases impacted are APM 9.7 and 10.0 (including Java 1.7.0.21) using Chrome 45.0.2454.85 or Firefox 40.0.3 and later.  Older releases such as APM 9.6    may also be impacted.  On the browser side, Internet Explorer 11 may be impacted as well.

     

    C ause:

    - This is due to some recent attacks against TLS (e.g. "Logjam") which target the Diffie-Hellman key exchange algorithm when configured with an initial parameter   (prime "p") smaller than 1024 bits.

    What happens is that some of the latest browser updates lockout users when trying to connect to servers configured with weak Diffie-Hellman primes.  These  browsers have been updated to disallow such connections.  This is not a problem in APM, but is caused by an updated mechanism in the way browsers handle  encryption handshakes.  

     

    Resolution/Workaround:

    For users of CA APM 9.7 and 10.0, do one of the following:


    1. Set the “-DephemeralDHKeySize=1024” property. This requires Java 7u85 or above.

    Add the above setting to lax.nl.java.option.additional section in Introscope_WebView.lax

    If the EM is configured to run as a service on Windows, add the following to <EM HOME>/bin/WVService.conf.  In the below example, .4 is the last item in the wrapper.java.additional parameters.  Your setup may vary, so choose the highest number according to your WVService.conf file setup.

    wrapper.java.additional.4=-DephemeralDHKeySize=1024

     

    Note: CA APM 10.1 will be updated with a newer version of java 8 that will not be affected by this issue.

     

    2. Configure Jetty to use the ciphersuites below:

    Update the config/webview-jetty-config.xml file and replace the cipher suite configuration to:

        <Set name="cipherSuites">
            <Array type="java.lang.String">
                <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
                <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
                <Item>TLS_EMPTY_RENEGOTIATION_INFO_SCSV</Item>
            </Array>
        </Set>

    Note: Don't forget to uncomment those lines by removing the leading <-- and trailing -->.

    Additional Information:

    - https://weakdh.org/ -- Weak Diffie-Hellman and the Logjam Attack
    - https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange -- Diffie Hellman.