CA Service Management

We have followed the steps provided by CA Level 2 team as well as CA Support to disable SSL v3.0 on IIS and tomcat for CA Service Desk Manager r12.7 as well as r12.9.

However, we face few issues -

1. For IIS despite having disabled SSL v2.0 / SSL v3.0, disabling weak ciphers, tests on ssllabs.com still does not detect that SSL v3.0 is "disabled". Has anyone else faced similar problem? If yes, what was the solution?

For IIS Registry changes were made.

2. For tomcat, once the steps were performed, am unable to perform tests, on poodlebleed.com and similar sites, since it times out. Also post the changes to server.xml we have also run pdm_configure to redeploy tomcat, as advised by CA support but still CASDM over port 8443 remain inaccessible. When I revert the changes that were done to server.xml, sdm can be accessed over 8443 without any issues. Unsure what's causing the issue here.

To be noted that SDM remains accessible over port 8080 even after changes to sever.xml to disabled SSL 3.0@ !

Changes to server.xml -

Added  below to the snippet for 8443.

sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2,TLSv1.1" ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"

Thanks,

Ashutosh

So today we finally got it to work.

There were 2 issues. Though we got it right at IIS level settings at first go the reason we kept failing on ssllabs test / poodlebleed.com tests was since at loadbalancer level SSL3 ciphers were still listed under list of SSL ciphers available to clients.

The issue around tomcat was the server.xml changes. What CA suggested -

slProtocol = “TLS” sslEnabledProtocols = “TLSv1.2,TLSv1.1,TLSv1”

the changes I made today, after going through the tomcat apache website and various other references collected over yesterday.

slProtocols = “TLSv1.2,TLSv1.1,TLSv1”

and now we are able to access the CASDM over 8443 using VIP and were also able to clear the poodlebleed.com test over 8443 for SSL 3.0.

I know what this thread is a bit outdated, but we are experiencing the following errors with the latest version of Firefox 39.0 in our CA Service Desk 12.1 instances:

"Secure Connection Failed

An error occurred during a connection to srs. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

  The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

  Please contact the website owners to inform them of this problem."

I have not been able to find any cipher fixes for CA Service Desk as the Firefox updates have just come through yesterday.

After reading forums from other apps, their fixes have been to update the cipher keys similar to what has been done here.

Is this something that I can also do in our instance of CA Service Desk to fix our weak encryption ciphers?

If so, do I just update the server.xml file as posted above and restart the application?

We juts applied the following fix(the ciphers section in bold, the rest is just generic ssl connector setup) to our ssl connectors in server.xml for SDM (make sure to check all your tomcat instances, (both CATALINA_BASE and CATALINA_BASE_SA for us)):

Also not sure if required or not, but you may need to also apply the enhanced cryptographic package for java 7 to your CA\SC\JRE\1.7.0_10\lib\security directory (can be found here: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html) if in the US