Environment
Novell ZENworks Configuration Management 11.3
Situation
To fix the Logjam vulnerability, platform vendors such as Microsoft and Red Hat released security patches. After those patches are applied, communication is lost between the Primary Servers, Satellites and managed devices.
During registration attempt (zac reg) the following error can be seen:
RegistrationManager - Network error connecting to server: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
Resolution
This is fixed in version 11.4 - see KB 7016614 "ZENworks Configuration Management 11 SP4 (11.4.0) - update information and list of fixes" which can be found at https://support.microfocus.com/kb/doc.php?id=7016614
Primary servers:
- Stop the ZENworks services on the Primary Server:
novell-zenworks-configure -c Start (select Stop and enter twice)
- Make a backup and edit the configuration files below:
Windows:
%ZENWORKS_HOME%\share\tomcat\conf\server.xml
%ZENWORKS_HOME%\share\ats\catalinabase\conf\server.xml
Linux:
/opt/novell/zenworks/share/tomcat/conf/server.xml
/srv/www/casaats/conf/server-sun.xml
- Replace the ciphers attribute with the list of cipher suites below:
SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256
- Start the ZENworks services:
novell-zenworks-configure -c Start (select Start and enter twice)
Authentication Satellite servers:
11.3.1:
If it is not possible to upgrade to ZCM 11.4 at this time, in the interim, Novell has made a Patch available for testing. It can be obtained at https://download.novell.com/Download?buildid=okaco1PldFk~ as "ZCM 11.3.1 Logjam Vulnerability Fix for Satellite Servers - TID 7016807". This update should only be applied if the symptoms above are being experienced, and are causing problems.
11.3.1 FRU1:
If it is not possible to upgrade to ZCM 11.4 at this time, in the interim, Novell has made a Patch available for testing. It can be obtained at https://download.novell.com/Download?buildid=pNXvVUtSbag~ as "ZCM 11.3.1 FRU1 Logjam Vulnerability Fix for Satellite Servers - TID 7016807". This update should only be applied if the symptoms above are being experienced, and are causing problems.
11.3.2:
If it is not possible to upgrade to ZCM 11.4 at this time, in the interim, Novell has made a Patch available for testing. It can be obtained at https://download.novell.com/Download?buildid=GDbiBPeAuw8~ as "ZCM 11.3.2 Logjam Vulnerability Fix for Satellite Servers - TID 7016807". This update should only be applied if the symptoms above are being experienced, and are causing problems.
11.3.2 FRU1:
If it is not possible to upgrade to ZCM 11.4 at this time, in the interim, Novell has made a Patch available for testing. It can be obtained at https://download.novell.com/Download?buildid=f72lm38lPbY~ as "ZCM 11.3.2 FRU1 Logjam Vulnerability Fix for Satellite Servers - TID 7016807". This update should only be applied if the symptoms above are being experienced, and are causing problems.
ZENworks Reporting Server (ZRS Jaspersoft):
Make a backup and edit the configuration files below:
Windows:
C:\Program Files\novell\zenworks-reporting\js\apache-tomcat\conf\server.xml
Linux:
/opt/novell/zenworks-reporting/js/apache-tomcat/conf/server.xml
In the <Connector SSLEnabled="true" element, add the following attribute:
ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256"
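To confirm after the edit that every SSL connector carries the intended list (this applies to both the Primary Server and the Reporting Server steps), the following added example, which is not part of the original TID or of ZENworks, parses a server.xml and reports differences. It assumes the file uses the <Connector SSLEnabled="true" ciphers="..."> layout described above; the sample XML, its ports and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed server.xml with one plain and two SSL connectors.
# Ports are made up. TLS_DHE_RSA_WITH_AES_128_CBC_SHA is NOT in this article's list.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1"/>
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>"""

# Shortened for the demo; in real use paste the full comma-separated list from this article.
EXPECTED = "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA"


def split_suites(value):
    """Split a 'ciphers' attribute into suite names, ignoring blanks and whitespace."""
    return [s.strip() for s in value.split(",") if s.strip()]


def audit_connectors(xml_text, expected_csv):
    """Return one finding per SSL-enabled <Connector> in a server.xml document."""
    expected = split_suites(expected_csv)
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # connectors without SSL are not part of this fix
        raw = conn.get("ciphers")
        actual = split_suites(raw) if raw is not None else []
        findings.append({
            "port": conn.get("port"),
            "ciphers_set": raw is not None,  # False: attribute absent, edit not applied
            "missing": [s for s in expected if s not in actual],
            "unexpected": [s for s in actual if s not in expected],
        })
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML, EXPECTED):
        ok = f["ciphers_set"] and not (f["missing"] or f["unexpected"])
        print(f"port {f['port']}: {'OK' if ok else 'REVIEW'} "
              f"missing={f['missing']} unexpected={f['unexpected']}")
```

Run it against each backed-up and edited file in turn; a connector reported with ciphers_set False still has no ciphers attribute at all.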
Additional Information
Known Problems and Limitations:
On RHEL Satellites with older openssl versions (openssl-1.0.1e-15.el6.x86_64, or lower than openssl-1.0.1e-30.el6_6.11.x86_64), the FTF may break the agent to satellite communication over SSL.
To fix this, update the openssl package to the latest version on the RHEL Satellite and then verify the SSL communication. The latest openssl package, openssl-1.0.1e-30.el6_6.11.x86_64 or higher, would be available via the Red Hat Network.