Need to mitigate CVE-2011-3389 vulnerability on IDP and Admin Console

  • 7001524
  • 29-Mar-2012
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Access Administration
Novell Access Manager 3.1 Support Pack 4 applied

Situation

A security scanner was run against the Novell Access Manager Identity Server (IDP) and Admin Console servers and reported the CVE-2011-3389 vulnerability. The vulnerability had to be mitigated before Access Manager could be rolled into production.

Resolution

The server.xml on the IDP and Admin Console servers was modified to include a list of strong ciphers, which mitigated the above CVE. The following snippet shows the cipher list that was enabled on the IDP server. The same list also had to be added to the Introductions provider and consumer connectors (TCP ports 8445 and 8446 respectively) in order to pass the scan, even though Introductions (the feature that activates those ports) was not enabled on the IDP server.

<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<!-- The same ciphers list must also be set on the Introductions provider/consumer connectors (ports 8445/8446) -->
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="200" minSpareThreads="5"
           maxSpareThreads="50" enableLookups="false" disableUploadTimeout="true"
           acceptCount="0" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS" address="10.29.27.181" NIDP_Name="connector"
           URIEncoding="utf-8" useBodyEncodingURI="false"
           className="org.apache.coyote.tomcat5.CoyoteConnector" maxProcessors="200"
           allowUnsafeLegacyRenegotiation="true"
           ciphers="TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256"
/>
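As an added check (not part of this TID or of Access Manager), the following Python script parses the ciphers attribute of every HTTPS Connector in a server.xml, reports suite names that do not follow the naming pattern used in the list above (a mistyped name cannot be enabled), flags HTTPS connectors that carry no explicit list (the 8445/8446 case described above), and counts how many of the enabled suites are CBC-mode suites, the class CVE-2011-3389 concerns under TLS 1.0. The sample server.xml is constructed for the example and deliberately contains one mistyped suite name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the TID): one HTTPS connector with an
# explicit cipher list, one without. The list deliberately contains a mistyped
# suite name so the check below has something to catch.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
 ciphers="TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_CDSA_WITH_AES_256CBC_SHA384_P521"/>
<Connector port="8445" scheme="https" secure="true" sslProtocol="TLS"/>
</Service></Server>"""

# Suite names as written in the TID: IANA-style names, optionally carrying the
# _P256/_P384/_P521 curve suffix used on the Windows builds.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>RSA|DHE_RSA|DHE_DSS|ECDHE_RSA|ECDHE_ECDSA)"
    r"_WITH_(?P<bulk>RC4_128|3DES_EDE_CBC|AES_(?:128|256)_(?:CBC|GCM))"
    r"_(?P<mac>MD5|SHA|SHA256|SHA384)(?:_P(?:256|384|521))?$")

def classify(suite):
    """Return 'malformed', 'stream', 'aead' or 'cbc' for one suite name."""
    m = SUITE_RE.match(suite)
    if not m:
        return "malformed"      # no such suite exists, so it cannot be enabled
    bulk = m.group("bulk")
    if bulk.startswith("RC4"):
        return "stream"         # stream cipher: not affected by CVE-2011-3389
    if bulk.endswith("GCM"):
        return "aead"           # TLS 1.2-only AEAD suite: not affected
    return "cbc"                # CBC mode: the class BEAST targets under TLS 1.0

def audit_connectors(xml_text):
    """Map each HTTPS Connector port to a summary of its ciphers attribute."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("scheme") != "https":
            continue
        port = conn.get("port")
        raw = conn.get("ciphers")
        if raw is None:
            report[port] = {"error": "no explicit ciphers attribute"}
            continue
        suites = [s.strip() for s in raw.split(",") if s.strip()]
        kinds = [classify(s) for s in suites]
        report[port] = {
            "malformed": [s for s, k in zip(suites, kinds) if k == "malformed"],
            "counts": {k: kinds.count(k) for k in ("stream", "aead", "cbc")},
        }
    return report
```

The RC4 suites at the head of the list above were the usual 2012-era BEAST workaround; RC4 has since been prohibited for TLS by RFC 7465, so on current deployments the check should be read together with the protocol versions the connector allows.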