Environment
NetIQ Sentinel 7.0
NetIQ Sentinel 7.1
NetIQ Sentinel 7.2.1
Situation
A security vulnerability has been identified in the SSL protocols (both v2.0 and v3.0) that allows attackers to derive the plaintext of secure connections.
For more information on this vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
Resolution
As of the Sentinel 7.2.2 and 7.3 releases, all SSL v2.0 and v3.0 vulnerabilities related to POODLE have been removed from our core servers.
If, however, you are running a version earlier than those, we recommend that you enable FIPS 140-2 mode on Sentinel to prevent use of the SSL protocols. With FIPS 140-2 mode enabled, all SSL v2.0 and SSL v3.0 protocols and ciphers are disabled on the Sentinel Core server ports. FIPS mode also effectively prevents a "fallback" to the SSL protocols.
Steps for Enabling FIPS 140-2 Mode on Sentinel Servers
- Log in to the Sentinel server.
- Switch to the novell user (su novell).
- Browse to the Sentinel bin directory. The default location is /opt/novell/sentinel/bin.
- Run the convert_to_fips.sh script and follow the on-screen instructions.

- Log in to the RCM/RCE.
- Switch to the novell user (su novell).
- Browse to the Sentinel bin directory (cd /opt/novell/sentinel/bin).
- Run the convert_to_fips.sh script and follow the on-screen instructions (./convert_to_fips.sh).
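To confirm that FIPS mode really stopped a Sentinel port from negotiating SSL v3.0, the following probe is an added verification example, not NetIQ's own tooling: it sends a minimal SSLv3 ClientHello and reports whether the server replied with an SSLv3 ServerHello ("accepted") or rejected the handshake ("refused"). The host and port are supplied on the command line because this page does not list Sentinel's listening ports; the cipher list in the hello is constructed for the probe.

```python
import socket
import struct
import sys

SSLV3 = (3, 0)   # record/handshake version bytes for SSL 3.0 (TLS 1.0 is 3.1)

def build_client_hello(version=SSLV3):
    """Build a minimal ClientHello record that offers only `version`.
    The cipher list is constructed for the probe, not taken from Sentinel's configuration."""
    major, minor = version
    client_random = b"\x00" * 32                       # a fixed random is fine for a version probe
    ciphers = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"      # AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA
    body = (bytes([major, minor]) + client_random
            + b"\x00"                                  # session id length: 0
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """'accepted' if the server answered with an SSLv3 ServerHello, 'refused' if it sent an
    Alert record or closed the connection, 'other' for any different reply."""
    if not data or data[0] == 0x15:                    # empty read (closed) or Alert record
        return "refused"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # Handshake record, ServerHello
        return "accepted" if (data[9], data[10]) == SSLV3 else "other"
    return "other"

def probe_sslv3(host, port, timeout=5.0):
    """Send the SSLv3 ClientHello to host:port and classify the first record that comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(1024)
        except ConnectionResetError:                   # some servers simply drop SSLv3 hellos
            return "refused"
        except socket.timeout:
            return "other"
    return classify_response(data)

if __name__ == "__main__":
    # usage: probe.py <sentinel-host> <port>; the ports are not listed on this page
    print(probe_sslv3(sys.argv[1], int(sys.argv[2])))
```

After enabling FIPS mode, every Sentinel Core server port should report "refused"; an "accepted" result means SSL v3.0 is still being negotiated on that port.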