After applying the Microsoft Schannel workaround from Security Advisory 3046015, ZENworks managed devices cannot communicate with the zone

  • 7016268
  • 06-Mar-2015
  • 03-Aug-2015

Environment


Novell ZENworks Configuration Management 11.3
Novell ZENworks Configuration Management 11.2
Novell ZENworks Configuration Management 11.1
Novell ZENworks Configuration Management 11

Situation

After applying the Schannel SSL settings changes given as the workaround for FREAK in "Microsoft Security Advisory 3046015" (https://technet.microsoft.com/library/security/3046015#_Apply_Workarounds or https://technet.microsoft.com/en-us/library/security/ms15-031.aspx), ZENworks agents fail to communicate with the zone on the SSL port.

NOTE:  This problem occurs only with the workaround; it does not occur after applying the fix for MS15-031.

ERROR:  (from zmd-messages.log):

[DEBUG] [03/09/2015 09:08:41.056] [13072] [ZenworksWindowsService] [44] [] [ConnectMan-ping] [] [web request exception: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.GetResponse()

Resolution

This is fixed in version 11.4. See KB 7016614, "ZENworks Configuration Management 11 SP4 (11.4.0) - update information and list of fixes", at https://support.microfocus.com/kb/doc.php?id=7016614


Workaround only for Primary Servers (Authentication Satellites do not need any change)

  1. Navigate to the tomcat conf folder:
    Windows:  %ZENWORKS_HOME%\share\tomcat\conf
    Linux: /opt/novell/zenworks/share/tomcat/conf
  2. Make a backup of server.xml
  3. Modify server.xml as follows:
    Within the <Connector port="443" tag, find the section starting with ciphers="
  4. Within the ciphers=" section, add the following ciphers:  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    NOTE:  Ensure that the final list of ciphers is comma delimited and enclosed by double quotes to preserve the original format.
  5. For the external CASA service, do the same (backup and modify) for the following files:
    Windows:  %ZENWORKS_HOME%\share\ats\catalinabase\conf\server.xml
    Linux:
    Go to /srv/www/casaats/conf
    Get a listing to find the file that the server.xml soft link points to.  Example:  server.xml -> /srv/www/casaats/conf/server-sun.xml
    Back up and modify the original file (for the example above, /srv/www/casaats/conf/server-sun.xml),
    making the changes to add the new ciphers.
  6. Restart the ZENworks services (run novell-zenworks-configure -c Start, select restart, and press Enter twice).
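
An added example, not part of the original article or of ZENworks tooling: steps 2 through 5 as a Python script that backs up each server.xml and appends the two ciphers from step 4 to the ciphers attribute of the port 443 Connector, leaving the rest of the file untouched. The SAMPLE fragment, the .bak suffix and the function names are assumptions made for the example.

```python
import re
import shutil
import sys
from pathlib import Path

# Cipher names from step 4 of the article.
EXTRA = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
         "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
CONNECTOR = re.compile(r"<Connector\b[^>]*>", re.S)  # start tag, may span lines
CIPHERS = re.compile(r'(\bciphers\s*=\s*")([^"]*)(")')

# Constructed sample, not the server.xml that ZENworks ships.
SAMPLE = '''<Service name="Catalina">
  <Connector port="80" redirectPort="443" />
  <Connector port="443" SSLEnabled="true" scheme="https"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" />
</Service>
'''

def add_ciphers(xml_text, port="443", extra=EXTRA):
    """Append missing ciphers to Connectors on `port`; touch nothing else."""
    added = []
    def fix_list(m):
        value = m.group(2).rstrip(" ,\t\r\n")
        have = {c.strip() for c in value.split(",")}  # exact names, not substrings
        missing = [c for c in extra if c not in have]
        added.extend(missing)
        return m.group(1) + ",".join(filter(None, [value] + missing)) + m.group(3)
    def fix_tag(m):
        tag = m.group(0)
        if re.search(r'\bport\s*=\s*"%s"' % re.escape(port), tag):
            return CIPHERS.sub(fix_list, tag)
        return tag
    return CONNECTOR.sub(fix_tag, xml_text), added

def patch_file(path):
    """Back up and edit the real file; resolve() follows the casaats symlink."""
    real = Path(path).resolve()
    text = real.read_bytes().decode("utf-8")      # bytes keep line endings as-is
    updated, added = add_ciphers(text)
    if added:
        shutil.copy2(real, real.with_name(real.name + ".bak"))  # step 2
        real.write_bytes(updated.encode("utf-8"))
    return added

if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, "added:", patch_file(name) or "nothing (already present)")
```

Pass the server.xml paths from steps 1 and 5 as arguments, then restart the services as in step 6; running it a second time changes nothing.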