Environment
Novell ZENworks Configuration Management 11.3
Novell ZENworks Configuration Management 11.2
Novell ZENworks Configuration Management 11.1
Novell ZENworks Configuration Management 11
Situation
After applying the Schannel SSL settings changes given as the workaround for FREAK in "Microsoft Security Advisory 3046015" (https://technet.microsoft.com/library/security/3046015#_Apply_Workarounds or https://technet.microsoft.com/en-us/library/security/ms15-031.aspx), ZENworks agents fail to communicate with the zone on the SSL port.
NOTE: This problem does not occur after applying the fix for MS15-031, just the workaround.
ERROR: (from zmd-messages.log):
[DEBUG] [03/09/2015 09:08:41.056] [13072] [ZenworksWindowsService] [44] [] [ConnectMan-ping] [] [web request exception: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetResponse()
Resolution
This is fixed in version 11.4 - see KB 7016614 "ZENworks Configuration Management 11 SP4 (11.4.0) - update information and list of fixes" which can be found at https://support.microfocus.com/kb/doc.php?id=7016614
- Navigate to the tomcat conf folder:
  Windows: %ZENWORKS_HOME%\share\tomcat\conf
  Linux: /opt/novell/zenworks/share/tomcat/conf
- Make a backup of server.xml
- Modify server.xml as follows:
  Find the section within the tag <Connector port="443" starting with ciphers="
- Within the ciphers=" section add more ciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  NOTE: Ensure that the final list of ciphers is comma delimited and enclosed by double quotes to preserve the original format.
- For external casa service do the same (backup and modify) for the following files:
  Windows: %ZENWORKS_HOME%\share\ats\catalinabase\conf\server.xml
  Linux:
  Go to /srv/www/casaats/conf
  Get a listing to find the file used by soft link for server.xml. Example: server.xml -> /srv/www/casaats/conf/server-sun.xml
  Backup and modify the original file (for the example above /srv/www/casaats/conf/server-sun.xml)
  Make the changes to add the new ciphers.
- Restart the ZENworks services (novell-zenworks-configure -c Start select restart and enter twice).
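
The server.xml edit from the steps above, as an added Python example that is not Novell's own tooling. It appends the two cipher suites to the ciphers=" list of the port 443 connector only when they are missing; the function names, the .bak backup name and the sample XML are assumptions made for illustration.

```python
import re
import shutil

# The two cipher suites the article says to add.
REQUIRED = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]

CONNECTOR_RE = re.compile(r'<Connector\b[^>]*\bport="443"[^>]*>')
CIPHERS_RE = re.compile(r'\bciphers="([^"]*)"')

# Constructed sample, not a real ZENworks server.xml.
SAMPLE = '''<Server>
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="443" SSLEnabled="true"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA" />
</Server>
'''

def add_ciphers(xml_text, required=REQUIRED):
    """Return (new_text, added): missing suites appended to the port-443 connector."""
    added = []

    def fix(match):
        tag = match.group(0)
        cm = CIPHERS_RE.search(tag)
        if cm is None:
            return tag  # no explicit cipher list on this connector; leave it
        # Compare whole names: ..._CBC_SHA is a prefix of ..._CBC_SHA256,
        # so a substring test would wrongly report it as present.
        current = [c.strip() for c in cm.group(1).split(",") if c.strip()]
        missing = [c for c in required if c not in current]
        if not missing:
            return tag
        added.extend(missing)
        # Rewrite as one comma-delimited, double-quoted list.
        return tag[:cm.start(1)] + ",".join(current + missing) + tag[cm.end(1):]

    return CONNECTOR_RE.sub(fix, xml_text), added

def patch_file(path):
    """Back up path to path + '.bak', then add the missing suites in place."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, added = add_ciphers(text)
    if added:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return added
```

Call patch_file() on the real file rather than the soft link, so the backup lands next to the file that is actually modified.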