Environment
NetIQ Access Manager 4.0
Situation
A penetration test was carried out on the NAM environment before go-live. The main findings returned were the following:
Secure Client-Initiated Renegotiation: Supported (DoS DANGER)
Insecure Client-Initiated Renegotiation: Supported (INSECURE)
More information is available on the Qualys site: https://community.qualys.com/blogs/securitylabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered
Client-Initiated Renegotiation should be disabled by default, yet on the NAM 4.0 Identity Server it was enabled.
Resolution
Modify /opt/novell/nam/idp/conf/tomcat7.conf on the NAM 4.0 IDP to disable support for Client-Initiated Renegotiation by adding the following line, then restart the Identity Server:
JAVA_OPTS="${JAVA_OPTS} -Dsun.security.ssl.allowUnsafeRenegotiation=true"
Note:
a) This issue does not exist on the NAM or AG appliance.
b) This is fixed in NAM 4.1.
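To verify the IDP after the change and restart, the following added check (not part of this TID) sends the openssl s_client "R" (renegotiate) command to an endpoint and classifies the response; the text patterns matched, the idp.example.com host name and the -no_tls1_3 option are assumptions about the OpenSSL output and version in use.

```shell
#!/bin/sh
# Added example, not from the TID: probe a TLS endpoint for client-initiated
# renegotiation and classify what openssl s_client prints back.

# Classify captured s_client output after an 'R' command.
# Prints one of: rejected | accepted | unknown | not-attempted
# (the matched phrases are an assumption about OpenSSL's text output)
classify_renegotiation() {
  out="$1"
  case "$out" in
    *"no renegotiation"*|*"handshake failure"*|*"errno="*|*"unexpected message"*)
      echo rejected ;;            # server refused the renegotiation
    *RENEGOTIATING*"verify return"*)
      echo accepted ;;            # a second cert verification ran: renegotiation completed
    *RENEGOTIATING*)
      echo unknown ;;             # renegotiation attempted, outcome not recognised
    *)
      echo not-attempted ;;       # s_client never reached the 'R' command
  esac
}

# Probe host:port. "R" on stdin makes s_client request a renegotiation; the
# sleep keeps stdin open long enough for the server's answer to arrive.
# -no_tls1_3 is used because TLS 1.3 has no renegotiation (assumes OpenSSL 1.1.1+).
check_renegotiation() {
  host="$1"; port="${2:-443}"
  out=$( (printf 'R\n'; sleep 2) | openssl s_client -connect "$host:$port" \
         -servername "$host" -no_tls1_3 2>&1 )
  classify_renegotiation "$out"
}

# Constructed sample outputs (not real captures) for an offline self-check.
SAMPLE_REJECTED='CONNECTED(00000003)
depth=0 CN = idp.example.com
verify return:1
RENEGOTIATING
140000:error:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure'
SAMPLE_ACCEPTED='CONNECTED(00000003)
depth=0 CN = idp.example.com
verify return:1
RENEGOTIATING
depth=0 CN = idp.example.com
verify return:1'

self_check() {
  [ "$(classify_renegotiation "$SAMPLE_REJECTED")" = rejected ] || return 1
  [ "$(classify_renegotiation "$SAMPLE_ACCEPTED")" = accepted ] || return 1
  echo ok
}
```

Run `check_renegotiation idp.example.com 8443` against your own IDP; "rejected" is the expected result once Client-Initiated Renegotiation is disabled.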