
SSL vulnerability in Tivoli Monitoring Agent

I am fixing some deviations on a Windows Server 2008, and in the scan results the vulnerability "SSL Enabled Server Supports Medium Strength SSL Encryption Certificates/Ciphers" appeared on port 7756. The application that is running on that port is kntcma (Tivoli Monitoring agent). I tried to fix this by going to TEMS->Advanced->Edit variables and adding the following lines:

GSK_PROTOCOL_SSLV2=OFF
GSK_PROTOCOL_SSLV3=ON
GSK_V3_CIPHER_SPECS="350A"

Then I restarted the agent and thought that would be enough to solve the vulnerability, but it didn't. The deviation continues to appear and I don't know what else to do to fix it.

You can use certificates... here are some steps to recreate the security certificates:

a) Set properties:

C:\IBM\ITM\InstallITM\GetGSKitHome.bat -> add the output at the beginning of the PATH

Example:

set PATH=C:\IBM\ITM\GSK7;C:\IBM\ITM\GSK7\lib;C:\IBM\ITM\GSK7\bin;%PATH%

C:\IBM\ITM\InstallITM\GetJavaHome.bat -> set the output of this command as the JAVA_HOME

Example:

set JAVA_HOME=C:\IBM\ITM\java\java50\jre

b) Delete and recreate certificates

On 32-bit servers where only the gsk7capicmd utility is available:

set PATH=C:\IBM\ITM\GSK7;C:\IBM\ITM\GSK7\lib;C:\IBM\ITM\GSK7\bin;%PATH%

gsk7capicmd.exe -cert -delete -db C:\IBM\ITM\keyfiles\keyfile.kdb -pw IBM61TIV -label "IBM_Tivoli_Monitoring_Certificate"

On 32-bit servers where the gsk8capicmd utility is available:

set PATH=C:\IBM\ITM\GSK8;C:\IBM\ITM\GSK8\lib;C:\IBM\ITM\GSK8\bin;%PATH%

gsk8capicmd.exe -cert -delete -db C:\IBM\ITM\keyfiles\keyfile.kdb -pw IBM61TIV -label "IBM_Tivoli_Monitoring_Certificate"

On 64-bit servers where only gsk7capicmd_64 is available:

set PATH=C:\IBM\ITM\GSK7_x64;C:\IBM\ITM\GSK7_x64\lib64;C:\IBM\ITM\GSK7_x64\bin;%PATH%

gsk7capicmd_64.exe -cert -delete -db C:\IBM\ITM\keyfiles\keyfile.kdb -pw IBM61TIV -label "IBM_Tivoli_Monitoring_Certificate"

On 64-bit servers where gsk8capicmd_64 is available:

set PATH=C:\IBM\ITM\GSK8_x64;C:\IBM\ITM\GSK8_x64\lib64;C:\IBM\ITM\GSK8_x64\bin;%PATH%

gsk8capicmd_64.exe -cert -delete -db C:\IBM\ITM\keyfiles\keyfile.kdb -pw IBM61TIV -label "IBM_Tivoli_Monitoring_Certificate"

c) Create new certificate

On 32-bit servers where only the gsk7capicmd utility is available:

set PATH=C:\IBM\ITM\GSK7;C:\IBM\ITM\GSK7\lib;C:\IBM\ITM\GSK7\bin;%PATH%

gsk7capicmd.exe -cert -create -db C:\IBM\ITM\keyfiles\keyfile.kdb -pw IBM61TIV -size 4096 -dn "CN=IBM Tivoli Monitoring Self-Signed Certificate,O=IBM Tivoli,C=US" -label "IBM_Tivoli_Monitoring_Certificate" -default_cert yes -expire 3652 -sigalg sha1

On 32-bit servers where the gsk8capicmd utility is available:

set PATH=C:\IBM\ITM\GSK8;C:\IBM\ITM\GSK8\lib;C:\IBM\ITM\GSK8\bin;%PATH%

gsk8capicmd.exe -cert -create -db C:\IBM\ITM\keyfiles\keyfile.kdb -pw IBM61TIV -size 4096 -dn "CN=IBM Tivoli Monitoring Self-Signed Certificate,O=IBM Tivoli,C=US" -label "IBM_Tivoli_Monitoring_Certificate" -default_cert yes -expire 3652 -sigalg sha1

On 64-bit servers where the gsk7capicmd_64 utility is available:

set PATH=C:\IBM\ITM\GSK7_x64;C:\IBM\ITM\GSK7_x64\lib64;C:\IBM\ITM\GSK7_x64\bin;%PATH%

gsk7capicmd_64.exe -cert -create -db C:\IBM\ITM\keyfiles\keyfile.kdb -pw IBM61TIV -size 4096 -dn "CN=IBM Tivoli Monitoring Self-Signed Certificate,O=IBM Tivoli,C=US" -label "IBM_Tivoli_Monitoring_Certificate" -default_cert yes -expire 3652 -sigalg sha1

On 64-bit servers where the gsk8capicmd_64 utility is available:

set PATH=C:\IBM\ITM\GSK8_x64;C:\IBM\ITM\GSK8_x64\lib64;C:\IBM\ITM\GSK8_x64\bin;%PATH%

gsk8capicmd_64.exe -cert -create -db C:\IBM\ITM\keyfiles\keyfile.kdb -pw IBM61TIV -size 4096 -dn "CN=IBM Tivoli Monitoring Self-Signed Certificate,O=IBM Tivoli,C=US" -label "IBM_Tivoli_Monitoring_Certificate" -default_cert yes -expire 3652 -sigalg sha1

You can find more information at this link.
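The `GSK_V3_CIPHER_SPECS` value in the question is a string of two-hex-digit GSKit cipher codes. As an added example (not part of the original question or answer), the following decodes such a string and rates each suite, assuming the common scanner convention that 3DES and keys of 64 to under 112 bits count as medium strength; the code table is a partial list of the classic RSA suites and the function names are illustrative.

```python
# Added example: decode a GSKit V3 cipher-spec string such as "350A".
# Each two-hex-digit code is the low byte of the IANA suite id (0x00,0xNN).
# Partial table of the classic RSA suites: code -> (name, key bits).
GSK_V3_SUITES = {
    "01": ("SSL_RSA_WITH_NULL_MD5", 0),
    "02": ("SSL_RSA_WITH_NULL_SHA", 0),
    "03": ("SSL_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    "06": ("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 40),
    "09": ("SSL_RSA_WITH_DES_CBC_SHA", 56),
    "0A": ("SSL_RSA_WITH_3DES_EDE_CBC_SHA", 112),
    "2F": ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    "35": ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
}


def parse_specs(value):
    """Split a cipher-spec value into its two-character codes, in order."""
    v = value.strip().strip('"').upper()
    if not v or len(v) % 2:
        raise ValueError("expected a non-empty string of two-digit hex codes")
    return [v[i:i + 2] for i in range(0, len(v), 2)]


def classify(code):
    """Return (code, suite name, strength) for one code."""
    name, bits = GSK_V3_SUITES.get(code, ("not in table", None))
    # ASSUMPTION: scanner convention; check your scanner's own thresholds.
    if bits is None:
        strength = "unknown"
    elif bits == 0:
        strength = "none"
    elif bits < 64:
        strength = "low"
    elif bits < 112 or "3DES" in name:
        strength = "medium"
    else:
        strength = "high"
    return code, name, strength


def audit(value):
    return [classify(code) for code in parse_specs(value)]


def flagged(value):
    """Codes not rated high under the assumed convention (unknowns included)."""
    return [code for code, _, strength in audit(value) if strength != "high"]
```

For the value in the question, `flagged("350A")` returns `["0A"]`, the 3DES suite.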
