Systems Management Forums

SSL Weak Ciphers - revisited

Systems Management
Dell Systems Management Solutions: Dell OpenManage, iDRAC, Repository Manager, Microsoft SCCM, Chassis Management Controller, and more

  • This is a very old issue for Dell OMSA. Why doesn't Dell install OMSA with a default of "128-bit or Higher" rather than having us take extra steps to lock it down? With security requirements being tighter due to more aggressive attacks, it would seem more appropriate to use the stronger cipher value by default.

    It appears that after fixing all of my servers that were at version 5.9 or 6.1, the setting reverted to "Auto-Negotiate" when I upgraded them to version 6.5. I'm not 100% sure, but that appears to be the trend from the ones I've looked at so far.

    When the Nessus cyber security scanning tool reports weak ciphers on port 1311 within the server when referencing Dell OMSA, it is likely that the webserver portion of the local client is not set to a 128-bit or higher cipher. You can either go into each client (labor intensive) and make the change in the OMSA GUI, replace the keystore.ini file with one that includes the higher cipher, or add the code on the "cipher_suites" line shown below.

    C:\Program Files\Dell\SysMgt\iws\config\keystore.ini (or under Program Files (x86) if you have a 64-bit OS)

    Correct Code
    ================================================================
    keystore_file = ./config/keystore.db
    keystore_type = JKS
    protocol = TLS
    key_algorithm = SunX509
    provider_classfile = com.sun.net.ssl.internal.ssl.Provider
    authenticate_client = n
    cipher_suites=SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    supported_key_signing_algorithms=MD5,SHA1,SHA256,SHA512
    key_signing_algorithm=SHA1

    The issue was brought up back in 2007. Here's the reference:

    http://en.community.dell.com/support-forums/servers/f/177/t/18523153.aspx
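    The keystore.ini change described in the post, scripted so it can be audited and applied across many servers without opening each GUI. This is an added example, not Dell's or the poster's code: it assumes the key = value layout shown in the post's "Correct Code" block, takes its target cipher list from that block, uses the post's file path as the default, and works on constructed sample files (one with no cipher_suites key, as the post reports after an upgrade, and one listing a 56-bit DES suite) so it runs offline.

```python
"""Audit and set the cipher_suites line of an OMSA keystore.ini.

Added example, not Dell's code: it assumes the key = value layout shown in
the post and uses the post's "Correct Code" list as the target.
"""
import re
import sys
from pathlib import Path

# Path from the post; on 64-bit Windows OMSA lives under Program Files (x86).
DEFAULT_INI = Path(r"C:\Program Files\Dell\SysMgt\iws\config\keystore.ini")

# Target list taken verbatim from the post's "Correct Code" block.
TARGET_SUITES = [
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
]

# Matches the key with or without spaces around "=", as both forms appear in the post.
_CIPHER_LINE = re.compile(r"^\s*cipher_suites\s*=\s*(.*?)\s*$", re.IGNORECASE)


def get_cipher_suites(ini_text):
    """Return the configured suite names; [] when the key is absent
    (the "Auto-Negotiate" state the post reports after an upgrade)."""
    for line in ini_text.splitlines():
        m = _CIPHER_LINE.match(line)
        if m:
            return [s.strip() for s in m.group(1).split(",") if s.strip()]
    return []


def missing_suites(ini_text, target=TARGET_SUITES):
    """Target suites the file does not list."""
    current = set(get_cipher_suites(ini_text))
    return [s for s in target if s not in current]


def unexpected_suites(ini_text, target=TARGET_SUITES):
    """Configured suites outside the allow-list: what a scanner would flag."""
    allowed = set(target)
    return [s for s in get_cipher_suites(ini_text) if s not in allowed]


def set_cipher_suites(ini_text, target=TARGET_SUITES):
    """Return ini_text with cipher_suites set to target, other lines untouched.
    Idempotent: an existing line is replaced in place, duplicate keys dropped,
    and the line is appended only when the key is absent."""
    new_line = "cipher_suites=" + ",".join(target)
    out, replaced = [], False
    for line in ini_text.splitlines():
        if _CIPHER_LINE.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def needs_change(ini_text, target=TARGET_SUITES):
    """True when the file's list differs from target in membership."""
    return bool(missing_suites(ini_text, target) or unexpected_suites(ini_text, target))


def apply_to_file(path, dry_run=True):
    """Report, and unless dry_run, rewrite the file keeping a .bak copy.
    Returns True when a change was (or would be) made."""
    text = path.read_text(encoding="utf-8")
    if not needs_change(text):
        return False
    if not dry_run:
        path.with_name(path.name + ".bak").write_text(text, encoding="utf-8")
        path.write_text(set_cipher_suites(text), encoding="utf-8")
    return True


# Constructed samples (not real files): one without the key, as after an
# upgrade reset to Auto-Negotiate, and one that lists a 56-bit DES suite.
SAMPLE_NO_KEY = "keystore_file = ./config/keystore.db\nprotocol = TLS\nauthenticate_client = n\n"
SAMPLE_WEAK = SAMPLE_NO_KEY + "cipher_suites=SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA\n"

if __name__ == "__main__":
    for name, text in (("no_key", SAMPLE_NO_KEY), ("weak", SAMPLE_WEAK)):
        print(name, "missing:", missing_suites(text), "unexpected:", unexpected_suites(text))
    if len(sys.argv) > 1:  # usage: python fix_ciphers.py <path-to-keystore.ini> [--apply]
        changed = apply_to_file(Path(sys.argv[1]), dry_run="--apply" not in sys.argv)
        print("changed" if changed else "already compliant")
```

    Run it without --apply first to see which servers would change; the rewrite keeps a .bak copy beside the file. Because scanners revise what they count as weak over time, the TARGET_SUITES list is the thing to review against the scanner's current policy before pushing it fleet-wide.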

  • Hi, I'm not too sure about this one. You may check in the System Mgt forum to see if more folks can jump in. Though with OME, you can do an omconfig/omremote command to help make it easier to change on a number of servers... something like this maybe.

    omconfig preferences webserver attribute=sslencryption setting=<autonegotiate|128bitorhigher>

    Rob

    sys mgt forum:

    en.community.dell.com/.../4469.aspx

  • Kind of on the same topic, but is it possible to script the recreation of the OMSA SSL cert on a number of servers?

    I'm trying to use Keytool to create a new certificate, yet I can't edit the keystore.db file (it asks for a password that I haven't been able to find anywhere) as it is, and really really really don't want to resort to manually recreating a certificate on 50+ machines from the GUI.

    It would be nice if we could fix this before we installed OMSA...

  • Hi,

    Thanks for your post. You can get more responses if you post it on the system management forum at the link posted by Rob.

    Is there a specific reason you are trying to recreate the certificates on all the servers? The Keystore password is computationally generated for security reasons and will not be found anywhere on the disk.

    Regards

    Abhijit

  • In my case, yes. We have a wildcard SSL cert that we would like to use instead of having to submit separate CSRs for each server (and paying for each individual cert). Since certificates and keys are bound together, we would need the ability to import both the private key and public cert into the keystore, and without the password it is not possible to do this.

    This is a reasonable request and it would be greatly appreciated if information on how to derive the keystore password could be divulged so we can replace the Dell certificate in the keystore with one of our own choosing.

    Thanks.