OMI for VMware fails Nexpose security scans - OpenManage Integration for VMware vCenter - Systems Management - Dell Community

This question is not answered

We are running OMI v4.1 but our institution is going to force us to shut it down because it has so many SSL security vulnerabilities on Nexpose scans (critical and severe).

1. Are there any clear whitepapers on installing SSL certificates obtained from Certificate Authorities?

2. How can we limit the ciphers to those accepted by Nexpose and other scanning software?

3. Can we firewall the ports so they are not globally accessible?

4. We need to turn off port 80 (or at least limit it to a few internal segments). Nexpose highlights this as a critical vulnerability.

Thank you.

Hudson

All Replies
  • In addition, the upload of an SSL certificate obtained from a Certificate Authority does not work correctly.

    We created a pem file with the server certificate based on the certificate request generated by OpenManage Integration for VMware vCenter (OMI). We appended the intermediate and root certificates in the correct order.

    OMI accepted the upload, showed the server certificate in the administrative console, but does not include the intermediate and root certificates when the OMI portal is accessed.

    We tested this using OpenSSL.  OpenSSL only sees the server certificate (not the intermediates and root), and fails the site with an error 21-- "unable to verify the first certificate".

    Nexpose security scans (which use OpenSSL) classify the Dell OMI portal as a severe security vulnerability because of this bug in handling the intermediate and root certificates.

    Has anyone successfully uploaded a complete certificate file to Dell OMI and used OpenSSL to confirm that it is working correctly?

    Hudson

  • During upload of the certificate in the administrative console, did you get any errors? Anyway, I will check for more information on "OpenSSL only sees the server certificate (not the intermediates and root), and fails the site with an error 21-- 'unable to verify the first certificate'" and get back to you.

  • Thank you for taking an interest in this.

    No, during upload of the certificate there were no errors displayed.

    I experimented with the upload. As long as the primary certificate (the one specific to the certificate request) is the correct certificate (not for a different server) and as long as it appears at the top of the .pem file, OMI for VMware accepts the .pem file.

    It accepts the .pem file if there is only the primary certificate in it, and also accepts the .pem file if it contains the primary certificate and the intermediates and root.

    This leads me to think that (as is done for other servers) the file containing the intermediate and root certificates needs to be placed on the OMI server separately from the primary certificate.

    Hudson

  • GenerateCert.pdf

    Please follow the process contained in the attached file to generate the certificate

  • AppendingCert.pdf

    Please follow the process contained in the attached file to append certificate and apply.

  • That is the process we followed.

    As I mentioned, the primary certificate is a match for the CSR generated on the OMI appliance.

    OMI recognizes and accepts the certificate created by the Certificate Authority.

    What is the webserver that OMI is using? One of the Apaches?

    If you can tell us which Apache webserver and what version, we could check the Apache documentation.

  • Server version: Apache Tomcat/7.0.35

  • I will check on this.

    Thank you.

  • Documentation for Apache Tomcat v7.0

    http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

    Look halfway down the page at "Installing a Certificate from a Certificate Authority".

    The Chain Certificate (what I was calling the intermediate and root certificates) is imported into the keystore separately.  This allows you to have several certificates for different IP addresses in the same Tomcat WebServer, all referring to the same Chain Certificate.

    The process Dell is providing for uploading the Certificate from the Certificate Authority does not include importing the Chain Certificate.  That is why the certificate is not complete and does not pass OpenSSL testing. (And fails Nexpose Security Risk testing).

  • If you can tell me how to putty into Dell OMI VV, I can install the Chain Certificate into the keystore and get this to work.

    Thank you.

    Hudson

  • Please contact the tech support team in order to putty to the OMIVV.
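
The OpenSSL check discussed in the replies above (the portal presents only its own certificate, so verification ends with error 21) can be scripted. This is an added example, not part of the original thread or Dell's tooling: `chain_report` is a hypothetical helper, and the host and CA names in the two transcripts are constructed.

```shell
#!/bin/sh
# Added example. Reads `openssl s_client -showcerts` output on stdin and
# reports which certificates the server actually sent in its handshake.
# Live use (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -showcerts </dev/null 2>/dev/null | chain_report
chain_report() {
    awk '
    /^Certificate chain$/      { in_chain = 1; next }
    in_chain && $0 == "---"    { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    in_chain && /^ *i:/ && n   { sub(/^ *i:/, ""); iss[n - 1] = $0; next }
    /Verify return code:/      { sub(/^.*Verify return code: */, ""); code = $0 }
    END {
        status = "chain-sent"
        for (k = 0; k < n - 1; k++)          # each issuer must be the next subject
            if (iss[k] != subj[k + 1]) status = "chain-broken"
        if (n == 0) status = "no-certificate"
        else if (n == 1 && subj[0] == iss[0]) status = "self-signed"
        else if (n == 1) status = "leaf-only"   # intermediates were not sent
        printf "sent=%d status=%s verify=%s\n", n, status, code
        exit (status == "chain-sent" ? 0 : 1)
    }'
}

# Constructed transcript: the server sends only its own certificate.
sample_leaf_only() {
    cat <<'EOF'
---
Certificate chain
 0 s:CN = omivv.example.test
   i:CN = Example Issuing CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed transcript: the server sends its certificate plus the intermediate.
sample_with_chain() {
    cat <<'EOF'
---
Certificate chain
 0 s:CN = omivv.example.test
   i:CN = Example Issuing CA
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
---
    Verify return code: 0 (ok)
EOF
}

sample_leaf_only | chain_report || true
sample_with_chain | chain_report
```

A `leaf-only` result means the chain certificates are missing from what the server presents, whatever was in the uploaded .pem file.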