March 13th, 2012 12:00

SSL Weak Ciphers - revisited

This is a very old issue for Dell OMSA. Why doesn't Dell install OMSA with a default of "128-bit or Higher" rather than having us take extra steps to lock it down? With security requirements being tighter due to more aggressive attacks, it would seem more appropriate to use the stronger cipher value by default.

It appears that after fixing all of my servers that were at version 5.9 or 6.1, that the setting reverted to "Auto-Negotiate" when I upgraded them to version 6.5. I'm not 100% sure, but that appears to be the trend from the ones I've looked at so far.

When Nessus Cyber Security scanning tool reports weak ciphers on port 1311 within the server when referencing Dell OMSA, it is likely that the webserver portion of the local client is not set to 128-bit or higher cipher. You can either go into each client (labor intensive) and make the change in the OMSA GUI, replace the keystore.ini file with one that includes the higher cipher, or the code needs to be added on the "cipher_suites" line shown below.

C:\Program Files\Dell\SysMgt\iws\config\keystore.ini file (or (X86) if you have a 64-bit OS)

Correct Code
================================================================
keystore_file = ./config/keystore.db
keystore_type = JKS
protocol = TLS
key_algorithm = SunX509
provider_classfile = com.sun.net.ssl.internal.ssl.Provider
authenticate_client = n
cipher_suites=SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
supported_key_signing_algorithms=MD5,SHA1,SHA256,SHA512
key_signing_algorithm=SHA1

The issue was brought up back in 2007. Here's the reference:

http://en.community.dell.com/support-forums/servers/f/177/t/18523153.aspx
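Before pushing a keystore.ini out to dozens of hosts it helps to audit the cipher_suites line mechanically rather than by eye. The script below is an added example, not from this thread or from Dell; it parses the flat key = value layout shown above and flags suites that common scanners report as weak. The weak-marker list (RC4, 3DES/DES, MD5, NULL, EXPORT, anonymous key exchange) and the sample file contents are assumptions constructed here, and the hardened line it emits should still be checked against what the OMSA web server on that version actually accepts.

```python
"""Audit an OMSA keystore.ini cipher_suites line for weak suites.
Added example (not from the thread). The weak-marker list is an
assumption reflecting common scanner policy, not OMSA documentation."""

# Substrings that mark a suite as weak (assumption, see module docstring).
WEAK_MARKERS = ("RC4", "3DES", "DES_", "MD5", "NULL", "EXPORT", "anon")

# Constructed sample in the thread's keystore.ini layout (not a real file).
SAMPLE_INI = """\
keystore_file = ./config/keystore.db
keystore_type = JKS
protocol = TLS
authenticate_client = n
cipher_suites=SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
key_signing_algorithm=SHA1
"""

def parse_ini(text):
    """Return key -> value; the OMSA file is flat, no [sections]."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def is_weak(suite):
    return any(marker in suite for marker in WEAK_MARKERS)

def audit_cipher_suites(text):
    """Split suites into weak/ok; no cipher_suites line means auto-negotiate."""
    raw = parse_ini(text).get("cipher_suites")
    if raw is None:
        return {"configured": False, "weak": [], "ok": []}
    suites = [s.strip() for s in raw.split(",") if s.strip()]
    return {"configured": True,
            "weak": [s for s in suites if is_weak(s)],
            "ok": [s for s in suites if not is_weak(s)]}

def hardened_line(text):
    """Rebuild the cipher_suites line with the weak suites removed."""
    return "cipher_suites=" + ",".join(audit_cipher_suites(text)["ok"])

if __name__ == "__main__":
    report = audit_cipher_suites(SAMPLE_INI)
    print("weak:", report["weak"])
    print(hardened_line(SAMPLE_INI))
```

Run it against each server's copy of the file (or the one you are about to distribute) and treat a missing cipher_suites line as the "Auto-Negotiate" state the thread describes after an upgrade.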

March 14th, 2012 08:00

Hi, I'm not too sure about this one.  You may check in the System Mgt forum to see if more folks can jump in.  Though with OME, you can do an omconfig/omremote command to help make it easier to change on a number of servers...something like this maybe.

omconfig  preferences webserver attribute=sslencryption setting=

Rob

sys mgt forum:

en.community.dell.com/.../4469.aspx

April 17th, 2012 08:00

Kind of on the same topic, but is it possible to script the recreation of the OMSA SSL cert on a number of servers?

I'm trying to use Keytool to create a new certificate, yet I can't edit the keystore.db file (it asks for a password that I haven't been able to find anywhere) as it is, and really really really don't want to resort to manually recreating a certificate on 50+ machines from the GUI.

It would be nice if we could fix this before we installed OMSA...

Community Manager

April 17th, 2012 09:00

Hi,

Thanks for your post. You can get more responses if you post it on the system management forum at the link posted by Rob.

Is there a specific reason you are trying to recreate the certificates on all the servers? The Keystore password is computationally generated for security reasons and will not be found anywhere on the disk.

Regards

Abhijit

June 8th, 2012 11:00

In my case, yes. We have a wildcard SSL cert that we would like to use instead of having to submit separate CSRs for each server (and paying for each individual cert). Since certificates and keys are bound together, we would need the ability to import both the private key and public cert into the keystore, and without the password it is not possible to do this.

This is a reasonable request and it would be greatly appreciated if information on how to derive the keystore password could be divulged so we can replace the dell certificate in the keystore with one of our own choosing.

Thanks.

May 1st, 2014 09:00

Has anyone figured this out? I too have the same issue. I had a process of replacing the keystore before OMSA switched to using tomcat instead of IBM websphere, and now I can't edit/work with the existing keystore because the password is hidden. I realize I could probably replace the password with one of my choosing but this would be less secure and I would like to avoid it if possible. I have 40+ servers I need to update the keystores for and doing each one manually doesn't seem the smartest way to do it.

May 1st, 2014 13:00

Lios - this is a question on OpenManage Server Administrator (OMSA) and not OpenManage Essentials. You'll have better luck at getting a good answer if you post this question in the general Systems Management forum located here:

http://en.community.dell.com/techcenter/systems-management/f/4469.aspx

 - PPrabhu