hudson8

OMI for VMware fails Nexpose security scans

We are running OMI v4.1, but our institution is going to force us to shut it down because it has so many SSL security vulnerabilities on Nexpose scans (critical and severe).

1. Are there any clear whitepapers on installing SSL certificates obtained from Certificate Authorities?

2. How can we limit the ciphers to those accepted by Nexpose and other scanning software?

3. Can we firewall the ports so they are not globally accessible?

4. We need to turn off port 80 (or at least limit it to a few internal segments). Nexpose highlights this as a critical vulnerability.

Thank you.

Hudson

11 Replies
hudson8

RE: OMI for VMware fails Nexpose security scans

In addition, the upload of an SSL certificate obtained from a Certificate Authority does not work correctly.

We created a .pem file with the server certificate based on the certificate request generated by OpenManage Integration for VMware vCenter (OMI), and appended the intermediate and root certificates in the correct order.

OMI accepted the upload, showed the server certificate in the administrative console, but does not include the intermediate and root certificates when the OMI portal is accessed.

We tested this using OpenSSL. OpenSSL only sees the server certificate (not the intermediates and root), and fails the site with error 21, "unable to verify the first certificate".

Nexpose security scans (which use OpenSSL) classify the Dell OMI portal as a severe security vulnerability because of this bug in handling the intermediate and root certificates.

Has anyone successfully uploaded a complete certificate file to Dell OMI and used OpenSSL to confirm that it is working correctly?

Hudson


RE: OMI for VMware fails Nexpose security scans

During the upload of the certificate in the administrative console, did you get any errors? Anyway, I will check for more information on "OpenSSL only sees the server certificate (not the intermediates and root), and fails the site with error 21, 'unable to verify the first certificate'" and get back to you.

hudson8

RE: OMI for VMware fails Nexpose security scans

Thank you for taking an interest in this.

No, during upload of the certificate there were no errors displayed.

I experimented with the upload. As long as the primary certificate (the one specific to the certificate request) is the correct certificate (not for a different server), and as long as it appears at the top of the .pem file, OMI for VMware accepts the .pem file.

It accepts the .pem file if there is only the primary certificate in it, and also accepts the .pem file if it contains the primary certificate and the intermediates and root.

This leads me to think that (as is done for other servers) the file containing the intermediate and root certificates needs to be placed on the OMI server separately from the primary certificate.

Hudson


RE: OMI for VMware fails Nexpose security scans

Please follow the process contained in the attached file to generate the certificate


RE: OMI for VMware fails Nexpose security scans

Please follow the process contained in the attached file to append certificate and apply.

hudson8

RE: OMI for VMware fails Nexpose security scans

That is the process we followed.

As I mentioned, the primary certificate is a match for the CSR generated on the OMI appliance.

OMI recognizes and accepts the certificate created by the Certificate Authority.

What is the web server that OMI is using? One of the Apaches?

If you can tell us which Apache web server and what version, we could check the Apache documentation.


RE: OMI for VMware fails Nexpose security scans

Server version: Apache Tomcat/7.0.35

hudson8

RE: OMI for VMware fails Nexpose security scans

I will check on this.

Thank you.

hudson8

RE: OMI for VMware fails Nexpose security scans

Documentation for Apache Tomcat v7.0

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

Look halfway down the page at "Installing a Certificate from a Certificate Authority".

The Chain Certificate (what I was calling the intermediate and root certificates) is imported into the keystore separately.  This allows you to have several certificates for different IP addresses in the same Tomcat WebServer, all referring to the same Chain Certificate.

The process Dell is providing for uploading the Certificate from the Certificate Authority does not include importing the Chain Certificate.  That is why the certificate is not complete and does not pass OpenSSL testing. (And fails Nexpose Security Risk testing).
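A worked check for the chain problem discussed in this thread, covering both the "unable to verify the first certificate" result reported earlier and the point above that the chain certificate has to be in the keystore alongside the server certificate. This is an added example, not code from Dell, OMI or Tomcat: it builds a throwaway root / intermediate / server PKI with openssl (constructed test data), shows the leaf failing validation on its own and passing once the intermediate is available, checks that a PEM bundle is ordered leaf first with each issuer matching the next subject before it is uploaded, and packs key, server certificate and chain into a PKCS12 keystore, the form a Tomcat connector loads with keystoreType="PKCS12". The host name, file names and keystore password are assumptions, and whether the OMI appliance lets you replace its Tomcat keystore directly is not established by this thread.

```shell
#!/bin/sh
# Added example (not Dell/OMI/Tomcat code). Builds a throwaway PKI, then checks
# the three things OpenSSL and Nexpose complain about in this thread.
# Host name, file names and the keystore password below are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- constructed PKI: root CA -> intermediate CA -> server certificate --------
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:omi.example.internal
EOF
openssl req -config openssl.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example Root CA" -extensions ca_ext \
  -keyout root.key -out root.pem 2>/dev/null
openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile openssl.cnf -extensions ca_ext -out int.pem 2>/dev/null
openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=omi.example.internal" -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -sha256 -extfile openssl.cnf -extensions server_ext -out server.pem 2>/dev/null

cat int.pem root.pem > chain.pem              # the "chain certificate"
cat server.pem chain.pem > bundle.pem         # leaf first, as uploaded to OMI
cat int.pem server.pem root.pem > wrong.pem   # a mis-ordered bundle, for contrast

# 1. A server presenting only its own certificate: the leaf cannot be chained
#    to the trusted root because the intermediate is missing.
leaf_alone_verifies() {
  openssl verify -CAfile root.pem server.pem >/dev/null 2>&1 && echo yes || echo no
}
# ...and the same leaf once the intermediate is supplied alongside it.
bundle_verifies() {
  openssl verify -CAfile root.pem -untrusted bundle.pem server.pem >/dev/null 2>&1 \
    && echo yes || echo no
}

# 2. Static check of a PEM bundle before uploading it: split it into one file per
#    certificate and require issuer(cert i) == subject(cert i+1), leaf first.
check_chain_order() {
  bundle=$1
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert" n ".pem")}' "$bundle"
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$dir/cert$i.pem" -noout -issuer | sed 's/^[^=]*=//')
    subject=$(openssl x509 -in "$dir/cert$((i + 1)).pem" -noout -subject | sed 's/^[^=]*=//')
    if [ "$issuer" != "$subject" ]; then
      rm -rf "$dir"
      echo "broken at position $i"
      return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  echo "ok ($n certificates, leaf first)"
}

# 3. Keystore with the chain included: Tomcat presents whatever sits in the key
#    entry's chain, so the chain certificates must be in the store, not only the
#    server certificate. Count the certificates that end up in the PKCS12 file.
keystore_cert_count() {
  openssl pkcs12 -export -inkey server.key -in server.pem -certfile chain.pem \
    -name tomcat -passout pass:changeit -out keystore.p12
  openssl pkcs12 -in keystore.p12 -nokeys -passin pass:changeit 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

echo "leaf alone verifies against root: $(leaf_alone_verifies)"          # no
echo "leaf + chain verifies:            $(bundle_verifies)"              # yes
echo "bundle.pem order:                 $(check_chain_order bundle.pem)"
echo "wrong.pem order:                  $(check_chain_order wrong.pem || true)"
echo "certificates in keystore.p12:     $(keystore_cert_count)"         # 3
```

openssl verify reports the missing-intermediate case as error 20 (unable to get local issuer certificate); openssl s_client reports the same gap on a live server as error 21 (unable to verify the first certificate), because in TLS it is the server, not the client, that is expected to send the intermediate. The order check catches the case where a bundle verifies locally (openssl verify does not care about order when it is given the whole file as untrusted input) but would be rejected or truncated by software that expects the leaf first.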
