NetWorker Vulnerability report: SSL Certificate Cannot Be Trusted and SSL Self-Signed Certificate

Running a vulnerability scanner on NetWorker could show the following messages:

• SSL Certificate Cannot Be Trusted
• SSL Self-Signed Certificate

On the following services (default ports):

• GST (9001)
• NetWorker Management Console (NMC) Apache HTTP web (9000)
• Postgres (5432)
• RabbitMQ (5672)
• Auth service (9090)
• NetWorker Web User Interface (NWUI) (9095)

NetWorker installation creates self-signed certificates server.key and server.crt which are needed by the above mentioned different services to run.
Because these are self-singed and not CA-signed certificates, vulnerability scanner tools report this as a vulnerability.

For NetWorker Authentication Service (AUTHC) (9090) and the NetWorker Web User Interface (NWUI) (9095)

• NetWorker: How to Import or Replace Certificate Authority Signed Certificates for "AUTHC" and "NWUI" (Linux)
• NetWorker: How to Import or Replace Certificate Authority Signed Certificates for "AUTHC" and "NWUI" (Windows)

For Postgres (5432), RabbitMQ (5671)

• To fix thix issue, you have to create a CA signed certificate in PEM format for this particular NetWorker server, and then edit the corresponding configuration file to reflect the path where this CA signed is placed.
  There are specific KB articles explaining this in detail.
• Postgres: Follow steps on KB NMC: SSL Certificate Signed Using Weak Hashing Algorithm to edit postgres.conf file.
• RabbitMQ: Check article NetWorker: How to disable port 5672 for DSA-2018-120, to avoid scan software still showing the vulnerability. It contains instructions to harden rabbitmq.config. The rabbitmq.config is where you can set the path to the CA-signed certificate files.

For The NetWorker Management Console (NMC) Server's GST port (9001) and Apache HTTPD Web port (9000):

• See: NetWorker: How to Import or Replace Certificate Authority Signed Certificates for NMC

NetWorker Processes and Ports