MCU 2.5.1 uses Jetty as its backend HTTP web server. Jetty relies on Java for its security protocols such as TLS and its
Oracle Java JRE 1.6.0_111 added support for TLSv1.1, and Oracle Java JRE 1.6.0_121 added support for TLSv1.2. (OpenJDK cannot be used, because a bug found in OpenJDK 1.6.0.34 and higher affects MCU 2.5.1.)
RESOLUTION 1:
Upgrade to MCU 2.5.2 available on the Support Portal.
WORKAROUND 1:
NOTE: Oracle JRE 1.6.0.121+ can be downloaded, but doing so requires an active Oracle support agreement.
Java 1.8 will not work with MCU 2.5.1.
Install the latest Oracle JRE 6
Stop the MCU service
Configure MCU to use the newer JRE 6
LINUX:
Update the JRE path contained in the file /opt/quest/mcu/.install4j/inst_jre.cfg to point to the location of the Oracle Java JRE 1.6.0.121 or higher.
EXAMPLE:
Change /usr/local/java/jre1.6.0_45 to /usr/local/java/jre1.6.0_161
WINDOWS:
Step 1 – Rename the
C:\Program Files (x86)\Quest Software\Management Console for Unix\jre
Step 2 – Define the EXE4J_JAVA_HOME variable in
Update jetty.xml to disable unwanted protocols such as TLSv1, SSLv3, etc. by enabling only the protocols that are wanted.
You can enable protocols by setting the IncludeProtocols under the
This file can be found at:
WINDOWS:
C:\Program Files (x86)\Quest Software\Management Console for Unix\etc\jetty.xml
LINUX:
/opt/quest/mcu# vi etc/jetty.xml
EXAMPLE:
When IncludeProtocols is set, only the protocols in the IncludeProtocols list will be considered by Jetty.
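The following check is an added example, not part of the original article or the vendor's tooling: it reads a jetty.xml and reports any protocol in IncludeProtocols other than TLSv1.1 and TLSv1.2. The XML fragments are constructed samples, and their element layout (an `SslContextFactory` with a `Set`/`Array`/`Item` list) is an assumption based on Jetty's general XML configuration syntax, not MCU's shipped file; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

WANTED = {"TLSv1.1", "TLSv1.2"}  # the protocols this article keeps enabled

# Constructed sample: layout assumed from Jetty's XML syntax, not MCU's real file.
WEAK = """<Configure>
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="IncludeProtocols">
      <Array type="java.lang.String">
        <Item>SSLv3</Item><Item>TLSv1</Item><Item>TLSv1.2</Item>
      </Array>
    </Set>
  </New>
</Configure>"""

# Same constructed sample with only the wanted protocols listed.
HARDENED = WEAK.replace("<Item>SSLv3</Item><Item>TLSv1</Item>",
                        "<Item>TLSv1.1</Item>")


def included_protocols(xml_text):
    """Return the IncludeProtocols list, or None when no such <Set> exists."""
    root = ET.fromstring(xml_text)
    for node in root.iter("Set"):
        if node.get("name", "").lower() == "includeprotocols":
            return [i.text.strip() for i in node.iter("Item") if i.text]
    return None


def audit(xml_text):
    """Return findings; an empty list means only wanted protocols are listed."""
    protos = included_protocols(xml_text)
    if protos is None:
        return ["IncludeProtocols not set: protocol selection is left to defaults"]
    findings = [f"unwanted protocol enabled: {p}"
                for p in protos if p not in WANTED]
    findings += [f"wanted protocol missing: {p}"
                 for p in sorted(WANTED - set(protos))]
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(text) or "OK")
```

To check a real installation, pass the contents of the jetty.xml at the path given below to `audit()`.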
Validate that the new JRE is being used and that the desired Protocols are in use by running MCU from a command line.
WINDOWS:
Open cmd.exe and run
"C:\Program Files (x86)\Quest Software\Management Console for Unix\run_server.exe"
LINUX:
As root or with root privileges
Open terminal and run
$ /opt/quest/mcu/run_server.sh
When MCU server has finished loading look for a line similar to:
This line shows that protocols TLSv1.1 and TLSv1.2 have been enabled out of SSLv2Hello, SSLv3, TLSv1, TLSv1.1 and TLSv1.2, which are supported.
A newer license file will be needed in order for MCU to work with the updated JRE. To get a new license, please contact support.
When attempting to access MCU with an updated JRE 6,
The MCU logs will display the message com.dstc.security.util.licensing.InvalidLicense: Error verifying license: Invalid encoding for signature.
In order to fix
You can download a newer jetty.xml with only TLSv1.1 & TLSv1.2 protocol enabled, with a list of recommended strong