A security audit flags a weak SSL cipher in use on port 9443/tcp.
You may need to enable the more secure ciphers and disable the insecure ones on the Management Console for Unix Server.
WORKAROUND 1:
On Windows 2008 or 2012 servers:
1 - Stop the Quest Management Console for Unix
2 - Back up the jetty.xml file in C:\Program Files (x86)\Quest Software\Management Console for Unix\etc and rename it to jetty.original
3 - Then replace C:\Program Files (x86)\Quest Software\Management Console for Unix\etc\jetty.xml with the attached file. Please note the attachment is at the bottom of this KB.
4 - Restart the service
WORKAROUND 2:
You can provide your own SSL certificate. Please refer to the following KB article about this: How to configure SSL for use with Jetty? How to setup certificate in MCU? (86932)
There is also some information in the Management Console for Unix Admin guide in the Security Chapter under Installing a Product Certificate section.
WORKAROUND 3:
1 - On the MCU server, edit the jetty.xml file in C:\Program Files\Management Console for Unix\etc or C:\Program Files (x86)\Management Console for Unix\etc to exclude the weak ciphers you do not want used.
This can be done by following the documentation provided by Jetty: http://docs.codehaus.org/display/JETTY/SSL+Cipher+Suites
SSL Cipher Suites
The cipher suites used by Jetty SSL are provided by the JVM: http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider.
The ciphers are used in preference order. If a vulnerability is discovered in a cipher (or if it is considered too weak to use), it is possible to exclude it in jetty.xml without the need to update the JVM:
8443
30000
/etc/keystore
OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
OBF:1u2u1wml1z7s1z7a1wnl1u2g
/etc/keystore
OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
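An added example (not from this KB article or the product): a Python check that reads a jetty.xml and reports which of the three suites listed above an SSL connector still fails to exclude. The embedded jetty.xml is constructed, and its connector class name and element layout assume Jetty 6 style XML configuration.

```python
import xml.etree.ElementTree as ET

# Suites named on this page as the ones to exclude.
REQUIRED_EXCLUSIONS = {
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
}

# Constructed sample, not the product's shipped jetty.xml. The connector class
# name is an assumption (Jetty 6 naming); keystore and password settings are omitted.
SAMPLE_JETTY_XML = """\
<Configure id="Server" class="org.mortbay.jetty.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.mortbay.jetty.security.SslSocketConnector">
        <Set name="Port">9443</Set>
        <Set name="ExcludeCipherSuites">
          <Array type="java.lang.String">
            <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>
</Configure>
"""

def audit_connectors(xml_text, required=REQUIRED_EXCLUSIONS):
    """Map each SSL connector's port to the required suites it fails to exclude."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("New"):
        if "ssl" not in conn.get("class", "").lower():
            continue  # heuristic: skip plain HTTP connectors and other objects
        sets = {s.get("name", "").lower(): s for s in conn.findall("Set")}
        port_el = sets.get("port")
        port = (port_el.text or "").strip() if port_el is not None else "?"
        excl_el = sets.get("excludeciphersuites")
        excluded = {(i.text or "").strip() for i in excl_el.iter("Item")} if excl_el is not None else set()
        report[port] = sorted(required - excluded)
    return report

if __name__ == "__main__":
    for port, missing in audit_connectors(SAMPLE_JETTY_XML).items():
        print(port, "missing exclusions:", missing or "none")
```

To check a real file, pass its contents to `audit_connectors()`; an empty list for a port means every suite in `REQUIRED_EXCLUSIONS` is excluded on that connector.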