Super Contributor

Change SHA algorithm in UD agent


Hi:

We want to know which SHA algorithm is used by our UD agents and, if it uses SHA1, change it to SHA256 or better.

How can we perform this?

We performed "nmap --script ssl* -p 2738 <IP_UD_AGENT>" against a UD agent and it returned this:

PORT STATE SERVICE VERSION
2738/tcp open ssl/ndl-tcp-ois-gw?
|_ssl-date: TLS randomness does not represent time
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| Weak certificate signature: SHA1
|_ least strength: A
|_sslv2-drown:


Any command or info to perform this?


Thanks.

Accepted Solutions
Micro Focus Expert

Re: Change SHA algorithm in UD agent

Were the UDAs installed a long time ago?
How old are the UDA credentials? When were they generated?

If the UDA credentials are old then they might still be on SHA-1. We introduced SHA-2 a long time ago.
The UD agents rely on OpenSSL for cryptography – they do not have any proprietary crypto implementation.

Quoting an architect:
"When configuring OpenSSL, the agents explicitly disable any earlier protocols than TLS 1.2. You should be able to validate this by running a tool like nmap. As for the hash used in the certificate, it depends on what kind of agent credential is used:
• Agent credentials derived from very old DDMI certificates/keys might still have MD5
• Newer DDMI certificates/older UD agent credentials would have SHA1 hash used
• Newer UD agent credentials use SHA-2 hash (SHA512)

To see what hash is used on your certificates, export the public certificates from the UDA credential – you should get the file acstrust.cert. Rename or copy this file to have a .crt extension, e.g. acstrust.crt, then right-click it in Windows Explorer, select Open, and on the Details tab you should see the hash used."

Hope this helps.
Kind regards,
Bogdan Mureșan
EMEA CMS Technical Success

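As an added example (not from this thread and not Micro Focus code), a small Python script that reads the exported acstrust.cert, in PEM or DER form, and reports the certificate's signature algorithm, which is the same value the Windows Details tab shows. It assumes the file is a standard X.509 certificate; sample_cert builds a constructed, not real, certificate skeleton so the parser can be exercised offline.

```python
import base64
# OID -> signature algorithm name, covering the hashes discussed in this thread
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
            "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID content bytes to dotted form (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: this arc is complete
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_bytes):
    """Return the certificate's outer signatureAlgorithm name (or raw OID if unknown)."""
    if b"-----BEGIN" in cert_bytes:         # PEM input: strip armour, base64-decode
        body = cert_bytes.split(b"-----BEGIN CERTIFICATE-----")[1].split(b"-----END")[0]
        cert_bytes = base64.b64decode(body)
    _, cert, _ = _tlv(cert_bytes, 0)        # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, pos = _tlv(cert, 0)               # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)          # signatureAlgorithm ::= AlgorithmIdentifier
    _, oid_raw, _ = _tlv(alg_id, 0)         # its first element is the algorithm OID
    oid = _decode_oid(oid_raw)
    return SIG_OIDS.get(oid, oid)

def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert(oid_last_byte):
    """Constructed sample, NOT a real certificate: X.509 outer layout with a dummy body."""
    tbs = _der(0x30, b"\x02\x01\x01" + b"\x00" * 200)    # >127 bytes: exercises long form
    oid = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01" + bytes([oid_last_byte])
    alg = _der(0x30, oid + b"\x05\x00")                    # OID followed by NULL parameters
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 16))
```

Run signature_algorithm(open("acstrust.cert", "rb").read()) against the exported file; md5WithRSAEncryption or sha1WithRSAEncryption identifies the old DDMI-era credential described above, while the SHA-2 names match a freshly generated UD credential.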

9 Replies
Micro Focus Expert

Re: Change SHA algorithm in UD agent

What's the version of your UDA?
Kind regards,
Bogdan Mureșan
EMEA CMS Technical Success
Super Contributor

Re: Change SHA algorithm in UD agent


UDA version is 11.60.000.584

UCMDB version is 2019.02 with CP 2019.11.102 and DK 2019.12

Acclaimed Contributor

Re: Change SHA algorithm in UD agent


I believe the quoted architect is mixing up hashing in TLS/SSL and hashing of the certificate. Nmap is checking the TLS ciphers and is saying that, no matter what the certificate in the UD Agent is, the communication may be using SHA with AES128, which is considered a somewhat weak cipher. This means that since the SHA1 hash has fewer bits, an interceptor can inject a packet with different content but matching the same hash value and break the communication stream.

So it is still a valid question. The cipher algorithms are dependent on the configuration with which the UD Agent is compiled by default. In order to exclude this cipher from there, a new UD agent version would have to be delivered, but all the cipher changes may lead to incompatibility with older versions of Data Flow Probes.

Another question is whether @chuchi has secured everything else from the Hardening Guide before considering the UD hashes an issue.

Likes are appreciated!
Micro Focus Expert

Re: Change SHA algorithm in UD agent

The weak ciphers were excluded 2-3 years ago. In the last 2 years we had a lot of them excluded directly in the code on a lot of the flows, including the UDA flow.

I remember when we implemented the option to connect over SSL to a MSSQL DB, the code was filled with rules and exceptions on wrapper, on the JDBC driver, on DAL, etc. UDA was under the same security scrutiny.
Kind regards,
Bogdan Mureșan
EMEA CMS Technical Success
Acclaimed Contributor

Re: Change SHA algorithm in UD agent


haha, and two years later @chuchi considers TLS_RSA_WITH_AES_128_CBC_SHA weak as well 🙂 

Likes are appreciated!
Micro Focus Expert

Re: Change SHA algorithm in UD agent

We had a lot of security-related changes in 10.30 and 10.33, especially since with 10.32 we no longer support DDMi, so that would be the biggest reason for the UDA hardening.
In 2019.02 or .05 we've redone the FIPS certifications so such old security standards were out of the question, they weren't allowed anywhere.
Kind regards,
Bogdan Mureșan
EMEA CMS Technical Success
Super Contributor

Re: Change SHA algorithm in UD agent


Great explanation, John.

Our UDA credentials are derived from the DDMI migration, so following the steps you mentioned (rename the file and open it in Windows, Details tab) the result is MD5.

For testing purposes, we generated new UD credentials and the result is SHA512.


In the next few days we will try to change the credentials of every UD agent to new ones (SHA512).

Thank you very much.

Micro Focus Expert

Re: Change SHA algorithm in UD agent


Good to know. We suspected that this may be the root cause.

Most likely you will have to redeploy your UDAs or change the certificates on the UDA side. It will be tricky as UdUniqueID is involved and you need to test it so you won't end up with duplicate nodes.

Kind regards,
Bogdan Mureșan
EMEA CMS Technical Success