Fortify SSC vulnerability
Any help appreciated trying to solve this problem...
Running Fortify SSC and runtime 4.21.
A Trustwave vulnerability scan detected a vulnerability on port 10234 of the server that our SSC is installed on, because a certificate is returned from that port that is signed with a SHA1 algorithm and has "CN = Fortify Runtime Controller 360 Server Controller" as the subject.
Our "web portal" for the SSC is accessible over port 8443 and is secured with a self-signed SHA256 certificate with the subject of CN=UNKNOWN.
When we direct port 10234 with a connector in the server.xml file to use the defined keystore, the browser will show the correct, stronger certificate; however, the clients will not connect. After adding the certificate to the client's respective keystore or cacerts keystore, they still will not attach to the server.
We need to determine how we secure port 10234 with a stronger certificate. Where is that configured? Do I need to add something to the rt_config.xml file on the client servers to specify the keystore, alias, or certificate?
This server is running Tomcat 7 on Win 2012 R2 server.