
Fortify SSC vulnerability

Any help appreciated trying to solve this problem...

Running Fortify SSC and runtime 4.21.

A Trustwave vulnerability scan detected a vulnerability on port 10234 of the server that our SSC is installed on, because the certificate returned from that port is signed with a SHA-1 algorithm and has "CN = Fortify Runtime Controller 360 Server Controller" as its subject.

Our "web portal" for the SSC is accessible over port 8443 and is secured with a self-signed SHA-256 certificate with the subject CN=UNKNOWN.

When we direct port 10234, via a connector in the server.xml file, to use the defined keystore, the browser shows the correct, stronger certificate; however, the clients will not connect. Even after adding the certificate to the clients' respective keystore or cacerts keystore, they still will not attach to the server.

We need to determine how we secure port 10234 with a stronger certificate. Where is that configured? Do I need to add something to the rt_config.xml file on the client servers to specify the keystore, alias, or certificate?

This server is running Tomcat 7 on Windows Server 2012 R2.
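To confirm which certificate a given port actually serves, and whether its signature algorithm is SHA-1 (the finding the scan reported for port 10234), the following added script reads the outer signatureAlgorithm OID straight from the DER certificate using only the Python standard library. It is example code written for this thread, not part of the original post or of Fortify's tooling; `check_port` assumes a reachable host and port, and `make_sample_cert` builds a constructed, non-real DER structure purely so the parser can be exercised offline.

```python
import ssl

# Common signatureAlgorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758); True marks SHA-1 based ones
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10040.4.3": ("dsa-with-sha1", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name, is_sha1) for the outer signatureAlgorithm of a DER certificate."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, _, pos = _tlv(cert, 0)               # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)             # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_raw, _ = _tlv(alg, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = _decode_oid(oid_raw)
    name, weak = SIG_OIDS.get(oid, ("unknown (" + oid + ")", False))
    return oid, name, weak

def check_port(host, port):
    """Fetch the certificate a live port serves (assumed reachable) and classify it."""
    der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    return signature_algorithm(der)

def make_sample_cert(oid_content):
    """Constructed minimal DER: empty tbsCertificate, given sigAlg OID, dummy signature (not a real cert)."""
    alg = b"\x06" + bytes([len(oid_content)]) + oid_content + b"\x05\x00"
    body = b"\x30\x00" + b"\x30" + bytes([len(alg)]) + alg + b"\x03\x02\x00\xff"
    return b"\x30" + bytes([len(body)]) + body
```

Running `check_port("sschost", 10234)` and `check_port("sschost", 8443)` side by side shows whether the connector change actually replaced the SHA-1 certificate on the client port.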


We were notified by Fortify support that there is no solution to this problem.

They have indicated that an enhancement request has been submitted on our behalf.
