allenmorris (Absent Member)

IDM 4.0.1 User App - weak ephemeral Diffie-Hellman public key


Good morning all.

We are running IDM 4.0.1 and using the User App to allow password
changes from off site. We have set up password expiry notification to
our users.

A few months ago Firefox went to a higher encryption standard, which did
not affect us all that much. Now that Chrome has also implemented these
higher requirements we are being called at least once a day with folks
getting the "weak ephemeral Diffie-Hellman public key" error.

I have done some research and I was able to fix the "weak key" when
accessing the server with iManager by making changes to the Tomcat
server.xml file. These changes do not seem to affect the User App, only
iManager. My guess is the User App uses a different Tomcat setup
somewhere.

We are in the process of updating to SSPR and IDM 4.5, though these
updates are sure to take a while to implement. In the interim, though, I
am wondering if there is a workaround I can use with the User App?

Any suggestions would be greatly appreciated.

Thanks,

Allen


--
allenmorris
------------------------------------------------------------------------
allenmorris's Profile: https://forums.netiq.com/member.php?userid=1565
View this thread: https://forums.netiq.com/showthread.php?t=54263

5 Replies

Knowledge Partner

Re: IDM 4.0.1 User App - weak ephemeral Diffie-Hellman public key

On 9/9/2015 10:14 AM, allenmorris wrote:
>
> Good morning all.
>
> We are running IDM 4.0.1 and using the User App to allow password
> changes from off site. We have set up password expiry notification to
> our users.
>
> A few months ago Firefox went to a higher encryption standard, which did
> not affect us all that much. Now that Chrome has also implemented these
> higher requirements we are being called at least once a day with folks
> getting the "weak ephemeral Diffie-Hellman public key" error.
>
> I have done some research and I was able to fix the "weak key" when
> accessing the server with iManager by making changes to the Tomcat
> server.xml file. These changes do not seem to affect the User App, only
> iManager. My guess is the User App uses a different Tomcat setup
> somewhere.
>
> We are in the process of updating to SSPR and IDM 4.5, though these
> updates are sure to take a while to implement. In the interim, though, I
> am wondering if there is a workaround I can use with the User App?


The User App 4.0.x runs in one of three Web Application servers:
JBoss
WebLogic
WebSphere

In 4.5 I think they dropped WebLogic and added Tomcat.

So yes, you found the server.xml for Tomcat, which is iManager's
Tomcat. You most likely need JBoss.

/opt/novell/idm/jboss/server/IDMProv/deploy/jbossweb.sar/server.xml (U
mean, duh, like of course?) is probably something like the path you
need, then just add an entry like:


<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/some.keystore"
keystorePass="somepassword" keyAlias="someAlias"
sslProtocols="TLSv1,TLSV1.1,TLSV1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"/>


allenmorris (Absent Member)

Re: IDM 4.0.1 User App - weak ephemeral Diffie-Hellman public key


geoff,

Thanks for the reply.

Well, that fixed the "weak cipher" problem, I think. Now I'm getting a
"can't establish connection to server".

I've included the connector code. Does it look okay? I should note we
are using port 8543 for the password portal.

<!-- Original Connector conf commented out to make changes to cipher
- FAM 9/9/15 -->
<!-- <Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="/opt/novell/idm/jre/bin/wildcard.keystore"
keystorePass="changeit" sslProtocol = "TLS" /> -->

<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443/8543" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="/opt/novell/idm/jre/bin/deleted.keystore"
keystorePass="deleted" sslProtocols="TLSv1,TLSV1.1,TLSV1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS
_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH
_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC _SHA/>

Thanks for the help.

Oh, I tried to stop/start JBoss through the CLI (./shutdown.sh -S and
./run.sh) and it is saying it cannot find java. Am I typing something
incorrectly?

Thanks,

Allen



allenmorris (Absent Member)

Re: IDM 4.0.1 User App - weak ephemeral Diffie-Hellman public key


geoff,

Found the JBoss start and stop scripts in /var/opt/idm.

They look to be working fine.

Thanks,

Allen



Knowledge Partner

Re: IDM 4.0.1 User App - weak ephemeral Diffie-Hellman public key

On 9/9/2015 12:04 PM, allenmorris wrote:
>
> geoff,
>
> Thanks for the reply.
>
> Well, that fixed the "weak cipher" problem, I think. Now I'm getting a
> "can't establish connection to server".
>
> I've included the connector code. Does it look okay? I should note we
> are using port 8543 for the password portal.
>
> <!-- Original Connector conf commented out to make changes to cipher
> - FAM 9/9/15 -->
> <!-- <Connector protocol="HTTP/1.1" SSLEnabled="true"
> port="8443" address="${jboss.bind.address}"
> scheme="https" secure="true" clientAuth="false"
> keystoreFile="/opt/novell/idm/jre/bin/wildcard.keystore"
> keystorePass="changeit" sslProtocol = "TLS" /> -->
>
> <Connector protocol="HTTP/1.1" SSLEnabled="true"
> port="8443/8543" address="${jboss.bind.address}"


I do not think the syntax 8443/8543 will work. But I just do not know.
Obviously I intended you to customize to your environment. I grabbed the
key parts; the sslProtocols and ciphers bits are the way to go.

So I would edit your original and add in:
sslProtocols="TLSv1,TLSV1.1,TLSV1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS
_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH>
_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC _SHA


Ok, I copied that from the quoted text so do not use that literally,
copy it properly, I think more like this:


sslProtocols="TLSv1,TLSV1.1,TLSV1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS
_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH
_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC _SHA


> scheme="https" secure="true" clientAuth="false"
> keystoreFile="/opt/novell/idm/jre/bin/deleted.keystore"
> keystorePass="deleted" sslProtocols="TLSv1,TLSV1.1,TLSV1.2"
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS
> _ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH
> _AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC _SHA/>
>
> Thanks for the help.
>
> Oh, I tried to stop/start JBoss through the CLI (./shutdown.sh -S and
> ./run.sh) and it is saying it cannot find java. Am I typing something
> incorrectly?


Try /etc/init.d/jboss_init stop
then: /etc/init.d/jboss_init start

allenmorris (Absent Member)

Re: IDM 4.0.1 User App - weak ephemeral Diffie-Hellman public key


geoff,

Thanks again for your words of wisdom.

Here is a copy of the connector definition that worked.

<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8543" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="/opt/novell/idm/jre/bin/mycert.keystore"
keystorePass="mypassword"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />

Allen


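The thread above turns on three things: the browser rejects finite-field DHE suites when the JVM offers a small DH group (hence the move to ECDHE-only lists), the first attempt failed on a non-numeric port value and a cipher list broken across mail-wrapped lines, and the final working list still carries RC4 suites that a defender would want gone. The following is an added example, written for this page and not code from the thread, NetIQ or JBoss: a small Python checker that pulls the attributes out of a pasted Connector element (regex based, so it also copes with the half-broken XML that ends up in forum posts), reports the mistakes just named, and returns a pruned cipher list ready to paste back. The sample Connector texts, the weak-suite policy and the canonical protocol-name set are assumptions constructed for the example; adjust the policy to your own baseline.

```python
import re

# Constructed sample 1: the shape of the first attempt in the thread
# (double port value, mis-cased protocol names, a cipher name wrapped
# across a line break). Keystore path and password are placeholders.
BROKEN = '''<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443/8543" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="/opt/novell/idm/jre/bin/example.keystore"
keystorePass="example" sslProtocols="TLSv1,TLSV1.1,TLSV1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS
_ECDHE_RSA_WITH_AES_128_CBC_SHA"/>'''

# Constructed sample 2: the shape of the connector that finally worked,
# including the two RC4 suites it still enables.
WORKING = '''<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8543" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="/opt/novell/idm/jre/bin/example.keystore"
keystorePass="example"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />'''

# Policy assumed for this example: suite-name fragments that should not
# stay enabled on an Internet-facing password portal.
WEAK_FRAGMENTS = ("_RC4_", "_NULL_", "_EXPORT", "_DES_", "_anon_", "_MD5")

# Protocol names as JSSE spells them (the names are case-sensitive).
CANONICAL_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_connector(text):
    """Return the Connector's attributes as a dict.

    Regex based on purpose: an unterminated attribute (missing closing
    quote) simply fails to match instead of aborting the whole parse.
    """
    return dict(ATTR_RE.findall(text))


def check_connector(text):
    """Return a list of human-readable findings; an empty list is clean."""
    attrs = parse_connector(text)
    findings = []

    port = attrs.get("port", "")
    if not port.isdigit():
        findings.append("port must be a single integer, got %r" % port)

    # Either attribute name may appear in pasted configs; check whichever is set.
    protocols = attrs.get("sslEnabledProtocols") or attrs.get("sslProtocols") or ""
    for proto in (p.strip() for p in protocols.split(",") if p.strip()):
        if proto.upper().startswith("SSL"):
            findings.append("protocol %s is obsolete; enable TLS versions only" % proto)
        elif proto not in CANONICAL_PROTOCOLS:
            findings.append("protocol %r is not a canonical JSSE name (e.g. TLSv1.2)" % proto)

    ciphers = attrs.get("ciphers")
    if ciphers is None:
        findings.append("ciphers attribute missing or its closing quote is missing")
        return findings
    for raw in ciphers.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if re.search(r"\s", entry):
            findings.append("cipher entry contains whitespace (line-wrapped paste?): %r" % entry)
        name = re.sub(r"\s+", "", entry)
        if any(frag in name for frag in WEAK_FRAGMENTS):
            findings.append("weak cipher suite enabled: %s" % name)
        if "_DHE_" in name:
            # Finite-field DHE with the JVM's default DH group size is what
            # makes Chrome and Firefox raise the weak-DH error; ECDHE does not.
            findings.append("%s uses finite-field DHE; prefer ECDHE suites" % name)
    return findings


def prune_ciphers(text):
    """Return the cipher list with wrapping repaired and weak/DHE suites removed."""
    kept = []
    for raw in parse_connector(text).get("ciphers", "").split(","):
        name = re.sub(r"\s+", "", raw)
        if not name or "_DHE_" in name or any(f in name for f in WEAK_FRAGMENTS):
            continue
        kept.append(name)
    return kept


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("working", WORKING)):
        print("== %s ==" % label)
        for finding in check_connector(sample) or ["no findings"]:
            print(" -", finding)
    print('ciphers="%s"' % ",".join(prune_ciphers(WORKING)))
```

Run it as a script and it prints the findings for both samples and a cleaned `ciphers="..."` value; paste the latter into the live Connector and restart JBoss the way the thread describes. The pruned list is only as good as the policy table, so review it against your own baseline before deploying.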