Best Practices for implementing Security using Micro Focus CORBA Products

Security Recommendations

Micro Focus recommends avoiding the use of all known SSL security protocols that have been compromised. Micro Focus recommends the use of only the latest TLS security protocols if at all possible.

For all product installations Micro Focus recommends the use of the latest product patches. These contain the latest collection of security related updates.

To avoid the high-profile POODLE and DROWN attacks, customers must disable SSLv2 and SSLv3. This is good practice anyway.

Artix

Artix C++ 5.6.x:

The HTTPS transport will accept the SSLv2 and SSLv3 protocols and is therefore vulnerable in its default configuration.

The policies:https:mechanism_policy:protocol_version configuration variable must be changed to disable the SSLv2 protocol.

We recommend that the following variables are added to the configuration and set as follows:

policies:iiop_tls:mechanism_policy:protocol_version = ["TLS_V1_2"];

policies:https:mechanism_policy:protocol_version = ["TLS_V1_2"];

Artix Java 5.6.x:

Not vulnerable, SSLv2 and SSLv3 disabled by default.

Orbix

Orbix 3.3.x:

Not vulnerable, SSLv2 and SSLv3 disabled by default.

Orbix Mainframe 6.3:

Not vulnerable, SSLv2 and SSLv3 disabled by default.

Orbix 6.3:

Action is required.

While the default IIOP TLS configuration is not vulnerable to DROWN, the HTTPS transport will accept the SSLv2 and SSLv3 protocols and is therefore vulnerable in its default configuration.

In particular, the security service might be vulnerable to DROWN, depending on the Java runtime in use, as it will accept both IIOP TLS and HTTPS connections. The Orbix/WS component might be vulnerable, when it is configured to use the HTTPS transport.

The policies:https:mechanism_policy:protocol_version configuration variable must be changed to disable the SSLv2 and SSLv3 protocols.

We recommend that the following variables are added to the configuration and set as follows:

policies:iiop_tls:mechanism_policy:protocol_version = ["TLS_V1_2"];

policies:https:mechanism_policy:protocol_version = ["TLS_V1_2"];

Orbacus

Orbacus is a source-available product. SSL/TLS security is enabled within Orbacus when customers themselves build and deploy the FreeSSL component. The FreeSSL component is a wrapper around OpenSSL in C++ and will therefore be susceptible to all OpenSSL vulnerabilities for the version that is being used.

Customers need to supply their own FreeSSL SSL/TLS toolkit. Customers should review the SSL/TLS security toolkit that they have deployed with their applications when using Orbacus.

VisiBroker

In order to disable SSLv2 and SSLv3, VisiBroker for C++ 8.5 SP1, SP2 and SP3 can be configured as follows:

The vbroker.security.client.socket.enabledProtocols and vbroker.security.server.socket.enabledProtocols properties may be used to control the protocol levels available for the handshake negotiation at either end of the connection.  In order to preclude the possibility of SSLv3 (or lower) being negotiated, use one of these values:

  • TLS_Version_1_0_With_2_0_Hello
  • TLS_Version_1_0_Only

Please note that the default value for both vbroker.security.client.socket.enabledProtocols and vbroker.security.server.socket.enabledProtocols is "SSL_Version_Undetermined".  This is not safe even if both client and server support TLS, for example if they are both VisiBroker 8.5, and neither end is configured to disable TLS. To be fully protected both SSLv2 and SSLv3 must be actively switched off.

With VisiBroker for C++ 8.5 SP2 plus HF1 or later, and SP3, the list of options for the OpenSSL security provider has been extended as follows.

The same vbroker.security.client.socket.enabledProtocols and vbroker.security.server.socket.enabledProtocols properties control the protocol levels available for the handshake negotiation at either end of the connection. In order to preclude the possibility of SSLv3 (or lower) being negotiated, use one of these values:

  • TLS_Version_1_0_With_2_0_Hello
  • TLS_Version_1_0_Only
  • TLS_Version_1_1_With_2_0_Hello
  • TLS_Version_1_1_Only
  • TLS_Version_1_2_With_2_0_Hello
  • TLS_Version_1_2_Only


For the VisiBroker 8.5 SP2 Certicom provider the recommended property values for disabling SSLv3 are as per VisiBroker 8.5 SP1.

For more information regarding these specific property values, please refer to the VisiBroker Security Guide appropriate to your version.
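The following audit script is an added example, not Micro Focus code: it reads an Orbix/Artix configuration fragment and a VisiBroker properties file and flags the settings this page says leave SSLv2/SSLv3 negotiable. The configuration variable names, property names and protocol values are the ones quoted above; the function names and sample inputs are constructed for the example.

```python
import re

# Keys and values are the ones quoted in the advisory above; everything else is constructed.
ORBIX_KEYS = ("policies:iiop_tls:mechanism_policy:protocol_version",
              "policies:https:mechanism_policy:protocol_version")
ORBIX_RECOMMENDED = ["TLS_V1_2"]
VISI_KEYS = ("vbroker.security.client.socket.enabledProtocols",
             "vbroker.security.server.socket.enabledProtocols")
# VisiBroker values the advisory lists as precluding SSLv3 or lower.
VISI_SAFE = {"TLS_Version_1_0_With_2_0_Hello", "TLS_Version_1_0_Only",
             "TLS_Version_1_1_With_2_0_Hello", "TLS_Version_1_1_Only",
             "TLS_Version_1_2_With_2_0_Hello", "TLS_Version_1_2_Only"}
VISI_DEFAULT = "SSL_Version_Undetermined"  # value assumed when the property is absent

def audit_orbix(cfg):
    """Check an Orbix/Artix config fragment; return a list of findings (empty = OK)."""
    pat = re.compile(r'^\s*([\w:]+)\s*=\s*\[([^\]]*)\]\s*;', re.M)
    seen = {m.group(1): [v.strip().strip('"') for v in m.group(2).split(",") if v.strip()]
            for m in pat.finditer(cfg)}
    out = []
    for key in ORBIX_KEYS:
        if key not in seen:
            out.append(f"{key}: not set; default may accept SSLv2/SSLv3")
        elif seen[key] != ORBIX_RECOMMENDED:
            out.append(f"{key}: {seen[key]} differs from recommended {ORBIX_RECOMMENDED}")
    return out

def audit_visibroker(props):
    """Check VisiBroker properties; return a list of findings (empty = OK)."""
    seen = {}
    for line in props.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, val = line.partition("=")
        seen[key.strip()] = val.strip()
    out = []
    for key in VISI_KEYS:
        val = seen.get(key, VISI_DEFAULT)  # absent property falls back to the unsafe default
        if val not in VISI_SAFE:
            out.append(f"{key}={val}: may negotiate SSLv3 or lower")
    return out

# Constructed samples: an Orbix domain with only IIOP TLS pinned, and a VisiBroker
# client that pins its own side but leaves the server property at the default.
ORBIX_SAMPLE = 'policies:iiop_tls:mechanism_policy:protocol_version = ["TLS_V1_2"];\n'
VISI_SAMPLE = "vbroker.security.client.socket.enabledProtocols=TLS_Version_1_2_Only\n"

if __name__ == "__main__":
    for f in audit_orbix(ORBIX_SAMPLE) + audit_visibroker(VISI_SAMPLE):
        print("FINDING:", f)
```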

Last update: 2016-03-09 17:06