Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-79-1946120.1
Update Date:2017-10-17
Keywords:

Solution Type  Predictive Self-Healing Sure

Solution  1946120.1 :   CVE-2014-3566 Fix Availability Document for Oracle Communications Diameter Signaling Router (DSR) - 10899  


Related Items
  • BNS Platform Hardware
  • Oracle Communications Diameter Signaling Router (DSR)
  • Oracle Communications Diameter Intelligence Hub

Related Categories
  • PLA-Support>Sun Systems>CommsGBU>Global Signaling Solutions>SN-SND: Tekelec DSR


In this Document
Purpose
Scope
Details
  NSP onebox, NSP apache
  NSP Primary, NSP secondary
  NSP onebox, NSP oracle and DWS
  NSP
  IXP
  PMF


Applies to:

Oracle Communications Diameter Intelligence Hub
BNS Platform Hardware
Oracle Communications Diameter Signaling Router (DSR)
Tekelec

Purpose

 This document provides details on the configuration changes necessary to mitigate the security vulnerability referenced by CVE-2014-3566.

Scope

 Oracle Communications Diameter Signaling Router (DSR) Version 3.0 to 6.0.1.  This does not apply to DSR 6.0.2 as this vulnerability has been addressed already in that release.

Details

DSR Application Servers

Instead of the actions below, the DSR can be upgraded to release 6.0.2 to mitigate the vulnerability. A standard Diameter Signaling Router (DSR) deployment may include a combination of physical application servers, virtualized application servers, Tekelec Virtual Operating Environment (TVOE) host servers, and Platform Management & Configuration (PM&C) servers. DSR application servers may include a combination of NOAM, SOAM, MP, IPFE and SDS servers. Additionally, DSR 6.0 deployments will have an iDIH server.

 

The following table lists the server types and which procedure(s) are applicable:

  Server Type                          | SSL Server     | Procedure
  -------------------------------------|----------------|------------------------------
  DSR-NOAM, DSR-SOAM, SDS-NO, SDS-SO   | Apache (httpd) | Procedure A1 and Procedure A2
  PM&C (*if included in deployment)    | Apache (httpd) | Procedure A1

Notes:

  1. Procedure A1 should be performed on ALL servers (Active / Standby / Spare) as the specific configuration files will not be automatically replicated.
  2. On the NOAM and SOAM, the steps to modify the certificate configuration file will have to be performed on each individual certificate configuration file as well as the main ssl.conf file. These changes will also need to be performed on the individual certificate configuration files after existing certificates are updated or new ones are added. These files have the naming format aw.ssl.hostname.conf, with hostname being the name of the server the certificate is for. If certificates have not been added, then these files will not exist and Procedure A2 may be skipped.
  3. In order to be able to perform these steps on the PM&C, custom Certificates must not have ever been added using the Administration->Access Control->Certificate Management feature on the PM&C.
  4. After performing these steps on the PM&C, custom certificates can also not be added using the Administration->Access Control->Certificate Management feature on the PM&C.
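Because Procedure A1 must be repeated on every Active, Standby and Spare server, and Procedure A2 on every aw.ssl.<hostname>.conf file, it helps to be able to audit which files still leave SSLv3 enabled before and after the edits. The script below is an added example and not an Oracle or Tekelec tool: it evaluates each active SSLProtocol directive with Apache's +/-/all keyword semantics (a bare name or "all" replaces the set, "+X" adds, "-X" removes) and reports the protocols left enabled by the last directive in the file, which is the one mod_ssl honours within a single server context. The two sample excerpts are constructed from the before/after lines shown in Procedure A1; the expansion of "all" to SSLv2/SSLv3/TLSv1 assumes the httpd 2.2 / OpenSSL 1.0.x combination of this platform, and the glob pattern in audit_files() is an assumption about where the certificate configuration files live.

```python
"""Audit Apache SSLProtocol directives for SSLv3 exposure (CVE-2014-3566).

Added example, not an Oracle or Tekelec tool. It evaluates each active
SSLProtocol directive with Apache's +/-/all keyword semantics and reports the
protocol set left enabled by the last directive in the text, which is the one
that wins within a single server context. The sample configs are constructed
excerpts modelled on the before/after lines in Procedure A1.
"""
import glob
import re

# Assumption: httpd 2.2 on OpenSSL 1.0.x, where "all" expands to these three.
# Builds that add TLSv1.1/TLSv1.2 should extend the tuple.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")


def effective_protocols(args: str) -> set:
    """Protocol set selected by one SSLProtocol argument list.

    Tokens are applied left to right: '+X' adds, '-X' removes, and a bare
    name (or 'all') replaces the set, exactly as mod_ssl parses them.
    """
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):]
        members = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= members
        elif sign == "+":
            enabled |= members
        else:
            enabled = members
    return enabled


def audit_ssl_conf(text: str):
    """Return (effective protocol set or None, list of findings) for one file."""
    directives = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # comment lines never apply
            continue
        m = re.match(r"SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if m:
            directives.append((lineno, effective_protocols(m.group(1))))
    if not directives:
        return None, ["no active SSLProtocol directive; mod_ssl default applies"]
    lineno, enabled = directives[-1]          # last directive in the context wins
    findings = [f"line {lineno}: {p} still enabled"
                for p in ("SSLv2", "SSLv3") if p in enabled]
    return enabled, findings


def audit_files(pattern="/etc/httpd/conf.d/*ssl*.conf"):
    """Audit ssl.conf and every aw.ssl.<hostname>.conf matched by the glob (assumed path)."""
    return {path: audit_ssl_conf(open(path).read()) for path in sorted(glob.glob(pattern))}


# Constructed excerpt: the state Procedure A1 starts from.
BEFORE = """\
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!aNULL
SSLProtocol -ALL +SSLv3 +TLSv1
"""

# Constructed excerpt: the state Procedure A1 leaves behind.
AFTER = """\
#SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!aNULL
SSLProtocol -ALL +TLSv1
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        enabled, findings = audit_ssl_conf(text)
        print(label, sorted(enabled), findings or "OK")
```

Note that the first line in the "before" excerpt, "SSLProtocol all -SSLv2", already permits SSLv3 on its own, which is why the procedure comments it out rather than leaving it to be overridden; the auditor reports on the last active directive, so a file that keeps that line but deletes the second one is still flagged.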

 

Procedure A1

1. Log in as root on the server console:

   login: root
   Password: <current root password>

2. Check out configuration file /etc/httpd/conf.d/ssl.conf from revision control:

   # rcstool co /etc/httpd/conf.d/ssl.conf

3. Edit configuration file /etc/httpd/conf.d/ssl.conf using a text editor:

   # vi /etc/httpd/conf.d/ssl.conf

   Find and comment out the following line:

   SSLProtocol all -SSLv2

   To this:

   #SSLProtocol all -SSLv2

   Then find and edit the line that looks like:

   SSLProtocol -ALL +SSLv3 +TLSv1

   To this:

   SSLProtocol -ALL +TLSv1

   Save and exit the vi session.

4. Restart the httpd service:

   # service httpd restart

5. Check that the server DOES NOT support SSLv3:

   Note: The connection will fail if SSLv3 is disabled.

   # openssl s_client -connect <IP Address>:443 -ssl3

   If the connection succeeds, the output in the command window will be something like:

   …
   New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
   Server public key is 1024 bit
   Secure Renegotiation IS supported
   Compression: NONE
   Expansion: NONE
   SSL-Session:
       Protocol  : SSLv3
       Cipher    : DHE-RSA-AES256-SHA
       Session-ID: 11F0EC8DF848007A8B8F51351734EF4DFEE6934F685FF10206A3CA9737FBE8F4
       …

   If the connection fails, you should see in the command window something like:

   26914:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1092:SSL alert number 40
   26914:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:

6. Check the file into rcs to preserve changes during upgrades:

   # rcstool ci /etc/httpd/conf.d/ssl.conf
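The verification in step 5 is a manual read of openssl s_client output, which becomes error-prone when it has to be repeated for every NOAM, SOAM, SDS and PM&C server. The following added example (not part of the Oracle document) turns that check into a function: it classifies one captured probe as "accepted" (the server completed an SSLv3 handshake), "rejected" (handshake failure alert, as in the page's failing sample) or "inconclusive". The two sample captures are the page's own success and failure excerpts, embedded as constants; probe_host() and its argument handling are this example's assumptions. Two practical points it handles: a failed handshake still prints an SSL-Session block that says "Protocol : SSLv3" with "Cipher : 0000", so the protocol line alone cannot be trusted, and a client OpenSSL built without SSLv3 support reports "unknown option -ssl3" rather than attempting a handshake, which must not be read as "SSLv3 disabled on the server".

```python
"""Classify the output of the SSLv3 probe used in the verification step.

Added example, not part of the Oracle document. The two sample captures below
are the page's own "connection succeeds" and "connection fails" excerpts; the
probe_host() wrapper and its argument handling are this example's assumptions.
"""
import re
import subprocess

# Page sample: server still accepts SSLv3 (procedure not yet applied).
SAMPLE_ACCEPTED = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 11F0EC8DF848007A8B8F51351734EF4DFEE6934F685FF10206A3CA9737FBE8F4
"""

# Page sample: server refuses SSLv3 (fix in place).
SAMPLE_REJECTED = """\
26914:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1092:SSL alert number 40
26914:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:
"""

HANDSHAKE_FAILURE = re.compile(
    r"handshake failure|alert number 40|wrong version number|unsupported protocol",
    re.IGNORECASE,
)


def classify_sslv3_probe(output: str) -> str:
    """Return 'accepted', 'rejected' or 'inconclusive' for one s_client capture.

    Order matters: a failed handshake still prints an SSL-Session block with
    'Protocol : SSLv3' and 'Cipher : 0000', so errors are checked first and a
    real cipher must have been negotiated before the probe counts as accepted.
    """
    if "unknown option" in output:
        # Client OpenSSL built without SSLv3; no handshake was attempted.
        return "inconclusive"
    if HANDSHAKE_FAILURE.search(output):
        return "rejected"
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.MULTILINE)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.MULTILINE)
    if (proto and cipher and proto.group(1) == "SSLv3"
            and cipher.group(1) not in ("0000", "(NONE)")):
        return "accepted"
    return "inconclusive"


def probe_host(host: str, port: int = 443, timeout: float = 15.0) -> str:
    """Run the page's probe against one server and classify its combined output.

    Assumes an openssl binary on PATH that still accepts -ssl3; stdin is closed
    immediately so s_client exits once the handshake result is known.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-ssl3"]
    try:
        result = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return "inconclusive"
    combined = result.stdout.decode(errors="replace") + result.stderr.decode(errors="replace")
    return classify_sslv3_probe(combined)


if __name__ == "__main__":
    for name, sample in (("accepted", SAMPLE_ACCEPTED), ("rejected", SAMPLE_REJECTED)):
        print(f"{name:8s} -> {classify_sslv3_probe(sample)}")
```

Only "rejected" counts as a pass for step 5; an "inconclusive" result means the probe itself could not be trusted and the server should be re-checked from a host whose openssl still supports the -ssl3 option.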

 

 

Procedure A2

1. Log in as root on the server console:

   login: root
   Password: <current root password>

2. Edit configuration file /etc/httpd/conf.d/aw.ssl.<hostname>.conf using a text editor:

   Note: The hostname in the file name will vary based on the host the certificate is for.

   # vi /etc/httpd/conf.d/aw.ssl.<hostname>.conf

   Find and comment out the following line:

   SSLProtocol all -SSLv2

   To this:

   #SSLProtocol all -SSLv2

   Then find and edit the line that looks like:

   SSLProtocol -ALL +SSLv3 +TLSv1

   To this:

   SSLProtocol -ALL +TLSv1

   Save and exit the vi session.

3. Check that the server DOES NOT support SSLv3:

   Note: The connection will fail if SSLv3 is disabled.

   # openssl s_client -connect <IP Address>:443 -ssl3

   If the connection succeeds, the output in the command window will be something like:

   …
   New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
   Server public key is 1024 bit
   Secure Renegotiation IS supported
   Compression: NONE
   Expansion: NONE
   SSL-Session:
       Protocol  : SSLv3
       Cipher    : DHE-RSA-AES256-SHA
       Session-ID: 11F0EC8DF848007A8B8F51351734EF4DFEE6934F685FF10206A3CA9737FBE8F4
       …

   If the connection fails, you should see in the command window something like:

   26914:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1092:SSL alert number 40
   26914:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:

4. Perform step 2 for all existing certificates by modifying all the /etc/httpd/conf.d/aw.ssl.<hostname>.conf files.

5. Restart the httpd service:

   # service httpd restart

 

 

 

DIH

Your DSR configuration may also deploy with the Diameter Intelligence Hub (DIH). The DIH may include the application servers: NSP, IXP, PMF, Oracle.

 

The following table lists the server types and which procedure(s) are applicable:

  Server Type                                                                 | Legacy Name                    | SSL Server                           | Procedure
  ----------------------------------------------------------------------------|--------------------------------|--------------------------------------|-----------------------------------------------
  Management server (oracle server in case of 4 box cluster)                  | NSP onebox, NSP apache         | Apache (httpd)                       | Procedure D1
  Management server (primary and secondary servers in case of 4 box cluster)  | NSP Primary, NSP secondary     | Weblogic                             | Procedure D2
  Storage server and Management server                                        | NSP onebox, NSP oracle and DWS | Oracle Enterprise Management Console | Refer to Oracle database 10g or 11g accordingly
  Management server                                                           | NSP                            | JMX Agent (mx4j)                     | Procedure D3
  Storage server and Management server                                        | IXP                            | JMX Agent (mx4j)                     | Procedure D4
  Storage server and Management server                                        | PMF                            | JMX Agent (mx4j)                     | Procedure D5

 

 

 

Procedure D1

1. Log in as root on the server console:

   login: root
   Password: <current root password>

2. Check out configuration file /etc/httpd/conf.d/ssl.conf from revision control:

   # rcstool co /etc/httpd/conf.d/ssl.conf

3. Edit configuration file /etc/httpd/conf.d/ssl.conf using a text editor:

   # vi /etc/httpd/conf.d/ssl.conf

   Find and edit the following line:

   SSLProtocol -ALL +SSLv3 +TLSv1

   To this:

   SSLProtocol -ALL +TLSv1

   Save and exit the vi session.

4. Restart the httpd service:

   # service httpd restart

5. Check the file into rcs to preserve changes during upgrades:

   # rcstool ci /etc/httpd/conf.d/ssl.conf

 

 

 

Procedure D2

1. Log in as root on the server console:

   login: root
   Password: <current root password>

2. Edit the setDomainEnv.sh configuration file:

   # vi /usr/TKLC/nsp/nsp-package/framework/server/dist/server/setDomainEnv.sh

   Find and edit the following line:

   -Dweblogic.security.SSL.protocolVersion=SSL3

   To this:

   -Dweblogic.security.SSL.protocolVersion=TLSv1

   Save and exit the vi session.

3. Restart the nspservice service.

   NOTE: This step will forcefully close user sessions on the Management server; warn end users of this service disruption and choose an appropriate time for servicing.

   # service nspservice restart

   This step will take a few minutes to complete. Check that the output is similar to the expected result below; if it is, exit, otherwise return to step 2.

   Stopping NSP cluster
   Stopping NodeManager
   Starting Node Manager:
   Starting NSP Administrator:
   .......Starting NSP Cluster:
   ........................................................

   # exit

 

 

Procedure D3

1. Log in as root on the server console:

   login: root
   Password: <current root password>

2. Edit the agent.properties configuration file:

   # vi /opt/TKLCjmxagent/in/agent.properties

   Find and edit the following line:

   SslProtocol=SSLv3

   To this:

   SslProtocol=TLSv1

   Save and exit the vi session.

3. Restart the JMX Agent.

   Note: This step affects alarm forwarding and server reconfiguration. Plan to do this at an appropriate time when no system configuration is pending.

   # service jmxd restart

   This step will need a few minutes to complete. Check that the output contains no error message (other than starting/stopping processes). If an error appears, return to step 2.

 

 

Procedure D4

1. Log in as root on the server console:

   login: root
   Password: <current root password>

2. Edit the agent.properties configuration file:

   # vi /opt/TKLCjmxagent/in/agent.properties

   Find and edit the following line:

   SslProtocol=SSLv3

   To this:

   SslProtocol=TLSv1

   Save and exit the vi session.

3. Restart the JMX Agent.

   Note: This step affects alarm forwarding and server reconfiguration. Plan to do this at an appropriate time when no system configuration is pending.

   # su - cfguser
   # pm.kill JmxAgent

   This step will need a few minutes to complete. Check that the output contains no error message (other than starting/stopping processes). If an error appears, return to step 2.

 

 

Procedure D5

1. Log in as root on the server console:

   login: root
   Password: <current root password>

2. Edit the agent.properties configuration file:

   # vi /opt/TKLCjmxagent/in/agent.properties

   Find and edit the following line:

   SslProtocol=SSLv3

   To this:

   SslProtocol=TLSv1

   Save and exit the vi session.

3. Restart the JMX Agent.

   Note: This step affects alarm forwarding and server reconfiguration. Plan to do this at an appropriate time when no system configuration is pending.

   # su - cfguser
   # pm.kill jmxAgent

   This step will need a few minutes to complete. Check that the output contains no error message (other than starting/stopping processes). If an error appears, return to step 2.

 

 

 


Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.