Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-79-2010932.1
Update Date: 2018-04-06
Keywords:

Solution Type  Predictive Self-Healing Sure

Solution  2010932.1 :   CVE-2014-3566 - Fix Availability Document for Oracle Communications User Data Repository  


Related Items
  • Oracle Communications User Data Repository
Related Categories
  • PLA-Support>Sun Systems>CommsGBU>Broadband Network Solutions>SN-SND: Tekelec SDM




In this Document
Purpose
Scope
Details


Applies to:

Oracle Communications User Data Repository
Tekelec

Purpose

This document provides details on the configuration changes necessary to mitigate the security vulnerability referenced by CVE-2014-3566.

Scope

Oracle Communications User Data Repository (OCUDR) Version 10.0

Details

A standard Oracle Communications User Data Repository (OCUDR) deployment may include a combination of physical application servers, virtualized application servers, Tekelec Virtual Operating Environment (TVOE) host servers, and Platform Management & Configuration (PM&C) servers. OCUDR application servers may include a combination of NOAM, SOAM and MP servers...

 

The following table lists the server types and which procedure(s) are applicable:

   Server Type                         SSL Server       Procedure
   ----------------------------------  ---------------  ---------------------------
   NOAM, SOAM                          Apache (httpd)   Procedure 1 and Procedure 2
   PM&C (if included in deployment)    Apache (httpd)   Procedure 1

Notes:

  1. Procedure 1 must be performed on ALL servers (Active / Standby / Spare), because the configuration files involved are not replicated automatically.
  2. On the NOAM and SOAM, the protocol change has to be made both in the main ssl.conf file (Procedure 1) and in each individual certificate configuration file (Procedure 2). The per-certificate files are named aw.ssl.<hostname>.conf, where <hostname> is the name of the server the certificate is for. These changes must also be repeated on the individual certificate configuration files after existing certificates are updated or new ones are added. If no certificates have been added, these files do not exist and Procedure 2 may be skipped.
  3. The steps can only be performed on the PM&C if custom certificates have never been added using the Administration->Access Control->Certificate Management feature on the PM&C.
  4. After these steps have been performed on the PM&C, custom certificates can no longer be added using the Administration->Access Control->Certificate Management feature on the PM&C.
  5. The resulting directive "SSLProtocol -ALL +TLSv1" leaves only TLS 1.0 enabled. Whether TLS 1.1 and TLS 1.2 can additionally be enabled on a given server depends on the httpd and OpenSSL versions installed there and is outside the scope of this document.

 

Procedure 1

1. Log in as root on the server console:

   login: root
   Password: <current root password>

2. Check out configuration file /etc/httpd/conf.d/ssl.conf from revision control:

   # rcstool co /etc/httpd/conf.d/ssl.conf

3. Edit configuration file /etc/httpd/conf.d/ssl.conf using a text editor:

   # vi /etc/httpd/conf.d/ssl.conf

   Find and comment out the following line:

   SSLProtocol all -SSLv2

   so that it reads:

   #SSLProtocol all -SSLv2

   Then find the line that looks like:

   SSLProtocol -ALL +SSLv3 +TLSv1

   and change it to:

   SSLProtocol -ALL +TLSv1

   Save and exit the vi session.

   Verify that the changes were placed correctly:

   # grep SSLProtocol /etc/httpd/conf.d/ssl.conf

   You should get output that looks like:

   #SSLProtocol all -SSLv2
   SSLProtocol -ALL +TLSv1

4. Restart the httpd service so that the new configuration takes effect:

   # service httpd restart

5. Check that the server DOES NOT support SSLv3. The connection will fail if SSLv3 is disabled. (The openssl client used for this check must itself still support the -ssl3 option.)

   # openssl s_client -connect <IP Address>:443 -ssl3

   If the connection succeeds (SSLv3 is still enabled), the output in the command window will be something like:

   …
   New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
   Server public key is 1024 bit
   Secure Renegotiation IS supported
   Compression: NONE
   Expansion: NONE
   SSL-Session:
       Protocol  : SSLv3
       Cipher    : DHE-RSA-AES256-SHA
       Session-ID: 11F0EC8DF848007A8B8F51351734EF4DFEE6934F685FF10206A3CA9737FBE8F4
       …
       …

   If the connection fails (SSLv3 is disabled), you should see in the command window something like:

   26914:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1092:SSL alert number 40
   26914:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:

6. Check the file back into revision control to preserve the changes during upgrades:

   # rcstool ci /etc/httpd/conf.d/ssl.conf

 

 


Procedure 2

1. Log in as root on the server console:

   login: root
   Password: <current root password>

2. Edit the certificate configuration file /etc/httpd/conf.d/aw.ssl.<hostname>.conf using a text editor.
   Note: The hostname in the file name varies with the host the certificate is for.

   # vi /etc/httpd/conf.d/aw.ssl.<hostname>.conf

   Find and comment out the following line:

   SSLProtocol all -SSLv2

   so that it reads:

   #SSLProtocol all -SSLv2

   Then find the line that looks like:

   SSLProtocol -ALL +SSLv3 +TLSv1

   and change it to:

   SSLProtocol -ALL +TLSv1

   Save and exit the vi session.

   Verify that the changes were placed correctly in the file you just edited (not in ssl.conf, which Procedure 1 covers):

   # grep SSLProtocol /etc/httpd/conf.d/aw.ssl.<hostname>.conf

   You should get output that looks like:

   #SSLProtocol all -SSLv2
   SSLProtocol -ALL +TLSv1

3. Repeat step 2 for every existing certificate, i.e. for all /etc/httpd/conf.d/aw.ssl.<hostname>.conf files.

4. Restart the httpd service so that the new configuration takes effect:

   # service httpd restart

5. Check that the server DOES NOT support SSLv3. The connection will fail if SSLv3 is disabled. (This check only reflects the edited files after the restart in step 4; the openssl client used must itself still support the -ssl3 option.)

   # openssl s_client -connect <IP Address>:443 -ssl3

   If the connection succeeds (SSLv3 is still enabled), the output in the command window will be something like:

   …
   New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
   Server public key is 1024 bit
   Secure Renegotiation IS supported
   Compression: NONE
   Expansion: NONE
   SSL-Session:
       Protocol  : SSLv3
       Cipher    : DHE-RSA-AES256-SHA
       Session-ID: 11F0EC8DF848007A8B8F51351734EF4DFEE6934F685FF10206A3CA9737FBE8F4
       …
       …

   If the connection fails (SSLv3 is disabled), you should see in the command window something like:

   26914:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1092:SSL alert number 40
   26914:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:

 

 


Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.