IBM Support

Updated instructions about disabling the SSLv3 protocol in deployed instances (POODLE attack)

Troubleshooting


Problem

The IBM Cloud Orchestrator V2.4.0.2 User's Guide describes how to disable the SSLv3 protocol due to a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. However, some information is missing from that topic in the User's Guide.

Resolving The Problem

Replace the current content of the User's Guide topic with the following text.

Disabling the SSLv3 protocol in deployed instances

After upgrading to IBM Cloud Orchestrator V2.4.0.2, you must disable the SSLv3 protocol, due to a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. In a new installation of IBM Cloud Orchestrator V2.4.0.2 (that is, not an upgrade), the SSLv3 protocol is disabled by default.

Before you begin


  1. Upgrade to IBM Cloud Orchestrator V2.4.0.2, as described in Upgrading.

  2. Upgrade the shared service caching service (if instances exist) to caching service V2.1.0.4. For instructions about how to upgrade shared services, see Updating shared service instances in the IBM PureApplication System product documentation.

    Note: Caching service V2.1.0.0 and earlier instances cannot be upgraded to caching service V2.1.0.4. For these instances, you must delete any existing caching service prior to upgrading the foundation pattern types. After the foundation pattern types upgrade, deploy the new caching service instances of service V2.1.0.4 as described in this topic.

  3. Download the 2.4.0-CSI-ICO-FP0002-WORKLOAD-DEPLOYER-efixes.tgz compressed file from IBM Fix Central, and extract the contents to a temporary directory.

    The 2.4.0-CSI-ICO-FP0002-WORKLOAD-DEPLOYER-efixes.tgz file contains the required emergency fixes for the Java runtime environment (JRE) for IBM Cloud Orchestrator V2.4.0.2, and includes the following files:
    • Java_Update_AIX.zip
    • Java_Update_Linux.zip
    • Java_Update_Windows.zip
    • poodle_vsys_ifix.zip
      • monitoring_parms.json
      • update.py
    Note: The IBM Cloud Orchestrator V2.4.0.2 JRE emergency fixes that are mentioned in this topic provide fixes primarily for the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, but also provide fixes for the Factoring RSA Export Keys (FREAK) and Bar Mitzvah attacks.

About this task

This task describes mitigation procedures for deployed instances of virtual application patterns, shared services, and virtual system patterns, and for deployed instances of virtual system patterns (classic). After you upgrade and apply the mitigation steps and the IBM Cloud Orchestrator V2.4.0.2 JRE emergency fix, the Java management processes that run on deployed virtual machines are configured to use the SSL_TLSv2 protocol suite. The SSL_TLSv2 protocol suite enables TLSv1.2, TLSv1.1, TLSv1, and SSLv3, in that precedence order. With the updated JRE, SSLv3 is disabled by the JRE default security policy (the jdk.tls.disabledAlgorithms=SSLv3 property in java.security), so SSL_TLSv2 effectively enables only the TLS protocols: TLSv1.2, TLSv1.1, and TLSv1. During the SSL handshake, the client and server select the highest protocol version that both support; for example, TLSv1.2 is selected if both the client and the server support TLSv1.2. For more information about the default protocol configuration for the JRE, see Alternative mitigation options.

Using IBM OS Images for Red Hat Linux Systems

Download the IBM OS Image for Red Hat Linux Systems: 2.1.1.0 (RHEL 6.6) image from the IBM Passport Advantage Online website. This image contains the required runtime upgrade of IBM SDK, Java Technology Edition, V6 SR16 FP3 or later.



Note: SSLv3 is disabled by the JRE default policy in the new base operating system images, unless you remove the jdk.tls.disabledAlgorithms=SSLv3 property from the JRE java.security file.

Using custom images

Custom images include the following types of image:

  • cloud-init (cloudbase-init) activated images
    For instances that are running on cloud-init (cloudbase-init) activated images, to disable SSLv3 you must complete the steps listed in Updating virtual application instances, shared service instances, and virtual system instances. You do not need to rebuild the image, because the JRE is not required for cloud-init (cloudbase-init) activated images in order to use them for virtual system instances.

  • IBM SmartCloud Orchestrator V2.3 or V2.3.0.1 images
    For instances that are running on IBM SmartCloud Orchestrator V2.3 or V2.3.0.1 images, to disable SSLv3 you must complete the steps listed in Updating virtual system instances (classic). To remove the vulnerability for new instances that are created from IBM SmartCloud Orchestrator V2.3 or V2.3.0.1 images, you must update the JRE that is embedded within such images.

Prerequisites for creating new instances

For new pattern deployments that use new base operating system images, complete the following steps:

  • For new virtual application pattern deployments, new shared service deployments, and new virtual system pattern deployments, use the following procedure to change the default deployment settings to add the new operating system images:
    1. Click Cloud > Default Deploy Settings.
    2. In the Action menu, click Delete to delete the old base operating system image.
    3. Click Add to add the new version of the base operating system image.
  • For new virtual system pattern (classic) deployments, use the new patterns that are built on the new operating system images.

Updating virtual application instances, shared service instances, and virtual system instances

To disable the SSLv3 protocol in virtual application instances, shared service instances, and virtual system instances, complete the following steps.


  1. Upgrade the pattern type to the following version:
    Foundation-ptype Version 2.1.0.4
    Ensure that the pattern type is imported and enabled.

  2. For each virtual application instance and virtual system instance that is running on Intel operating systems (ESX hypervisor backend), use the following steps to disable the automatic snapshot before applying the IBM Cloud Orchestrator V2.4.0.2 JRE emergency fix:
    1. Click Patterns > Pattern Instances and select the instance type.
    2. Click the instance. The instance details are displayed.
    3. Scroll to From pattern and expand Snapshots.
    4. Click Disable Automatic Snapshots.

  3. For each virtual application instance and virtual system instance, open the details page for the instance and click Check for updates.

  4. Import the IBM Cloud Orchestrator V2.4.0.2 JRE emergency fix to the catalog. Use one of the following packages, depending on the target operating system:
    • Java_Update_AIX.zip
    • Java_Update_Linux.zip
    • Java_Update_Windows.zip

      For instructions about how to import and apply emergency fixes to instances, see Adding emergency fixes to the catalog in the IBM PureApplication System product documentation.

      When you import the emergency fix, scroll to the Applicable to area. Edit the Plugins list to specify the vsys.base plug-in.

  5. Apply the IBM Cloud Orchestrator V2.4.0.2 JRE emergency fix to each virtual application instance, shared service instance, and virtual system instance.

  6. Restart each instance or individual virtual machine so that the JRE updates take effect.

  7. Verify that SSLv3 is disabled and that the deployed virtual machine supports the TLSv1.2 protocol, by running the following command in the command-line interface:
    deployer.virtualapplications.get("deployment_id").virtualmachines[number].check_compliance()
    Example:
    deployer.virtualapplications.get("d-4e04e98d-8c3d-4bec-bab1-ca033419ffc3").virtualmachines[0].check_compliance()

  8. If a caching service instance is running, deploy a new caching service instance by using the new version of the caching service plug-in, as follows:
    1. Click Manage > Operations > Caching-Master.Caching > Grid Administration > Create grid to go to the new caching service instance.
    2. Create a session grid with a dedicated user name and password and an appropriate grid cap for the web application.
    3. Use a Secure Shell (SSH) connection to connect to the virtual machine where IBM WebSphere® Application Server is running.
    4. Run the following command on one line:
      /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/bin/wsadmin.sh -lang jython
    5. Run the following command on one line to configure the web application session management with the new caching service IP address, user name, password, and grid name. The command uses the HttpSessionSample.war web application as an example; caching_service_instance_ip, user_name, password, and grid_name are Jython variables (or literal strings) that hold the values from step 2. The value is passed as one double-quoted string whose fields are separated by :!: .
      AdminApp.edit('HttpSessionSample.war', '[-SessionManagement
      [[true XC10SessionManagement "' + caching_service_instance_ip
      + ':!:' + user_name + ':!:' + password + ':!:' + grid_name + '"]]]')
    6. Locate the web application splicer.properties file, and set reuseSessionId=true.
    7. Restart WebSphere Application Server so that the new configuration takes effect.

Updating virtual system instances (classic)

To disable the SSLv3 protocol in virtual system instances (classic), use a Secure Shell (SSH) connection to connect to each virtual machine and complete the following steps.


  1. Use one of the following procedures to upgrade pattern types:
    • Directly apply the emergency fix:
      1. Import the poodle_vsys_ifix.zip file to the IBM Cloud Orchestrator catalog. When you import the emergency fix, scroll to the Applicable to area. Edit the Images list to specify the images to which the fix should be applied.
      2. Apply the emergency fix to the virtual system instance (classic).
    • For virtual system instances (classic) where root account login is disabled, apply the fix manually. The following steps apply only if the /0config directory (C:\0config on Microsoft Windows) exists on the virtual machine:
      1. Copy the update.py file and the monitoring_parms.json file to each virtual machine.
        For Linux and AIX virtual machines, copy the two files to the /0config directory. For Windows virtual machines, copy the two files to the C:\0config directory.
      2. Run the following command from the /0config directory:
        python update.py
        For Windows, open a command-line window with Administrator privileges (“Run as Administrator”) and run the command.

        The python script does the following actions:
        1. Updates the topology using the latest plug-ins from Foundation-ptype Version 2.1 if it exists on the virtual machine.
        2. Stops the Workload Deployer management and monitoring processes on the virtual machine.
        3. Cleans up related paths and files.
        4. Restarts the 0config initialization process to upgrade Foundation-ptype, if necessary.
  2. Import the IBM Cloud Orchestrator V2.4.0.2 JRE emergency fix to the catalog.

  3. Apply the IBM Cloud Orchestrator V2.4.0.2 JRE emergency fix to the extended virtual system instance (classic).

    Note: While applying the fix to each instance running on Intel operating systems, clear the Take a snapshot before service is applied check box.

  4. Restart your virtual machine so that the updates take effect.

  5. Verify that SSLv3 is disabled and that the deployed virtual machine supports the TLSv1.2 protocol:
    1. Run the following command:
      openssl s_client -connect vm_ip:9999
      where vm_ip is the IP address of the deployed virtual machine. The handshake must succeed, and the Protocol line in the SSL-Session section of the output should report TLSv1.2 (provided that the openssl client itself supports TLSv1.2).
    2. SSH into each virtual machine and run the following command:
      /opt/IBM/ibm_java_dir/jre/bin/java -version
      For virtual machines running IBM SDK, Java Technology Edition, V6 (virtual system instances (classic)), the version is updated to SR16 FP3. For virtual machines running IBM SDK, Java Technology Edition, V7 (virtual application instances, shared service instances, and virtual system instances), the version is updated to SR8 FP10.
      Tip: The SR number is shown as part of the build identifier in the output of the java -version command.
    3. Run the following command:
      openssl s_client -connect vm_ip:9999 -ssl3
      where vm_ip is the IP address of the deployed virtual machine. This handshake must fail (no cipher is negotiated and openssl reports a handshake failure), which shows that the virtual machine no longer accepts SSLv3. If the openssl client rejects -ssl3 as an unknown option, it was built without SSLv3 support and this step is inconclusive; run it from a client that still supports SSLv3.
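The two openssl commands in step 5 do not state a pass criterion. The following Python script is an added example (it is not IBM code and is not part of the technote): it runs the technote's two s_client probes against port 9999, adds an explicit -tls1_2 probe so that TLSv1.2 support is checked directly rather than inferred, and classifies the s_client output. A failed handshake still produces an SSL-Session block, but with Cipher 0000 (and "Cipher is (NONE)"), while a successful one reports the negotiated protocol and a real cipher name. The transcripts embedded in the script are constructed, abridged imitations of OpenSSL 1.0.x output used only for illustration and testing; exact error wording differs between OpenSSL versions, so several markers are matched. If the local openssl was built without SSLv3, -ssl3 is rejected as an unknown option; the script reports that as inconclusive, not as a pass.

```python
"""Verify SSLv3 is off on a deployed VM's management port (9999) with openssl.

Added example, not part of the IBM technote or product. It runs the
technote's two openssl s_client commands plus a -tls1_2 probe and turns the
output into pass/fail. Sample transcripts below are constructed, abridged
OpenSSL 1.0.x output; error wording varies by OpenSSL version, so several
markers are checked.
"""
import re
import subprocess

MGMT_PORT = 9999  # port used in the technote's verification commands

# Constructed, abridged s_client transcripts (not captured from a real VM).
SAMPLE_TLS12_OK = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""
SAMPLE_SSL3_REFUSED = """CONNECTED(00000003)
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
"""
SAMPLE_NO_SSL3_CLIENT = "unknown option -ssl3\nusage: s_client args\n"


def classify(output):
    """Return 'negotiated:<protocol>', 'refused' or 'inconclusive'.

    s_client prints an SSL-Session block even when the handshake fails; the
    tell-tale is then Cipher 0000 (or 'Cipher is (NONE)'). A local openssl
    built without SSLv3 rejects -ssl3 outright, which proves nothing about
    the server, hence 'inconclusive'.
    """
    if re.search(r"unknown option|unrecognized option", output, re.I):
        return "inconclusive"
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if proto and cipher and cipher.group(1) not in ("0000", "(NONE)"):
        return "negotiated:" + proto.group(1)
    if re.search(r"handshake failure|wrong version number|Cipher is \(NONE\)|"
                 r"Cipher\s*:\s*0000", output):
        return "refused"
    return "inconclusive"


def evaluate(outputs):
    """outputs maps probe name ('default', '-ssl3', '-tls1_2') to s_client text.

    Pass means: the default handshake lands on some TLS version, an explicit
    TLSv1.2 handshake succeeds, and an SSLv3-only handshake is refused.
    """
    results = {name: classify(text) for name, text in outputs.items()}
    ok = (results.get("default", "").startswith("negotiated:TLSv1")
          and results.get("-tls1_2") == "negotiated:TLSv1.2"
          and results.get("-ssl3") == "refused")
    return ok, results


def probe(host, port=MGMT_PORT, flag=None, timeout=20):
    """Run openssl s_client once; stdin is closed so it exits after the handshake."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    if flag:
        cmd.append(flag)
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return (proc.stdout + proc.stderr).decode(errors="replace")


def verify_vm(host, port=MGMT_PORT):
    """Run the three probes against one VM and evaluate them."""
    probes = (("default", None), ("-tls1_2", "-tls1_2"), ("-ssl3", "-ssl3"))
    outputs = {name: probe(host, port, flag) for name, flag in probes}
    return evaluate(outputs)


if __name__ == "__main__":
    import sys
    for vm_ip in sys.argv[1:]:
        ok, results = verify_vm(vm_ip)
        print(f"{vm_ip}: {'PASS' if ok else 'FAIL'} {results}")
```

Run it as `python verify_sslv3.py vm_ip [vm_ip ...]` from a host that can reach port 9999 on the deployed virtual machines. Note that a server that still speaks SSLv3 would make the -ssl3 probe "negotiate" rather than fail, so the decision requires an explicit refusal; an "inconclusive" result for -ssl3 means the client, not the server, is the problem.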

Disabling the SSLv3 protocol in the Workload Deployer component

After you upgrade all instances as described in this topic, you must also turn off SSLv3 support on the Workload Deployer component itself. SSLv3 is disabled through the JRE default security policy: on the Workload Deployer server, add the jdk.tls.disabledAlgorithms=SSLv3 property to the following JRE file, and then restart the Java processes that use this JRE so that the change takes effect (java.security is read only at JVM start).



/opt/ibm/javax86_64-70/jre/lib/security/java.security
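The following script is an added example (not IBM code and not part of the technote) that applies and audits this setting. It assumes the java.security file follows java.util.Properties syntax, which the IBM JRE's file does: '#' or '!' starts a comment, a line ending in a backslash continues on the next line, and when a key is defined twice the last definition wins. The default path is the Workload Deployer path given above; the file fragments embedded in the script are constructed for illustration and testing. The practitioner's caveat it encodes: if java.security already has an active jdk.tls.disabledAlgorithms line (for example one that disables small RSA keys or MD2), SSLv3 must be merged into that line, because simply appending a second jdk.tls.disabledAlgorithms=SSLv3 line would override the first one and silently re-enable whatever it had disabled.

```python
"""Check and enforce jdk.tls.disabledAlgorithms=SSLv3 in a JRE java.security file.

Added example, not part of the IBM technote or product. Assumes java.security
follows java.util.Properties syntax ('#'/'!' comments, backslash line
continuations, last definition of a key wins), which the IBM JRE's file does.
The default path is the Workload Deployer path given in the technote.
"""
import sys

PROPERTY = "jdk.tls.disabledAlgorithms"
DEFAULT_PATH = "/opt/ibm/javax86_64-70/jre/lib/security/java.security"

# Constructed java.security fragments (not copied from a real JRE) covering the
# edge cases: property absent (only a commented-out copy), property present with
# other algorithms, and property split over a continuation line.
SAMPLE_ABSENT = "securerandom.source=file:/dev/urandom\n#jdk.tls.disabledAlgorithms=SSLv3\n"
SAMPLE_OTHER = "jdk.tls.disabledAlgorithms=MD2, RSA keySize < 1024\n"
SAMPLE_CONTINUED = "jdk.tls.disabledAlgorithms=MD2, \\\n    RSA keySize < 1024\n"


def _continues(line):
    """A physical line ending in an odd number of backslashes continues on the next."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def find_property(text, key=PROPERTY):
    """Locate the active (uncommented) definition of key.

    Returns (first_line_index, last_line_index, [values]) or None. Later
    definitions override earlier ones, as java.util.Properties does, so the
    edit below always targets the definition the JRE will actually use.
    """
    lines = text.splitlines()
    found = None
    i = 0
    while i < len(lines):
        start = i
        logical = lines[i].lstrip()
        if logical.startswith(("#", "!")):
            i += 1
            continue
        while _continues(lines[i]) and i + 1 < len(lines):
            logical = logical[:-1] + lines[i + 1].lstrip()  # drop '\', join next line
            i += 1
        name, sep, value = logical.partition("=")
        if not sep:
            name, sep, value = logical.partition(":")
        if sep and name.strip() == key:
            values = [v.strip() for v in value.split(",") if v.strip()]
            found = (start, i, values)
        i += 1
    return found


def sslv3_disabled(text):
    """True if the active jdk.tls.disabledAlgorithms value lists SSLv3."""
    found = find_property(text)
    return found is not None and any(v.lower() == "sslv3" for v in found[2])


def ensure_sslv3_disabled(text):
    """Return (new_text, changed), merging SSLv3 into the existing definition.

    Appending a second 'jdk.tls.disabledAlgorithms=' line would win over the
    first and silently re-enable everything the first one had disabled.
    """
    if sslv3_disabled(text):
        return text, False
    lines = text.splitlines()
    found = find_property(text)
    if found is None:
        lines.append(f"{PROPERTY}=SSLv3")
    else:
        _start, end, values = found
        tail = lines[end].rstrip()
        if _continues(tail):  # dangling continuation at end of file
            tail = tail[:-1]
        lines[end] = tail + (", SSLv3" if values else "SSLv3")
    return "\n".join(lines) + "\n", True


def main(argv):
    """Usage: disable_sslv3.py [--check] [path]; --check only reports (exit 1 if enabled)."""
    args = [a for a in argv[1:] if a != "--check"]
    path = args[0] if args else DEFAULT_PATH
    with open(path, encoding="latin-1") as fh:  # Properties files are ISO-8859-1
        text = fh.read()
    if "--check" in argv:
        disabled = sslv3_disabled(text)
        print(f"{path}: SSLv3 {'disabled' if disabled else 'ENABLED'}")
        return 0 if disabled else 1
    new_text, changed = ensure_sslv3_disabled(text)
    if changed:
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(new_text)
    print(f"{path}: {'added SSLv3 to' if changed else 'SSLv3 already in'} {PROPERTY}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python disable_sslv3.py` on the Workload Deployer server to apply the property (back up java.security first), or `python disable_sslv3.py --check /path/to/java.security` to audit any JRE, including the ones on deployed virtual machines, without modifying it. The edited JVM must be restarted before the new policy is in force.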

Product: IBM SmartCloud Orchestrator (SS4KMC)
Business Unit: Cloud & Data Platform
Component: Documentation
Platform: AIX, Linux, Windows
Version: 2.4; 2.4.0.1
Line of Business: Automation

Document Information

Modified date:
17 June 2018

UID

swg21883452