Security problems

Security problems in License Metric Tool might include issues with logging in to the application or those related to the security of your credentials and your environment. However, you can easily recover from these problems.

Login credentials and the authenticity token are stored as plain text in the HTTP packet.
When you log in, the login form that contains the credentials is sent as plain text in the HTTP packet. To solve this issue, configure SSL.
When creating a new user, autocomplete is enabled for the password field.
When creating a new user, the password field might be filled by autocomplete based on the password that is stored in the browser.
The server is not working properly after certificates are modified.
If the server is not working properly after certificates are modified and the server is restarted, delete the License Metric Tool keystore file key_server.p12 and restart the server. The keystore file is regenerated with a self-signed certificate. You can investigate the cause of the problem in the tema.log file.
Difficulty establishing a connection with HTTPS.
If you have difficulty establishing a connection over HTTPS and you are using SSL, check that your browser supports TLS 1.2 and that it is enabled.
Changing HTTPS and TLS 1.2 settings.
Starting from application update 9.2.26, the use of HTTPS and TLS 1.2 is enforced.
To change the protocol from HTTPS to HTTP, perform the following steps.
  1. Open the server.xml file. By default, the file is in the following location.
    • Linux: opt/ibm/LMT/wlp/usr/servers/server1
    • Windows: C:\Program Files\ibm\LMT\wlp\usr\servers\server1
  2. Locate the following entry.
    <httpEndpoint host="*" httpsPort="9081" id="tema">
        <tcpOptions soReuseAddr="true" />
    </httpEndpoint>
  3. Change httpsPort to httpPort.
    <httpEndpoint host="*" httpPort="9081" id="tema">
        <tcpOptions soReuseAddr="true" />
    </httpEndpoint>
  4. Restart the server.
    1. Stop the server.
    2. Start the server.
To disable the enforcement of TLS 1.2 (possible only in application updates older than 9.2.26), perform the following steps.
  1. Edit the server.xml file.
    1. Open the server.xml file. By default, the file is in the following location.
      • Linux: opt/ibm/LMT/wlp/usr/servers/server1
      • Windows: C:\Program Files\ibm\LMT\wlp\usr\servers\server1
    2. Locate the following entry.
      <ssl clientAuthenticationSupported="false" id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2"/>
    3. Remove sslProtocol="TLSv1.2".
      <ssl clientAuthenticationSupported="false" id="defaultSSLConfig" keyStoreRef="defaultKeyStore"/>
  2. Edit one or both of the following files.
    • java.security - Starting from application update 9.2.26, the file is responsible for settings of the License Metric Tool server. In earlier application updates, it is also responsible for settings of the VM Manager Tool.
    • java_for_vmmt.security - The file is available from application update 9.2.26. It is responsible for settings of the VM Manager Tool.
    1. Open the file. By default, it is in the following location.
      • Linux: opt/ibm/LMT/jre/jre/lib/security
      • Windows: C:\Program Files\ibm\LMT\jre\jre\lib\security
    2. Locate the following entry.
      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
      EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
    3. Remove TLSv1 and TLSv1.1.
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
      EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
  3. Restart the server.
    1. Stop the server.
    2. Start the server.
The single sign-on configuration values are not updated automatically after you modify the server port.
Modifying the port number on the Server Settings pane in License Metric Tool while single sign-on is enabled invalidates the single sign-on configuration. For information about how to modify the port correctly, see Modifying port in License Metric Tool that has single sign-on enabled.
If you already modified the License Metric Tool server port and are experiencing issues signing onto License Metric Tool, you need to:
  1. Revert the disabled SSO configuration for SAML or Revert the disabled SSO configuration for LTPA.
  2. Provide the new port value on the Server Settings page. To access the page, click Management > Server Settings.
  3. Re-create the single sign-on configuration with the new port value. For more information, see either Configuring SSO based on SAML token or Configuring SSO based on LTPA.
After you log in to License Metric Tool for the first time with single sign-on enabled, you are redirected to an IBM icon instead of the overview page.
To recover from this error, follow the instructions in Handling the favicon.ico file with Mozilla Firefox.
When you log in to License Metric Tool using the LDAP authentication, the following error message is displayed: Error contacting the Directory Server for authentication.
The error might occur if the SSL LDAP certificate that is used to authenticate users in License Metric Tool was recently updated. To refresh the certificate in the License Metric Tool database, perform the following actions:
  1. Log in to License Metric Tool as a local administrator.
  2. In the top navigation bar, click Management > Directory Servers.
  3. Choose the LDAP server that is used to authenticate users.
  4. Click Test Connection, and wait for the connection test to finish.
  5. Select Trust Certificate to make the certificate trusted.
  6. Click Save.
Antivirus software detects the LMT/CIT directory as a possible threat.
The LMT/CIT directory is one of the default scanner directories that License Metric Tool requires. It is not infected with any malicious software and does not pose a threat to your system. Exclude this directory from antivirus scans.
Secure connection is not initialized and the CWWKO0801E error can be found in the tema.log file.
The secure connection is not initialized and the following error is written to the tema.log file.
    000000b7 com.ibm.ws.channel.ssl.internal.SSLHandshakeErrorTracker
    CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied
    or security settings have expired. Exception is javax.net.ssl.SSLHandshakeException:
    Client requested protocol TLSv1 not enabled or not supported.
To solve the problem, enable TLS 1.2 in IBM Java. For more information, see: Enabling TLS 1.2 in IBM Java.
Weak cipher suites are enabled
Starting from application update 9.2.29, the following TLS 1.2 cipher suites are disabled:
  • TLS_RSA_WITH_AES_128_CBC_SHA (TLS 1.2)
  • TLS_RSA_WITH_AES_256_CBC_SHA (TLS 1.2)
  • TLS_RSA_WITH_AES_128_CBC_SHA256 (TLS 1.2)
  • TLS_RSA_WITH_AES_256_CBC_SHA256 (TLS 1.2)
  • TLS_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2)
To disable these cipher suites, update the License Metric Tool server to the latest application update.

If you use BigFix® in version 9.5.18 or higher, you can additionally disable the TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite to harden the security further. Do not disable this suite if you use a lower version of BigFix, because the License Metric Tool server would then be unable to connect to the BigFix server.

To disable the TLS_RSA_WITH_AES_256_GCM_SHA384 cipher suite, perform the following steps.
  1. Log in to the computer on which the License Metric Tool server is installed.
  2. Open the java_for_lmt.security file. The file is in the following location: <LMT_install_dir>\wlp\usr\servers\server1\resources\security.
  3. Add TLS_RSA_WITH_AES_256_GCM_SHA384 to the jdk.certpath.disabledAlgorithms parameter.
    jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
        RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, TLS_RSA_WITH_AES_128_CBC_SHA, \
        TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, \
        TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384
  4. Restart the License Metric Tool server.
    1. Stop the server.
    2. Start the server.
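Both the TLS 1.2 procedure and the cipher suite procedure above edit the disabledAlgorithms lists by hand. The following script, added here as an example and not part of the License Metric Tool product, reads the content of a java.security or java_for_lmt.security file, joins the backslash-continued lines, and reports whether TLSv1 and TLSv1.1 are still accepted, which of the RSA cipher suites listed above are still enabled, and whether the optional TLS_RSA_WITH_AES_256_GCM_SHA384 suite is disabled; it also flags a backslash followed by whitespace, which Java does not treat as a line continuation. The file content is a constructed sample and the function names are my own.

```python
# Constructed sample (not from any installation) in the java.security format this page discusses.
SAMPLE_SECURITY = r"""
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, TLS_RSA_WITH_AES_128_CBC_SHA, \
    TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, \
    TLS_RSA_WITH_AES_128_GCM_SHA256
"""
# Suites the page lists as disabled from application update 9.2.29, the optional one for
# BigFix 9.5.18 or later, and the protocols that TLS 1.2 enforcement is meant to exclude.
WEAK_SUITES = {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
               "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256",
               "TLS_RSA_WITH_AES_128_GCM_SHA256"}
OPTIONAL_SUITE = "TLS_RSA_WITH_AES_256_GCM_SHA384"
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_properties(text):
    """Return ({key: value}, warnings) after joining backslash-continued lines.
    Java continues a line only if the backslash is the last character; a backslash followed
    by whitespace escapes that space, so the next line would silently become a separate,
    broken property. Such lines are joined as the author intended but reported."""
    props, warnings, pending = {}, [], []
    for number, raw in enumerate(text.splitlines(), 1):
        if raw != raw.rstrip() and raw.rstrip().endswith("\\"):
            warnings.append("line %d: whitespace after continuation backslash" % number)
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue  # blank or comment line
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        key, _, value = "".join(pending + [line]).partition("=")
        props[key.strip()] = value.strip()
        pending = []
    return props, warnings

def split_algorithms(value):
    """Split on commas; compound entries such as 'DH keySize < 1024' stay whole."""
    return {item.strip() for item in value.split(",") if item.strip()}

def audit(text):
    """Report what is still allowed relative to the settings described on this page."""
    props, warnings = parse_properties(text)
    tls = split_algorithms(props.get("jdk.tls.disabledAlgorithms", ""))
    certpath = split_algorithms(props.get("jdk.certpath.disabledAlgorithms", ""))
    return {"legacy_protocols_still_enabled": sorted(LEGACY_PROTOCOLS - tls),
            "weak_suites_still_enabled": sorted(WEAK_SUITES - certpath),
            "optional_suite_disabled": OPTIONAL_SUITE in certpath,
            "warnings": warnings}
```

Run audit() on the text of the file from the location given in step 2; an empty weak_suites_still_enabled list and an empty legacy_protocols_still_enabled list are the expected state after the update to 9.2.29.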