ITM Agent Insights: Security scans reporting "weak ciphers" or vulnerable ports against ITM / ITCAM agents.
DougDoering
In general with Tivoli Monitoring agents, problems related to "weak ciphers" or a specific "port" cited as vulnerable in a security scan are almost always related to Secure Socket Layer (SSL) communications (using the IP.SPIPE or IP6.SPIPE communication method) or to the embedded IBM HTTP Server. Both rely on the embedded IBM Global Security Kit (GSKIT) package to provide the SSL protocols / ciphers used for communication. The IP.SPIPE / IP6.SPIPE communication is a separate channel from the communication to the embedded IBM HTTP Server, but since both rely on GSKIT to provide SSL communication, the configuration options and external environment variables that affect GSKIT protocols / ciphers apply to both.
The level of GSKIT that ITM includes ("GS" component) and the available environment variables for controlling those levels of GSKIT will impact possible recommendations to resolve reported security vulnerabilities.
Gather the ITM environment information to understand what levels of GSKIT are being used, as well as to review the current ITM communication protocol settings for KDC_FAMILIES.
If a security scan is flagging a specific port, it may be port 3661, which is the default well-known port for the embedded IBM HTTP Server.
If the issue is related to the IBM HTTP Server, then depending on what components are installed on the system reported in your security scan, it may be possible to disable the IBM HTTP Server completely so that it does not acquire port 3661.
ITM Port Usage and Limiting Port Usage
Default ports allocated by ITM components during startup
Avoiding Conflicts with ITM process port number usage
Referenced technote 1422918 has been archived; the information previously documented in that technote is now in the following blog:
Please note there is a fundamental difference between disabling a function so that a port is not acquired, or controlling which port is chosen for a specific function, and controlling the protocol / cipher used for the communications over that port.
If the security scan cites a specific CVE, review that specific CVE to identify any ITM APAR providing the fix, and then refer to that APAR for the details of ITM fixing levels.
Security Bulletin: Vulnerability in SSLv3 affects IBM Tivoli Monitoring (CVE-2014-3566)
This CVE cites APAR IV68044
It provides "patch" installs for the IV68044 APAR that can be applied to 6.3 FP4 and
From the closing text of IV68044:
The fix for this APAR is contained in the following maintenance packages:
It is important to realize that there are often multiple changes incorporated dealing with security vulnerabilities as more CVEs are discovered / addressed.
ITM has made enhancements to control / disable vulnerable protocols along with uplifting the GSKIT package that ITM ships at various levels.
APAR IV72984 - Available but disabled SSLv3 ciphers cause false-positives in security scans.
In old releases of ITM (6.10 / 6.20 / 6.21 / 6.22 / 6.23), older GSKIT packages were used, which allowed for possible SSLv1 / SSLv2 / SSLv3 protocols.
In the past, environment variables were recommended to disable individual protocols; these recommendations no longer apply to current ITM releases and do not work with GSKIT v8:
DCF 1413620 Setting SSL v3 in ITM 6 environment
DCF 1315078 Disabling SSLv2 in ITM 6.x
These GSK_PROTOCOL_* variables do NOT disable the SSLV2, SSLV3 or TLSV1 protocols with the current ITM 6.3 release, which relies on the more recent GSKIT v8 package.
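As an added example (not code from the ITM product or from this blog), the following script audits an agent environment file for the two things discussed above: whether an SSL channel (IP.SPIPE / IP6.SPIPE) is enabled in KDC_FAMILIES, so GSKIT settings are relevant to the scan finding, and whether any of the legacy GSK_PROTOCOL_* variables are still set, which on ITM 6.3 / GSKIT v8 no longer disable anything. The sample configuration content is constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of an ITM agent environment file (key=value lines).
# The values are illustrative only and are not taken from a real installation.
SAMPLE_CONFIG = """\
# constructed sample agent configuration
KDC_FAMILIES=ip.spipe port:3660 ip.pipe port:1918 ip use:n sna use:n
GSK_PROTOCOL_SSLV2=OFF
GSK_PROTOCOL_SSLV3=OFF
"""

# Legacy variables the blog says are ineffective with GSKIT v8 (ITM 6.3).
LEGACY_GSK_VAR = re.compile(r"^GSK_PROTOCOL_", re.IGNORECASE)


def parse_env(text: str) -> Dict[str, str]:
    """Parse key=value lines, ignoring blanks and # comments."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def enabled_families(families: str) -> List[str]:
    """Return KDC_FAMILIES entries not explicitly disabled with 'use:n'.

    Each family name is followed by zero or more 'key:value' options
    (e.g. 'port:3660' or 'use:n') up to the next family name.
    """
    tokens = families.split()
    enabled: List[str] = []
    i = 0
    while i < len(tokens):
        name = tokens[i].lower()
        i += 1
        opts: List[str] = []
        while i < len(tokens) and ":" in tokens[i]:
            opts.append(tokens[i].lower())
            i += 1
        if "use:n" not in opts:
            enabled.append(name)
    return enabled


def audit(text: str) -> dict:
    """Summarise what a scan finding about weak ciphers would depend on."""
    env = parse_env(text)
    fams = enabled_families(env.get("KDC_FAMILIES", ""))
    return {
        "enabled_families": fams,
        # True means GSKIT provides the SSL channel, so its protocol settings matter.
        "ssl_channel_in_use": any(f in ("ip.spipe", "ip6.spipe") for f in fams),
        # Non-empty means someone relied on variables that no longer take effect.
        "legacy_gsk_protocol_vars": sorted(k for k in env if LEGACY_GSK_VAR.match(k)),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```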
To understand the available protocols / ciphers, review the RAS1 logs by looking in the -01.log segment for the section that describes the "GSKIT Environment":
gs IBM GSKit Security Interface