4 replies. Latest post 2012-11-05T10:32:16Z by SystemAdmin
SystemAdmin (6772 Posts)

Pinned topic: Common criteria mode

2012-08-29T11:20:53Z
Hi

We are seeing an error message in our logs that is an audit error entry. It says that the connection from an IP address to 0.0.0.0:<listening port> has been rejected. The help text when I click on the error reads "Connection rejected - not allowed by ACL (CC Mode only)."

After some investigation we found that for some reason the appliance is in Common criteria mode.

The HTTPS front-side handler associated with the port on which the connections are being rejected has an ACL configured.

We have 3 other appliances that are not in Common Criteria mode with the same HTTPS front-side handler configuration; however, we are not getting the same error entry in the log.

I have not been able to find out exactly what is changed in common criteria mode.

So the question is whether I am only seeing the error logged on one DataPower because it is in Common Criteria mode, while the same behaviour happens on all the appliances and is just not logged on the others.

Or is Common Criteria mode changing the behaviour of the DataPower?
Updated on 2012-11-05T10:32:16Z at 2012-11-05T10:32:16Z by SystemAdmin
  • Liv2luv (573 Posts)

    Re: Common criteria mode

    2012-08-29T12:40:57Z in response to SystemAdmin
    As you've figured out, it is the Common Criteria (CC) mode not allowing a connection on 0.0.0.0.

    CC mode enforces additional security (EAL4 in the case of DataPower); see below:

    http://en.wikipedia.org/wiki/Evaluation_Assurance_Level
    • SystemAdmin (6772 Posts)

      Re: Common criteria mode

      2012-08-29T15:30:46Z in response to Liv2luv
      Thanks for the feedback.

      I do have many other front-side handlers on the appliances that work perfectly without problems listening on 0.0.0.0. There is one difference, and that is that this is the only FSH with an ACL.

      To further complicate the problem, I can see accepted connections in the xact log from the same IP, and looking closer at the logs, it seems like the connection is accepted, based on the xact log, and rejected, based on the audit error in the system log.

      It almost seems that it is incorrectly logging the event in the system log.
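One way to check the "accepted in the xact log, rejected in the system log" discrepancy described in the post above is to correlate the two logs by source IP and time. The script below is an added example for this thread, not DataPower's own tooling, and the log line formats, field names, listener address and window size in it are constructed assumptions for illustration; the real DataPower system-log and xact-log syntax differs, so the regexes must be adapted to your appliance's log targets.

```python
"""Correlate ACL-rejection audit entries with accepted transactions per source IP.

Added example for this thread, not DataPower's own code. The log line formats
below are constructed for illustration and are NOT the real DataPower system
log or xact log syntax; adapt REJECT_RE and ACCEPT_RE to your log targets.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample system-log lines (hypothetical format, RFC 5737 test addresses).
SYSTEM_LOG = """\
2012-08-29T10:01:02Z audit error: Connection from 192.0.2.10:51234 to 0.0.0.0:8443 rejected - not allowed by ACL (CC Mode only)
2012-08-29T10:01:05Z audit error: Connection from 198.51.100.7:44100 to 0.0.0.0:8443 rejected - not allowed by ACL (CC Mode only)
2012-08-29T10:02:00Z network info: Listener on 0.0.0.0:8443 ready
"""

# Constructed sample transaction (xact) log lines (hypothetical format).
XACT_LOG = """\
2012-08-29T10:01:03Z xact accepted: client 192.0.2.10 port 8443 request /api/orders status 200
2012-08-29T10:03:10Z xact accepted: client 203.0.113.5 port 8443 request /api/health status 200
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\S+) audit error: Connection from (?P<ip>[\d.]+):\d+ "
    r"to (?P<listener>[\d.]+:\d+) rejected - not allowed by ACL"
)
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+) xact accepted: client (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp used in the constructed lines."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse(text, regex):
    """Return (timestamp, source_ip, match_fields) for every line the regex matches."""
    events = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            events.append((parse_ts(m.group("ts")), m.group("ip"), m.groupdict()))
    return events


def correlate(system_log, xact_log, window=timedelta(seconds=30)):
    """For each ACL rejection, count accepted transactions from the same IP within +/- window."""
    rejects = parse(system_log, REJECT_RE)
    accepts = parse(xact_log, ACCEPT_RE)
    accepted_by_ip = defaultdict(list)
    for ts, ip, _ in accepts:
        accepted_by_ip[ip].append(ts)
    result = {}
    for ts, ip, fields in rejects:
        nearby = [a for a in accepted_by_ip.get(ip, []) if abs(a - ts) <= window]
        result[ip] = {
            "listener": fields["listener"],
            "rejected_at": ts,
            "accepted_within_window": len(nearby),
        }
    return result


def classify(result):
    """Split rejected IPs into those that were also served (rejection may be log-only)
    and those with no accepted transaction nearby (really blocked)."""
    served = sorted(ip for ip, r in result.items() if r["accepted_within_window"])
    blocked = sorted(ip for ip, r in result.items() if not r["accepted_within_window"])
    return served, blocked


if __name__ == "__main__":
    served, blocked = classify(correlate(SYSTEM_LOG, XACT_LOG))
    print("rejected by ACL but served anyway (check whether the audit entry is log-only):", served)
    print("rejected by ACL with no accepted transaction nearby:", blocked)
```

If an IP shows up as both rejected and served, the next step is to compare the source port and timestamps of the two entries: a client that retries immediately after a real rejection can also produce this pattern, so the window alone is not proof that the audit entry is spurious.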
      • SystemAdmin (6772 Posts)

        Re: Common criteria mode

        2012-10-16T01:19:47Z in response to SystemAdmin
        Can you check if you can connect to this box using HTTP?

        If you do not require CC mode, you will have to reinitialise your appliance to disable it.

        Cheers
        • SystemAdmin (6772 Posts)

          Re: Common criteria mode

          2012-11-05T10:32:16Z in response to SystemAdmin
          Thanks.

          We did re-initialise the DataPower in the end.