IBM Support

ITM Agent Insights: Security scans reporting "weak cyphers" or vulnerable ports against ITM / ITCAM agents.

Technical Blog Post


Abstract

ITM Agent Insights: Security scans reporting "weak cyphers" or vulnerable ports against ITM / ITCAM agents.

Body

In general with Tivoli Monitoring agents, problems related to "weak cyphers" or a specific "port" coming up in a security scan being cited as vulnerable are almost always related to Secure Socket Layer (SSL) communications (using IP.SPIPE or IP6.SPIPE communication method), or the IBM HTTP Server.  Both of these rely on The IBM Global Security Kit (GSKIT) embedded package to provide the SSL protocols / ciphers for communication.  The IP.SPIPE / IP6.SPIPE communication is a separate channel than the communication to the embedded IBM HTTP Server, but since both rely for GSKIT to provide SSL communication, the configuration options and external environment variables that impact GSKIT protocols / cyphers apply to both.

The level of GSKIT that ITM includes ("GS" component) and the available environment variables for controlling those levels of GSKIT will impact possible recommendations to resolve reported security vulnerabilities.

Gather the ITM environment information to understand what levels of GSKIT are being used, as well as to review the current ITM communication protocol settings for KDC_FAMILIES.

 

If a security scan is flagging a specific port, it may be port 3661 which is the default well-known port for the embedded IBM HTTP Server.

If the issue is related to the IBM HTTP Server, depending on what components are installed on the system being reported in your security scan, we may be able to disable the IBM HTTP Server completely so that it does not acquire port 3661

ITM Port Usage and Limiting Port Usage
http://www-01.ibm.com/support/docview.wss?uid=swg21589289

Default ports allocated by ITM components during startup
http://www-01.ibm.com/support/docview.wss?uid=swg21388882

Avoiding Conflicts with ITM process port number usage
http://www-01.ibm.com/support/docview.wss?uid=swg21456737

Referenced technote 1422918 has been archived, the information previously documented in this technote are now in the following blog:
Sitworld:  ITM Protocol Usage and Protocol Modifiers  
https://www.ibm.com/developerworks/community/blogs/jalvord/entry/sitworld_itm_protocol_usage_and_protocol_modifiers?lang=en

Please note there is a fundamental difference between disabling function so a port is not acquired, or controlling which port is chosen for a specific function, than there is in controlling the protocol / cipher used in relation to the communications over any specific port.

 

If the security scan cites a specific CVE, review that specific CVE to identify any ITM APAR providing the fix, and then refer to that APAR for the details of ITM fixing levels.

Example:

Security Bulletin: Vulnerability in SSLv3 affects IBM Tivoli Monitoring (CVE-2014-3566)
http://www-01.ibm.com/support/docview.wss?uid=swg21691775

This CVE cites APAR IV68044

It provides "patch" installs for the IV68044 APAR that can be applied to 6.3 FP4 and
6.3.0-TIV-ITM-FP0004-IV68044
6.2.3-TIV-ITM-FP0005-IV68044
6.2.2-TIV-ITM-FP0009-IV68044
6.21/6.20 upgrade to one of the releases above where a patch is available. If unable to upgrade, contact IBM support


APAR IV68044 - POODLE 2 PAD BYTE ENFORCEMENT
https://eclient.lenexa.ibm.com:9445/search/?fetch=source/APAR/IV68044
***
NOTE:
Once IV68044 has been installed on a management server, older
agents running IBM Tivoli Monitoring 6.2.1 and 6.2.0 shared
components  will not able able to connect.
 
If an agent is running with IBM GSKit  Security Interface
7.3.x.x or lower (component GS) , it will not longer be able to
connect to a management server once IV68044 provisional or 6.3.0
FP5 has been installed, due to APAR IV68044.  This is because
the older GSKit version only supports SSL and APAR IV68044
disables the use of SSL.   The IBM TIvoli Monitoring GSKit
version needs to be at 7.4 or later.
***

From the closing text of IV68044:

The fix for this APAR is contained in the following maintenance packages:
 
  | fix pack | 6.3.0-TIV-ITM-FP0005
  | provisional | 6.3.0-TIV-ITM-FP0004-IV68044
  | provisional | 6.2.3-TIV-ITM-FP0005-IV68044
  | provisional | 6.2.2-TIV-ITM-FP0009-IV68044

 

It is important to realize that there are often multiple changes incorporated dealing with security vulnerabilities as more CVEs are discovered / addressed.

ITM has made enhancements to control / disable vulnerable protocols along with uplifting the GSKIT package that ITM ships at various levels.

 

APAR IV72984 - Available but disabled SSLv3 ciphers cause false-positives in security scans.
https://eclient.lenexa.ibm.com:9445/search/?fetch=source/APAR/IV72984
***
The code is changed to remove disabled SSLv3 ciphers from the suite inventory.
 
 
The fix for this APAR is contained in the following maintenance packages:
 
   | fix pack | 6.3.0-TIV-ITM-FP0005
***

 

In old releases of ITM (6.10 / 6.20 / 6.21 / 6.22 / 6.23), older GSKIT packages were used, which allowed for possible SSLv1 / SSLv2 / SSLv3 protocols.

In the past, environment variables to disable different protocols were recommended that no longer apply to current ITM releases and do not work with GSKIT v8:

DCF 1413620 Setting SSL v3 in ITM 6 environment

DCF 1315078 Disabling SSLv2 in ITM 6.x
http://www-01.ibm.com/support/docview.wss?uid=swg21315078

GSK_PROTOCOL_SSLV2=OFF
GSK_PROTOCOL_SSLV3=OFF
GSK_PROTOCOL_TLSV1=OFF

 

These GSK_PROTOCOL_* variables do NOT disable SSLV2 or SSLV3 or TLSV1 protocols with current ITM 6.3 release which relies on more recent GSKIT v8 package.

 

 

To understand the available protocols / ciphers, review the RAS1 logs by looking in the -01.log segment for the section that describes the "GSKIT Environment":

 

6.3 FP2:

gs      IBM GSKit Security Interface
         aix523  Version: 08.00.50.05
         aix526  Version: 08.00.50.05

 

kbbssge.c,47,"BSS1_GetEnv") KDEBE_V3_CIPHER_SPECS=GSK_V3_CIPHER_SPECS="352F0A" (default)
kbbssge.c,55,"BSS1_GetEnv") KDEBE_TLSV10_CIPHER_SPECS=GSK_TLSV10_CIPHER_SPECS=""
kbbssge.c,55,"BSS1_GetEnv") KDEBE_TLSV11_CIPHER_SPECS=GSK_TLSV11_CIPHER_SPECS=""
kbbssge.c,55,"BSS1_GetEnv") KDEBE_TLSV12_CIPHER_SPECS=GSK_TLSV12_CIPHER_SPECS=""

kdebenc.c,689,"ssl_provider_constructor") GSKit Environment
                       Version Number: 8.0.50.5
                         Keyring File: /opt/IBM/ITM-79394/keyfiles/keyfile.kdb
                   Keyring Stash File: /opt/IBM/ITM-79394/keyfiles/keyfile.sth
                        Keyring Label: IBM_Tivoli_Monitoring_Certificate
                   SSL V2 CipherSpecs: Disabled
                   SSL V3 CipherSpecs: 352F0A
                  TLS 1.0 CipherSpecs: TLS_RSA_WITH_AES_128_CBC_SHA
                                       TLS_RSA_WITH_AES_256_CBC_SHA
                                       TLS_RSA_WITH_3DES_EDE_CBC_SHA
                  TLS 1.1 CipherSpecs: TLS_RSA_WITH_AES_128_CBC_SHA
                                       TLS_RSA_WITH_AES_256_CBC_SHA
                                       TLS_RSA_WITH_3DES_EDE_CBC_SHA
                  TLS 1.2 CipherSpecs: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                                       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                                       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
                                       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
                                       TLS_RSA_WITH_AES_128_GCM_SHA256
                                       TLS_RSA_WITH_AES_256_GCM_SHA384
                                       TLS_RSA_WITH_AES_128_CBC_SHA256
                                       TLS_RSA_WITH_AES_256_CBC_SHA256
                                       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
                                       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
                                       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
                                       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

 

Note that at 6.3 FP2, SSLv2 is disabled by default, but allows for SSLv3 as well as TLS 1.x protocols.

Starting with 6.3 FP2 level, three KDEBE_TLSV1*_CIPHER_SPECS= variables were added that can control the ciphers allowed for TLS v1.0, TLS v1.1, and TLS v1.2 protocols.


KDEBE_TLSV10_CIPHER_SPECS="<protocol>,<protocol>..."

KDEBE_TLSV11_CIPHER_SPECS="<protocol>,<protocol>..."

KDEBE_TLSV12_CIPHER_SPECS="<protocol>,<protocol>..."

 

6.3 FP5:

gs      IBM GSKit Security Interface
         aix526  Version: 08.00.50.36

kdebenc.c,728,"ssl_provider_constructor") GSKit Environment
                    Version Number: 8.0.50.36
                      Keyring File: /opt/IBM/L2IsNotTest/keyfiles/keyfile.kdb
                Keyring Stash File: /opt/IBM/L2IsNotTest/keyfiles/keyfile.sth
                     Keyring Label: IBM_Tivoli_Monitoring_Certificate
                SSL V2 CipherSpecs: Disabled
                SSL V3 CipherSpecs: Disabled

               TLS 1.0 CipherSpecs: TLS_RSA_WITH_AES_128_CBC_SHA
                                    TLS_RSA_WITH_AES_256_CBC_SHA
                                    TLS_RSA_WITH_3DES_EDE_CBC_SHA
               TLS 1.1 CipherSpecs: TLS_RSA_WITH_AES_128_CBC_SHA
                                    TLS_RSA_WITH_AES_256_CBC_SHA
                                    TLS_RSA_WITH_3DES_EDE_CBC_SHA
               TLS 1.2 CipherSpecs: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
                                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
                                    TLS_RSA_WITH_AES_128_GCM_SHA256
                                    TLS_RSA_WITH_AES_256_GCM_SHA384
                                    TLS_RSA_WITH_AES_128_CBC_SHA256
                                    TLS_RSA_WITH_AES_256_CBC_SHA256
                                    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
                                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
                                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
                                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
                 FIPS Mode Enabled: No
                  SSL Library Path: /opt/IBM/L2IsNotTest/aix526/gs/lib64/libgsk8ssl_64.so

 

Note that 6.3 FP5 ships APAR changes for both IV68044 and IV72984

OS agents at 6.3 FP5 or higher include a sufficiently high level of GSKIT where both SSLv2 and SSLv3 protocols are disabled by default, leaving only the TLS protocols with their available ciphers.

 

 

At 6.3 FP7 - 6.3.0-TIV-ITM-FP0007 - additional environment variables were implemented with APAR IV82451 to enable or disable specific TLS protocols:

 

IV82451: SSL PROTOCOL SELECTION OF TLS 1.0, TLS 1.1, TLS 1.2
http://www-01.ibm.com/support/docview.wss?uid=swg1IV82451

KDEBE_TLS10_ON=NO
KDEBE_TLS11_ON=NO
KDEBE_TLS12_ON=NO

 

 

 

Keywords:
drd401709

KDEBE_V3_CIPHER_SPECS=

GSK_V3_CIPHER_SPECS=

 

Additional ITM Agent Insights series of IBM Tivoli Monitoring Agent blogs are indexed under ITM Agent Insights: Introduction.

 

Tutorials Point

Subscribe and follow us for all the latest information directly on your social feeds:

 

imageimageimage

Check out all our other posts and updates:

Academy Blogs
Academy Videos
Academy Google+
Academy Twitter

image

 

[{"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Product":{"code":"","label":""},"Component":"","Platform":[{"code":"","label":""}],"Version":"","Edition":""}]

UID

ibm11082973