LogJam browser vulnerability Impacts on B2B DX

LogJam browser vulnerability impact on B2B Data Exchange/Data Integration Hub installation with HTTPS enabled, accessed through Chrome
Due to the LogJam vulnerability, existing DX/DIH Consoles can no longer be reached using Chrome.
This is because a Chrome update refuses to connect to a server whose DHE cipher suites are vulnerable to LogJam. A screenshot of the issue in
Chrome is displayed below.
The fix requires removing the offending (DHE) ciphers from the DX/DIH Tomcat server.xml file.
You can find server.xml at
<DX/DIH Install Root>/apache-tomcat-<version>/conf/server.xml
To fix:
1. Make a copy of the original server.xml file
2. Edit the server.xml file as follows
a. Find the element “Connector” that has an attribute with name “ciphers”
b. Remove any cipher that has the fragment _DHE_ in it
c. Save the server.xml file
3. Restart the Operation Console
See below for an example of what the corrected element looks like.
An already patched server.xml file is attached.
Please note that the actual value of the HTTPS port may vary.
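As an added example, not part of the original article or of Informatica's own tooling, the following Python script applies steps 1 and 2 of the procedure to a server.xml: it backs the file up, then removes every suite containing _DHE_ from each Connector's ciphers attribute while leaving comments, indentation and all other attributes untouched. The embedded sample Connector is constructed from the unpatched element shown further down (shortened), and the backup name server.xml.orig is an assumption made here.

```python
import re
import shutil
from pathlib import Path

# Matches the ciphers="..." attribute of a Tomcat Connector. [^"]* spans newlines,
# which the multi-line value in the DX/DIH server.xml needs.
CIPHERS_ATTR = re.compile(r'(\bciphers\s*=\s*")([^"]*)(")')

# Constructed sample, modelled on the unpatched Connector element shown on this page.
SAMPLE_XML = '''<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
ciphers="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_SHA"
keystoreFile="conf/Default.keystore" />'''

def strip_dhe(value):
    """Return (new_value, removed): the cipher list without any suite containing
    _DHE_, and the suites taken out. One-suite-per-line layout is preserved."""
    suites = [s.strip() for s in value.split(",") if s.strip()]
    kept = [s for s in suites if "_DHE_" not in s]
    removed = [s for s in suites if "_DHE_" in s]
    sep = ",\n" if "\n" in value else ","
    return sep.join(kept), removed

def patch_connector_xml(xml_text):
    """Rewrite every ciphers attribute in xml_text. Only the attribute value is
    replaced, so comments, indentation and all other attributes stay intact."""
    removed_all = []
    def _sub(match):
        new_value, removed = strip_dhe(match.group(2))
        removed_all.extend(removed)
        return match.group(1) + new_value + match.group(3)
    return CIPHERS_ATTR.sub(_sub, xml_text), removed_all

def patch_server_xml(path):
    """Steps 1 and 2 of the procedure: back up server.xml (as server.xml.orig, a
    name chosen here), then strip the DHE suites in place. Returns what was removed."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".orig"))
    new_text, removed = patch_connector_xml(p.read_text(encoding="utf-8"))
    if removed:
        p.write_text(new_text, encoding="utf-8")
    return removed

if __name__ == "__main__":
    patched, removed = patch_connector_xml(SAMPLE_XML)
    print(patched)
    print("removed:", removed)
```

After restarting the Operation Console, the result can be checked from a client with `openssl s_client -connect <host>:18443 -cipher DHE`, which should now fail to negotiate a connection. Note that the corrected list on this page still carries RC4 and 3DES suites, which are deprecated in their own right.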
[Screenshot] DX/DIH in a Chrome browser connected to an unpatched (vulnerable) installation.
Fixed Connector element in the server.xml file (9.6.1/HF1).
Note that the actual file can have different port values.
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<!-- INFA change: The encoding of the output is now UTF-8, the port is
now 18443, and the keystore is now set. -->
<Connector port="18443" maxHttpHeaderSize="8192"
protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
URIEncoding="UTF-8"
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA"
keystoreType="PKCS12"
keystoreFile="conf/Default.keystore"
keystorePass="changeit"
server="unknown"
/>
Original HTTPS Connector element in the server.xml file (9.6.1/HF1).
To fix the LogJam issue, the cipher lines containing _DHE_ (marked in red in the original document) must be removed.
Note that the actual file can have different port values.
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<!-- INFA change: The encoding of the output is now UTF-8, the port is
now 18443, and the keystore is now set. -->
<Connector port="18443" maxHttpHeaderSize="8192"
protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
URIEncoding="UTF-8"
ciphers="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA"
keystoreType="PKCS12"
keystoreFile="conf/Default.keystore"
keystorePass="changeit"
server="unknown"
/>