Hardening of PMP SSL/TLS configuration

My site is in the process of hardening all of our services that require authentication. I upgraded our PMP install to version 8.1 (8101) and I configured it with a globally trusted certificate.

I then ran an nmap scan with the ssl-enum-ciphers script against the install on port 7272. Much to my surprise, it reported back that SSLv3 ciphers are turned on.

The results were:
7272/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong

I changed the server.xml file according to another PMP post's recommendation:

To turn off SSL 3.0 on PMP


I did this, and once nmap is run again the only protocol that shows is TLSv1.0, which is better than having it respond to SSL 3.0.

7272/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Reading through the other product forums, I found that by adding TLSv1, TLSv1.1, TLSv1.2 to the SSLProtocols= line we get the other flavors of TLS turned on.

  • Stop the PMP service and take a backup of the server.xml file present in the PMP/conf directory.
  • Edit this file with WordPad and look for the value sslProtocol="TLS".
  • Change it to SSLProtocols="TLSv1,TLSv1.1,TLSv1.2" and save the file.
    • NOTE: SSLProtocols is now plural (an "s" is added to it). (This will disable SSLv3 in the Tomcat server.)
  • Change it in both of the lines you find in the file.
  • Then start the PMP service and you should be able to connect to the web page.
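As an added illustration (it is not from the post, from the forum thread it quotes, or from ManageEngine), here is a Python script that applies the same server.xml edit programmatically and audits a file for HTTPS connectors still on the default protocol list. The sample server.xml is constructed for the example and is not PMP's real file, the keystore password is a placeholder, and the attribute name SSLProtocols is taken from the post as written; the audit also accepts sslEnabledProtocols, the name newer Tomcat releases document for the same list.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample: a trimmed server.xml with one HTTPS connector shaped like the
# one the post describes (sslProtocol="TLS") and one plain HTTP connector. It is not
# PMP's actual file, and the keystore password is a placeholder.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="7272" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="conf/server.keystore" keystorePass="PLACEHOLDER"/>
    <Connector port="7070" protocol="HTTP/1.1" redirectPort="7272"/>
  </Service>
</Server>
"""

# Protocol list the post settles on (the author plans to drop TLSv1/TLSv1.1 next).
HARDENED_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"

# Attributes that carry the enabled-protocol list: SSLProtocols as used in the post,
# sslEnabledProtocols as documented by newer Tomcat releases.
PROTOCOL_LIST_ATTRS = ("SSLProtocols", "sslEnabledProtocols")


def _is_https(conn: ET.Element) -> bool:
    """True for connectors that terminate TLS."""
    return conn.get("SSLEnabled", "").lower() == "true" or conn.get("scheme") == "https"


def audit_connectors(server_xml: str) -> Dict[str, str]:
    """Return {port: finding} for HTTPS connectors that either rely on the default
    protocol list (which the post's first scan shows includes SSLv3) or list SSLv3
    explicitly. An empty dict means every HTTPS connector is restricted."""
    findings: Dict[str, str] = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not _is_https(conn):
            continue
        port = conn.get("port", "?")
        plist = None
        for attr in PROTOCOL_LIST_ATTRS:
            if conn.get(attr):
                plist = conn.get(attr)
                break
        if plist is None:
            findings[port] = "no explicit protocol list; default may offer SSLv3"
        elif "SSLv3" in [p.strip() for p in plist.split(",")]:
            findings[port] = "SSLv3 explicitly enabled"
    return findings


def harden_connectors(server_xml: str,
                      protocols: str = HARDENED_PROTOCOLS) -> Tuple[str, List[str]]:
    """Apply the post's edit to every HTTPS connector: drop sslProtocol="TLS" and set
    SSLProtocols to the given list. Returns (new_xml, ports_changed)."""
    root = ET.fromstring(server_xml)
    changed: List[str] = []
    for conn in root.iter("Connector"):
        if not _is_https(conn):
            continue
        conn.attrib.pop("sslProtocol", None)
        conn.set("SSLProtocols", protocols)
        changed.append(conn.get("port", "?"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("before:", audit_connectors(SAMPLE_SERVER_XML))
    hardened, ports = harden_connectors(SAMPLE_SERVER_XML)
    print("changed connectors on ports:", ports)
    print("after:", audit_connectors(hardened))
    print(hardened)
```

ElementTree drops XML comments when it re-serializes, so on a real server.xml use audit_connectors against the live file, and either write harden_connectors' output to a new file and diff it before copying it over, or make the edit by hand as the steps above describe. Either way, rescan with ssl-enum-ciphers after restarting the service; the config change is only confirmed by what the port actually negotiates.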

I did this and got these results back.

7272/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong

So making these changes fixes the default build, which has SSL 3.0 ciphers (old, demoted ciphers) available, and leaves just the more secure TLS running. I will be turning the older TLS versions off shortly.
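The three scans above are the real evidence that the change took; as an added example (not part of the post), here is a small Python auditor that parses nmap's ssl-enum-ciphers output into a protocol-to-ciphers map and flags what a hardening baseline would still object to: deprecated protocol versions (SSLv3, and the TLSv1.0/1.1 the author plans to remove next) and cipher suites keyed by static RSA, which offer no forward secrecy. The sample input is the post's first scan; the regexes also accept the newer nmap output shape with a key-exchange note in parentheses and a letter grade, which is an assumption beyond what the post shows.

```python
import re
from typing import Dict, List

# Sample input: the post's first scan, in the output shape of nmap's
# ssl-enum-ciphers script (every version from SSLv3 to TLSv1.2 answered).
SCAN_BEFORE = """\
7272/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

# Versions a hardening baseline should no longer offer.
DEPRECATED_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1")

PROTO_RE = re.compile(r"^(SSLv\d|TLSv\d\.\d):$")
SECTION_RE = re.compile(r"^(ciphers|compressors):$")
# Older nmap: "NAME - strong"; newer nmap: "NAME (kex info) - A" (assumed shape).
CIPHER_RE = re.compile(r"^(\S+)(?: \([^)]*\))? - (\S+)$")


def parse_enum_ciphers(scan_text: str) -> Dict[str, List[str]]:
    """Map each protocol version in the script output to its cipher suite names."""
    protocols: Dict[str, List[str]] = {}
    proto = None
    section = None
    for raw in scan_text.splitlines():
        if not raw.startswith("|"):
            continue                          # port banner line, not script output
        text = raw.lstrip("|_").strip()       # drop the "| " / "|_ " tree prefix
        m = PROTO_RE.match(text)
        if m:
            proto, section = m.group(1), None
            protocols.setdefault(proto, [])
            continue
        m = SECTION_RE.match(text)
        if m:
            section = m.group(1)
            continue
        m = CIPHER_RE.match(text)
        if m and proto and section == "ciphers":
            protocols[proto].append(m.group(1))
    return protocols


def deprecated_protocols(protocols: Dict[str, List[str]]) -> List[str]:
    """Deprecated versions the server still answered for, in baseline order."""
    return [p for p in DEPRECATED_PROTOCOLS if p in protocols]


def suites_without_forward_secrecy(protocols: Dict[str, List[str]]) -> List[str]:
    """Suites with a static key exchange (no ECDHE/DHE): a captured private key
    would let recorded sessions be decrypted later."""
    suites = {s for names in protocols.values() for s in names
              if "_ECDHE_" not in s and "_DHE_" not in s}
    return sorted(suites)


def summarize(scan_text: str) -> Dict[str, object]:
    """One-shot verdict for a scan: which versions answered, what is deprecated,
    which suites lack forward secrecy, and whether the baseline is met."""
    protocols = parse_enum_ciphers(scan_text)
    deprecated = deprecated_protocols(protocols)
    return {
        "protocols": sorted(protocols),
        "deprecated": deprecated,
        "no_forward_secrecy": suites_without_forward_secrecy(protocols),
        "passes": not deprecated,
    }


if __name__ == "__main__":
    for key, value in summarize(SCAN_BEFORE).items():
        print(f"{key}: {value}")
```

Run against the post's final scan, the auditor would still report TLSv1.0 and TLSv1.1 as deprecated and both TLS_RSA suites as lacking forward secrecy, which is a useful reminder that restricting protocol versions is only half of the hardening; the cipher list on the connector deserves the same treatment.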

Hope this helps others in their quest for a better security posture for their organizations.
