Configure SVM On-Prem Server with SSL/TLS1.2

Summary

Configure the Software Vulnerability Manager On-Prem server to use SSL-only connections with the SVM Agent, SVM Daemon, SCCM Plugin, and the Internet Explorer plugin interface. 

Synopsis

You need to perform the following steps:

1. Import/create an SSL certificate.
2. Configure Apache to use SSL.
3. (Recommended) Disable Ordinary HTTP://.

SSL Certificate

If you are using your own certificate authority (CA), or you have purchased a certificate, to sign the SSL connection, you need to import that certificate on the Corporate Software Inspector RHEL server.

1. Copy your PFX file to Corporate Software Inspector.
2. Extract the private key:

openssl pkcs12 -in cert_name.pfx -nocerts -out cert_name.key

3. Remove the password from your key, so httpd will start without prompting for it:

mv cert_name.key cert_name.key.secure
openssl rsa -in cert_name.key.secure -out cert_name.key

4. Generate the public certificate:

openssl pkcs12 -in cert_name.pfx -clcerts -nokeys -out certificate.crt

5. Copy the files to the proper locations:

cp cert_name.key /etc/pki/tls/private/
cp certificate.crt /etc/pki/tls/certs/

Creating a Self-signed SSL Certificate

If you do not have a local CA, you can create a self-signed certificate.
An example implementation is shown below:

1. Generate your private key:

openssl genrsa -des3 -out csi.key 1024

2. Generate a Certificate Signing Request (CSR). Fill in the questions with the appropriate values. Remember that the Common Name (CN) should match the hostname of your server:

openssl req -new -key csi.key -out csi.csr

3. Sign your certificate:

openssl x509 -req -days 365 -in csi.csr -signkey csi.key -out csi.crt

4. Remove the password from your key, so httpd will start without prompting for it:

mv csi.key csi.key.secure
openssl rsa -in csi.key.secure -out csi.key

5. Copy the files to the proper locations:

cp csi.key /etc/pki/tls/private/
cp csi.crt /etc/pki/tls/certs/
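The PFX import steps and the self-signed procedure above, collected into one script that also verifies the result before anything is copied into /etc/pki/tls. This is an added example, not part of the original article: it keeps the article's file names (csi.key, csi.crt, cert_name.key, certificate.crt) but generates a 2048-bit key, writes the key without a passphrase in a single step instead of the separate mv/openssl rsa step, and puts the hostname into the subjectAltName. The hostname, output directory and the PFX_PASSWORD environment variable are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the article: create (or import from a PFX) the
# key/certificate pair for httpd and verify it before copying it into
# /etc/pki/tls. File names follow the article; hostname, output directory
# and the PFX_PASSWORD variable are this example's own assumptions.
set -eu

# make_self_signed <hostname> <outdir> [days]
# One-step replacement for the article's genrsa/req/x509/rsa sequence:
# 2048-bit RSA key written without a passphrase (-nodes) so httpd starts
# unattended; CN and subjectAltName are both set to the hostname.
make_self_signed() {
    local host="$1" outdir="$2" days="${3:-365}"
    mkdir -p "$outdir"
    # Request config written here so that no interactive prompts are needed.
    cat > "$outdir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
CN = $host
[v3_server]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$outdir/req.cnf" \
        -keyout "$outdir/csi.key" -out "$outdir/csi.crt" 2>/dev/null
    chmod 600 "$outdir/csi.key"
}

# pfx_to_pem <pfx> <outdir>
# The article's PFX steps 2-4 in one pass; the PFX password is read from the
# PFX_PASSWORD environment variable instead of an interactive prompt.
pfx_to_pem() {
    local pfx="$1" outdir="$2"
    mkdir -p "$outdir"
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASSWORD \
        -out "$outdir/cert_name.key"
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASSWORD \
        -out "$outdir/certificate.crt"
    chmod 600 "$outdir/cert_name.key"
}

# cert_matches_key <crt> <key>
# The certificate's public key must equal the key's; a mismatch (for example
# the wrong file copied into /etc/pki/tls) stops httpd from starting.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_has_hostname <crt> <hostname>
# Clients validate the subjectAltName, so the server name must appear there.
cert_has_hostname() {
    case "$(openssl x509 -in "$1" -noout -text)" in
        *"DNS:$2"*) return 0 ;;
        *)          return 1 ;;
    esac
}
```

Typical use: `make_self_signed svm.example.internal /tmp/svm-tls`, then `cert_matches_key` and `cert_has_hostname` on the result, then copy csi.key to /etc/pki/tls/private/ and csi.crt to /etc/pki/tls/certs/ exactly as in step 5 above. For a purchased certificate, `PFX_PASSWORD=... pfx_to_pem cert_name.pfx /tmp/svm-tls` produces cert_name.key and certificate.crt for the same copy step.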

Setting up Apache (httpd) to use SSL

To use SSL you should ensure that you have mod_ssl installed. If not, install it with this command:

yum install mod_ssl

Rename the default ssl.conf file immediately after installing mod_ssl, because leaving it in place breaks the httpd service:

mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak

Each time you update your Red Hat system with 'yum update', go back to the same folder and rename or remove the newly installed 'ssl.conf' file. In the configuration below, set ServerName to the name of your server as given in the Apache configuration.

You should also ensure that the certificate file names are correct and that all hosts support TLS 1.2 (if they do not, use the less strict alternative below, or consult the Apache documentation on mod_ssl). The following is a sample reference implementation that you can use to guide your setup.

If you need to support legacy browsers and operating systems that cannot negotiate TLS 1.2, the less strict alternative re-enables SSLv3 with the following directives:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Create the /etc/httpd/conf.d/secunia_ssl.conf file as follows:

LoadModule ssl_module modules/mod_ssl.so
Listen 8443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost *:8443>
<Location "/">
Order allow,deny
Allow from all
<LimitExcept POST GET HEAD>
Deny from all
</LimitExcept>
</Location>
DocumentRoot "/var/www/Secunia"
DirectoryIndex index.php index.html index.html.var
ServerName Secunia
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!MD5:!RC4:!DES
SSLCertificateFile /etc/pki/tls/certs/csi.crt
SSLCertificateKeyFile /etc/pki/tls/private/csi.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
BrowserMatch ".*MSIE [2-5]\..*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Header set X-Content-Type-Options: "nosniff"
Header set X-Frame-Options: "sameorigin"
Header set X-Content-Security-Policy: "script-src 'self'"
Header set X-XSS-Protection: "1;mode=block"
Header set X-permitted-cross-domain-policies: "none"
Header set Strict-Transport-Security: "max-age=2592000;includeSubDomains"
ErrorDocument 403 "<h1 style='color:red'>Error 403: Permission Denied!</h1>"
ErrorDocument 404 "<h1 style='color:red'>Error 404: Not found!</h1>"
</VirtualHost>
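A quick audit of the two mod_ssl profiles shown on this page (the strong one in secunia_ssl.conf and the less strict "old browsers" variant), as an added example that is not part of the original article. It replays mod_ssl's word-by-word handling of the SSLProtocol list to see which protocol versions end up enabled, flags SSLCipherSuite tokens that add cipher families the strong profile excludes, and checks for SSLHonorCipherOrder and the Strict-Transport-Security header. The two conf fragments are constructed from the directives above; the checks are heuristics for these directives only, not a full parser of httpd configuration.

```shell
#!/usr/bin/env bash
# Added example, not part of the article: audit the SSLProtocol,
# SSLCipherSuite, SSLHonorCipherOrder and HSTS settings of an httpd conf
# file before reloading httpd. Heuristic checks for these directives only.
set -eu

# sslprotocol_allows <SSLProtocol value> <protocol>
# Replays mod_ssl's handling: "all"/"+X" enable, "-X" disables, in order.
# Returns 0 when <protocol> would end up enabled.
sslprotocol_allows() {
    local value="$1" proto="$2" tok enabled=0
    for tok in $value; do
        case "$tok" in
            all|+all)           enabled=1 ;;
            "-$proto")          enabled=0 ;;
            "$proto"|"+$proto") enabled=1 ;;
        esac
    done
    [ "$enabled" -eq 1 ]
}

# weak_cipher_tokens <SSLCipherSuite value>
# Prints the colon-separated tokens that add (rather than exclude with '!')
# families the strong profile bans: RC4, MD5, DES, NULL/aNULL, EXPORT, LOW, ADH.
weak_cipher_tokens() {
    local tok
    for tok in $(printf '%s' "$1" | tr ':' ' '); do
        case "$tok" in
            "!"*) ;;   # explicit exclusion, fine
            *RC4*|*MD5*|*DES*|*NULL*|*EXPORT*|*LOW*|*ADH*) printf '%s\n' "$tok" ;;
        esac
    done
}

# directive_value <conf> <Directive>: value of the first occurrence, or "".
directive_value() {
    awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1)==d { $1=""; sub(/^ +/, ""); print; exit }' "$1"
}

# audit_ssl_conf <conf>: prints one finding per line, returns 1 if any.
audit_ssl_conf() {
    local conf="$1" findings=0 proto value tok
    value=$(directive_value "$conf" SSLProtocol)
    if [ -z "$value" ]; then
        echo "no SSLProtocol directive (mod_ssl default applies)"; findings=$((findings+1))
    fi
    for proto in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        if sslprotocol_allows "$value" "$proto"; then
            echo "SSLProtocol leaves $proto enabled"; findings=$((findings+1))
        fi
    done
    value=$(directive_value "$conf" SSLCipherSuite)
    for tok in $(weak_cipher_tokens "$value"); do
        echo "SSLCipherSuite adds weak cipher token $tok"; findings=$((findings+1))
    done
    if [ "$(directive_value "$conf" SSLHonorCipherOrder | tr 'A-Z' 'a-z')" != "on" ]; then
        echo "SSLHonorCipherOrder is not On (client picks the cipher)"; findings=$((findings+1))
    fi
    if ! grep -qi 'Strict-Transport-Security' "$conf"; then
        echo "no Strict-Transport-Security header"; findings=$((findings+1))
    fi
    [ "$findings" -eq 0 ]
}

# write_samples <dir>: constructed fragments built from the two directive
# sets shown in the article (strong profile vs. "old browsers" variant).
write_samples() {
    mkdir -p "$1"
    cat > "$1/strong.conf" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!MD5:!RC4:!DES
Header set Strict-Transport-Security: "max-age=2592000;includeSubDomains"
EOF
    cat > "$1/legacy.conf" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
EOF
}
```

Running `audit_ssl_conf /etc/httpd/conf.d/secunia_ssl.conf` after editing the file and before `systemctl restart httpd` gives a zero exit status for the strong profile; the legacy variant reports SSLv3, TLSv1 and TLSv1.1 still enabled and the RC4+RSA and +LOW tokens, which is the trade-off that variant makes.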

Ensure the ports used to access the application are allowed through the firewall:

firewall-cmd --zone=public --add-port=443/tcp --permanent

firewall-cmd --reload

You should then run the installation script /etc/local/Secunia/csi/install/installationProcess.sh again.

You must answer the installation routine questions as you go through the script steps, as follows:

Question                                            Answer
Will you use SSL?                                   Y
Do you want SVM Agents to use a different port?     Y
What port do you want to use?                       443
Ready to perform the database schema upgrade?       Y
SC2012 plugin?                                      Y
Would you like to go through the configuration?     Y
Will you use SSL?                                   Y

Disable Ordinary HTTP://

Simply delete or move /etc/httpd/conf.d/secunia-csi-httpd.conf:

mv /etc/httpd/conf.d/secunia-csi-httpd.conf /tmp/secunia-csi-httpd.conf.obsolete

Then restart httpd to apply the change:

systemctl restart httpd.service

LDAPS Support

To use LDAPS, specify the LDAP host as a URL, rather than just the server name or IP address, in the /usr/local/Secunia/config.ini file. When a URL is used, the port setting is ignored by the ldap_connect() function. To configure LDAPS support in config.ini:

LDAP_HOST = 'ldaps://server_ip:636'
LDAP_PORT = ''

The LDAP_PORT value is ignored because the host is given as a URL (the port is carried in the URL itself).

Additional Information

This information pertains to all Linux editions of SVM On-Prem Server.

Version history: Revision 3 of 3
Last update: Sep 19, 2019 05:26 PM