How to secure a GMS/Analyzer Web Server Service against weak ciphers and other vulnerabilities
03/26/2020
Description
If your GMS/Analyzer server is publicly accessible, securing the web server service against weak ciphers and/or other vulnerabilities may be needed.
This article describes some basic steps to identify issues along with methods of mitigating such issues.
Resolution
Step 1:
Identify whether any vulnerabilities due to weak ciphers or other known vulnerabilities currently exist on your GMS/Analyzer server.
The following utility can scan your web service by providing the server URL:
https://sslanalyzer.comodoca.com/
This screenshot shows the types of vulnerabilities that may be seen:
[Screenshot: SSL Analyzer "Analysis" results]
Step 2:
Modify server.xml file to limit the ciphers/protocols/features that may be causing issues.
a) In Windows - navigate to the following directory:
[installDir]:\GMSVP\Tomcat\conf\
b) Right-click the server.xml file and choose Edit.
c) Find the following connectors (two exist in Windows server.xml; Connector port may differ on your server):
<Connector port="443" address="0.0.0.0" minProcessors="5" redirectPort="" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLCertificateFile="C:\GMSVP/conf/gmsvpserver.crt" SSLCertificateKeyFile="C:\GMSVP/conf/gmsvpserver.key" SSLPassword="value" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" />
<Connector port="443" address="[::]" minProcessors="5" redirectPort="" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLCertificateFile="C:\GMSVP/conf/gmsvpserver.crt" SSLCertificateKeyFile="C:\GMSVP/conf/gmsvpserver.key" SSLPassword="value" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" />
d) Add the following attributes after the secure="true" attribute in each of the connectors above:
SSLDisableCompression="true" SSLProtocol="TLSv1" SSLCipherSuite="ALL:!aNULL:!ADH:!eNULL:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:AES:AESGCM:!RC4:RSA:+HIGH:+MEDIUM:-LOW:!SSLv2:@STRENGTH"
Example of change:

Description of changes:
SSLDisableCompression="true" (disables TLS compression, which is vulnerable to the CRIME attack)
SSLProtocol="TLSv1" (disables SSLv3, which is vulnerable to POODLE)
SSLCipherSuite="ALL:!aNULL:!ADH:!eNULL:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:AES:AESGCM:!RC4:RSA:+HIGH:+MEDIUM:-LOW:!SSLv2:@STRENGTH" (disables weak ciphers)
e) Save the changes to the server.xml file and restart the GMS/Analyzer server.
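Before restarting, it is worth confirming that every HTTPS connector in server.xml actually received the three attributes from step 2d. The following audit script is an added example, not SonicWall's or Tomcat's code; the embedded server.xml fragment is constructed to mirror the two connectors shown above, with one left unhardened, and the set of cipher exclusions it requires is taken from the article's SSLCipherSuite string.

```python
import xml.etree.ElementTree as ET

# Exclusions ("!NAME" tokens) the article's SSLCipherSuite string must carry.
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "3DES", "MD5", "RC4", "EXP"}

def audit_connector(conn):
    """Return a list of findings for one <Connector>; an empty list means hardened."""
    findings = []
    if conn.get("SSLDisableCompression", "").lower() != "true":
        findings.append("SSLDisableCompression missing or not 'true' (TLS compression, CRIME)")
    proto = conn.get("SSLProtocol", "").lower()
    if not proto or proto == "all" or "sslv2" in proto or "sslv3" in proto:
        findings.append("SSLProtocol absent, 'all', or still permits SSLv2/SSLv3 (POODLE)")
    suite = conn.get("SSLCipherSuite", "")
    excluded = {tok[1:] for tok in suite.split(":") if tok.startswith("!")}
    missing = sorted(REQUIRED_EXCLUSIONS - excluded)
    if missing:
        findings.append("SSLCipherSuite does not exclude: " + ", ".join(missing))
    return findings

def audit_server_xml(xml_text):
    """Map 'port/address' of each SSL-enabled Connector to its list of findings."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP and AJP connectors are out of scope
        report[f"{conn.get('port')}/{conn.get('address')}"] = audit_connector(conn)
    return report

# Constructed sample: first connector untouched, second one edited as in step 2d.
SAMPLE_SERVER_XML = """<Server><Service>
<Connector port="443" address="0.0.0.0" protocol="org.apache.coyote.http11.Http11AprProtocol"
  SSLEnabled="true" scheme="https" secure="true" />
<Connector port="443" address="[::]" protocol="org.apache.coyote.http11.Http11AprProtocol"
  SSLEnabled="true" scheme="https" secure="true"
  SSLDisableCompression="true" SSLProtocol="TLSv1"
  SSLCipherSuite="ALL:!aNULL:!ADH:!eNULL:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:AES:AESGCM:!RC4:RSA:+HIGH:+MEDIUM:-LOW:!SSLv2:@STRENGTH" />
<Connector port="8080" protocol="HTTP/1.1" />
</Service></Server>"""

if __name__ == "__main__":
    # To audit a live file instead: audit_server_xml(open(path).read())
    for connector, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(connector, "OK" if not findings else findings)
```

The script reports three findings for the untouched IPv4 connector and none for the edited IPv6 one; the 8080 HTTP connector is skipped.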
How to Test:
Re-scan using the SSL Analyzer utility you prefer and verify changes:


Additional info:
When GMS is installed on Windows, you may see a vulnerability listed for Secure Renegotiation (Client-initiated).
This may not be fixed by applying the changes in this article.
Tomcat does not treat this as a specific vulnerability, and no specific fix is listed.
For further information, refer to:
http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat