1 Reply Latest reply on May 9, 2021 10:01 PM by Syed Aziz

    Security On the PowerCenter 10.2HF2

    Jordan Abadie New Member

      Hello,

      We have security issues on the ports 10123 and 10127.

      10123 = administration console
      10127 = pmserver

      Is it possible to disable TLS 1.1 protocol support on ports 10123 and 10127?
      Is it possible to use only the TLS 1.2 protocol? If so, what are the actions to be taken? Is it possible to disable the support for cipher suites on ports 10123 and 10127?

      List of cipher suites (Dsa_sha1; Ecdsa_sha1; Rsa_pkcs1_sha224; Dsa_sha224; Ecdsa_sha224; Dsa_sha256; Dsa_sh384; Dsa_sha512)

      Support for TLS 1.2 is tolerated by good security practice; however, the use of TLS 1.3 is recommended today.

      Thank you in advance for your answers.

      Best Regards,
      Jordan

        • 1. Re: Security On the PowerCenter 10.2HF2
          Syed Aziz Guru

          Hello Jordan,

          As of April 2021 (Informatica v10.5.0) TLS v1.3 is not supported. This version of the protocol is rather new, and will be considered for support for a later product release. No timeline, as of yet. No additional assessment is available.

          "infasetup.sh listDomainCiphers -l ALL" will allow you to verify the cipher list.

          The following steps can be followed to disable TLS1 and TLS 1.1, and retain only TLS 1.2 for Informatica services:

          i) Shut down the domain (all nodes), and perform the changes below.

          ii)    Modify infaservice.sh to add -Dcom.informatica.ssl.EnabledProtocols=TLSv1.2 (or set it in the INFA_JAVA_OPTS environment variable, where Xmx is an option already defined; search for "Xmx" in the infaservice.sh file) - on all nodes.

          // This step instructs the Informatica Java services to use only the TLS 1.2 protocol and not any lower protocol.

          iii)    Modify java/jre/lib/security/java.security and add TLSv1 and TLSv1.1 to jdk.tls.disabledAlgorithms (so that even if an application intends to use them, Java will prevent it) - on all nodes.

          // This step makes all applications and processes using Java disable the TLS1 and TLS1.1 protocols, so only TLS1.2 would be used.

          Look for "jdk.tls.disabledAlgorithms" in the INFA_HOME/tomcat/bin/infaservice.sh file and update the entry as below:

          jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
              EC keySize < 224, TLSv1, TLSv1.1

          iv)    For native applications like CPP, the TLS1 and TLS1.1 ciphers can be turned off by executing the following commands (updatedomainciphers and updategatewaynode) in the format below:

          ./infasetup.sh updatedomainciphers -cbl TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA (from any one of the gateway nodes)

          ./infasetup.sh updategatewaynode -cbl TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA (should be done on all gateway nodes)

          // If there is any worker node in the domain, use the updateworkernode command to disable the ciphers.

          // Once completed, you may then verify the ciphers used by the domain as below:

          ./infasetup.sh listDomainCiphers -l ALL -dc true

          // This will list the default list, the effective list, and the ciphers that are blacklisted.

          // After blacklisting is done, to check which ciphers the domain is configured to use, verify the effective list.

          v) To sync the nodemeta.xml ciphers and server.xml with the effective ciphers list, use:

          ./infasetup.sh updategatewaynode -dn <DOMAINNAME>

          or

          ./infasetup.sh updateworkernode -dn <DOMAINNAME>

          vi) Clean up temp/cache files:

          INFA_HOME/tomcat/temp/<remove all files and directories>

          vii) Start up the domain.

          Anytime later, if Informatica is upgraded, then disabling TLS1 and TLS1.1 is a manual activity that has to be performed on the upgraded version.

          Best regards,

          Syed
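
An added example (not Informatica's code and not from either post in this thread) covering both sides of the exchange above: it audits steps ii) and iii) of the answer on a node (is the TLS 1.2-only JVM option set in infaservice.sh, and does java.security's jdk.tls.disabledAlgorithms list TLSv1 and TLSv1.1, including when the entry is spread over backslash-continued lines as in the answer), can append the missing protocols idempotently, and, for the question's ports 10123 and 10127, probes a restarted node with a handshake pinned to one TLS version so a defender can confirm that 1.0 and 1.1 are actually refused. Assumptions: java.security follows standard Java properties syntax (`key=value`, `#` comments, trailing backslash continues the line); the sample file contents and the host name infa-node.example are constructed placeholders; all function names are mine.

```python
import socket
import ssl

REQUIRED_DISABLED = ("TLSv1", "TLSv1.1")
DISABLED_KEY = "jdk.tls.disabledAlgorithms"
REQUIRED_JVM_OPT = "-Dcom.informatica.ssl.EnabledProtocols=TLSv1.2"

# Constructed sample resembling java/jre/lib/security/java.security before
# step iii): the entry spans two lines via backslash continuation.
SAMPLE_JAVA_SECURITY = """\
# constructed sample, not a real java.security file
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \\
    EC keySize < 224
jdk.tls.legacyAlgorithms=K_NULL, C_NULL
"""

# Constructed fragment resembling the Xmx line of infaservice.sh after step ii).
SAMPLE_INFASERVICE = """\
# constructed fragment, not the real infaservice.sh
INFA_JAVA_OPTS="-Xmx512m -Dcom.informatica.ssl.EnabledProtocols=TLSv1.2"
"""


def find_property(lines, key):
    """Locate `key` in Java-properties lines. Returns (start, end, value)
    covering every physical line of the entry (a trailing backslash joins
    the next line), or None if the key is absent or commented out."""
    for start, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("#") or not line.startswith(key):
            continue
        rest = line[len(key):].lstrip()
        if not rest.startswith("="):
            continue  # a longer key that merely shares the prefix
        value, end = rest[1:].strip(), start
        while value.endswith("\\") and end + 1 < len(lines):
            end += 1
            value = value[:-1].rstrip() + " " + lines[end].strip()
        return start, end, value
    return None


def disabled_algorithms(java_security_text):
    """The comma-separated entries of jdk.tls.disabledAlgorithms, or []."""
    found = find_property(java_security_text.splitlines(), DISABLED_KEY)
    return [] if found is None else [p.strip() for p in found[2].split(",") if p.strip()]


def missing_disabled_protocols(java_security_text):
    """Which of TLSv1 / TLSv1.1 the JVM does not yet block."""
    present = set(disabled_algorithms(java_security_text))
    return [p for p in REQUIRED_DISABLED if p not in present]


def add_disabled_protocols(java_security_text):
    """Return the file text with TLSv1 and TLSv1.1 appended to
    jdk.tls.disabledAlgorithms. Idempotent; keeps existing entries and all
    other lines, folding a continued entry onto a single line."""
    if not missing_disabled_protocols(java_security_text):
        return java_security_text
    lines = java_security_text.splitlines()
    found = find_property(lines, DISABLED_KEY)
    if found is None:
        lines.append(DISABLED_KEY + "=" + ", ".join(REQUIRED_DISABLED))
    else:
        start, end, _ = found
        entries = disabled_algorithms(java_security_text)
        entries += [p for p in REQUIRED_DISABLED if p not in entries]
        lines[start:end + 1] = [DISABLED_KEY + "=" + ", ".join(entries)]
    return "\n".join(lines) + "\n"


def jvm_opt_present(infaservice_text):
    """True if the TLS 1.2-only JVM option appears on a non-comment line."""
    return any(REQUIRED_JVM_OPT in line
               for line in infaservice_text.splitlines()
               if not line.lstrip().startswith("#"))


def accepts_tls_version(host, port, version, timeout=5.0):
    """Handshake pinned to exactly `version` (an ssl.TLSVersion); True if the
    server completes it. After step vii), TLSv1 and TLSv1_1 should give False
    and TLSv1_2 True on ports 10123 and 10127. Certificate checks are off
    because only protocol negotiation is under test here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:  # OpenSSL 3 refuses TLS 1.0/1.1 client-side at its default security level
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    print("missing from java.security:", missing_disabled_protocols(SAMPLE_JAVA_SECURITY))
    print(add_disabled_protocols(SAMPLE_JAVA_SECURITY))
    print("JVM option set in infaservice.sh:", jvm_opt_present(SAMPLE_INFASERVICE))
    # Live check against a restarted node (placeholder host, ports from the question):
    # for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
    #     print(10123, v.name, accepts_tls_version("infa-node.example", 10123, v))
```

Run the file audit on every node (the answer stresses the change is per node and must be redone after an upgrade), then run the live probe only after the domain is back up; a False for TLSv1 and TLSv1_1 together with True for TLSv1_2 is the result the question is asking for. If the local OpenSSL build cannot speak TLS 1.0/1.1 at all, setting minimum_version raises ValueError rather than returning a misleading False, so test from a host whose client library still supports those versions.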