B2Bi 22.214.171.124 release update: SSL for RMI
Security update: protecting RMI communication with SSL
What is RMI?
RMI (Remote Method Invocation) is a Java API for building distributed applications.
It lets an object invoke methods on an object running in another JVM.
- Customers reported vulnerabilities caused by RMI running over plain (unencrypted) sockets.
- Risk reported: remote code execution.
How is RMI used inside SI?
- The RMI registry is accessed through JNDI (Java Naming and Directory Interface).
- The JNDI API takes care of stub creation on the client side.
- The server hosts the object using RMI socket factories and registers it in the JNDI tree.
- The ops server calls jndi.lookupRmi() to look up the RMI object in the JNDI tree.
- If the object is present in the JNDI tree, the corresponding node is shown as available in the OPS_NODE_INFO table.
SSL implementation on RMI
- Controlled by a new property in security.properties:
- useSSLforRMI=true/false (default is false).
- When the object is exported, RMI client and server socket factories are supplied.
- By default SI used plain-text sockets.
- When the flag is set, SSL sockets are used instead.
- The SSL sockets use protocol TLSv1.2.
OCP is not covered yet; it will be covered in a future release.
Flag Based Control
- If useSSLforRMI=false, the ops server communicates with the RMI object servers over plain-text sockets.
- If useSSLforRMI=true, the ops server uses an SSL client socket and can only communicate
with RMI object servers that expose SSL server sockets; the flag must therefore match on both sides.
- Result: secure communication between the ops server and the other JVMs (ASI, Liberty, Adapter Container).
Sample ops commands:
- ./opscmd.sh -nnode1 -cISUP
- ./opscmd.sh -nnode1 -cCHECKJNDI
- ./opscmd.sh -nnode1 -cLISTNODESTATUS
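The flag-based control described above, as an added example that is not Sterling B2B Integrator code: an RMI object server and an "ops" client whose socket factories are chosen by a useSSLforRMI flag, restricted to TLSv1.2. It uses the java.rmi registry API directly instead of the product's JNDI lookup, and it assumes that the rmissl key pair sits in a local PKCS12 file (the product keeps it in its database), that port 1099 is the RMI port, and that the JNDI name, file name and password are placeholders; all of these are assumptions, not product values.

```java
import java.io.FileInputStream;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIClientSocketFactory;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.UnicastRemoteObject;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

/** Added example, not product code: RMI object server + ops client driven by useSSLforRMI. */
public class RmiSslDemo {
    static final String[] PROTOCOLS = { "TLSv1.2" };   // the only protocol version offered
    static final int PORT = 1099;                       // assumed RMI registry/object port
    static final String JNDI_NAME = "OPS/node1";        // hypothetical name, not the product's
    static NodeStatus exported;                         // keeps the exported object reachable (no DGC unexport)

    /** Remote interface the ops server invokes after looking the object up. */
    public interface NodeStatus extends Remote {
        String status() throws RemoteException;
    }

    static class NodeStatusImpl implements NodeStatus {
        public String status() { return "node1 is up"; }
    }

    /** SSLContext backed by the store holding the rmissl key pair; the same self-signed
     *  install certificate doubles as the trust anchor. */
    static SSLContext sslContext(String storePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(storePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Server side: with the flag on, both the registry and the exported object listen on
     *  TLSv1.2 server sockets; with it off they use plain sockets (null = RMI defaults). */
    static void startServer(boolean useSSLforRMI, SSLContext ctx) throws Exception {
        RMIClientSocketFactory csf = null;
        RMIServerSocketFactory ssf = null;
        if (useSSLforRMI) {
            // default cipher suites, TLSv1.2 only, no client certificate demanded:
            // the transport is encrypted, but the caller is not authenticated by TLS.
            ssf = new SslRMIServerSocketFactory(ctx, null, PROTOCOLS, false);
            csf = new SslRMIClientSocketFactory();   // serialised into the stub handed to clients
        }
        exported = new NodeStatusImpl();
        NodeStatus stub = (NodeStatus) UnicastRemoteObject.exportObject(exported, 0, csf, ssf);
        Registry registry = LocateRegistry.createRegistry(PORT, csf, ssf);
        registry.rebind(JNDI_NAME, stub);
    }

    /** Client side (the ops server): the flag decides whether the registry is contacted
     *  over an SSL client socket or a plain one; the stub then uses the factory it carries. */
    static String lookupStatus(boolean useSSLforRMI, String host) throws Exception {
        RMIClientSocketFactory csf = useSSLforRMI ? new SslRMIClientSocketFactory() : null;
        Registry registry = LocateRegistry.getRegistry(host, PORT, csf);
        NodeStatus node = (NodeStatus) registry.lookup(JNDI_NAME);
        return node.status();
    }

    public static void main(String[] args) throws Exception {
        boolean useSSLforRMI = Boolean.parseBoolean(System.getProperty("useSSLforRMI", "true"));
        SSLContext ctx = sslContext("rmissl.p12", "changeit".toCharArray());   // assumed file and password
        // SslRMIClientSocketFactory uses the JVM's default SSL context and this property.
        SSLContext.setDefault(ctx);
        System.setProperty("javax.rmi.ssl.client.enabledProtocols", "TLSv1.2");

        startServer(useSSLforRMI, ctx);
        System.out.println("matching flag  : " + lookupStatus(useSSLforRMI, "localhost"));
        try {   // an ops server whose flag disagrees with the object server cannot connect
            System.out.println("mismatched flag: " + lookupStatus(!useSSLforRMI, "localhost"));
        } catch (RemoteException e) {
            System.out.println("mismatched flag: lookup failed with " + e.getClass().getSimpleName());
        }
        System.exit(0);   // the registry and exported object would otherwise keep the JVM alive
    }
}
```

Run it with -DuseSSLforRMI=true or false after creating rmissl.p12 (for example with keytool -genkeypair -keyalg RSA -keysize 2048 -storetype PKCS12). The second lookup is there to show the caveat behind the flag: a plain client against an SSL registry, or an SSL client against a plain registry, fails at connection setup, so the flag has to be rolled out consistently across the ops server and every object server. Note also that needClientAuth is false, as the page's one-sided certificate setup implies: TLS here protects the wire, it does not identify the caller.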
SSL Certificate Configuration
- The certificate (rmissl) is created at install time by the post-install service routine.
- Once the default certificate exists, later upgrades skip recreating it.
- Algorithm and key length: RSA, 2048 bits.
- The certificate is stored in the database.
- The certificate adheres to NIST specifications.
Support for Custom Certificates
- The existing certificate UI in the dashboard can be used to create or update certificates with the required specifications.
Methods to verify that SSL is enabled for RMI
- Run openssl s_client against the RMI port to validate the configuration; the output shows the configured certificate (the subject= line) and the negotiated TLS protocol (the Protocol line): echo "" | openssl s_client -connect <host>:<port>
- Logs: system.log, ops.log, noapp.log. Additional logging was added for triaging SSL/RMI flows in DEBUG mode.
- A network trace can be captured on the configured RMI ports.
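The same check as the openssl s_client command above, as an added example that is not Sterling B2B Integrator code: a probe that connects to an RMI port, prints the negotiated protocol, cipher suite and certificate, and then tests two things the page's settings imply but s_client does not check by itself: that the RSA key is at least 2048 bits and that versions other than TLSv1.2 are turned away. Host and port are assumed command-line values; the trust manager deliberately accepts any certificate because the probe inspects the chain rather than relying on it.

```java
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Added example, not product code: verify what an RMI port negotiates when useSSLforRMI=true. */
public class RmiTlsProbe {
    /** What one handshake attempt yielded. */
    static final class Outcome {
        final String protocol, cipherSuite;
        final X509Certificate leaf;
        Outcome(String p, String c, X509Certificate l) { protocol = p; cipherSuite = c; leaf = l; }
    }

    /** Accepts any certificate: diagnostic use only, never ship this in application code. */
    static final TrustManager[] INSPECT_ONLY = { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    } };

    /** Handshake offering exactly one protocol version. Returns null when the handshake is
     *  refused (alert from the server, or a plain RMI listener closing the socket); TCP-level
     *  errors such as connection refused propagate so they are not mistaken for a TLS refusal. */
    static Outcome handshake(String host, int port, String protocol) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, INSPECT_ONLY, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setEnabledProtocols(new String[] { protocol });
            s.startHandshake();
            SSLSession session = s.getSession();
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            return new Outcome(session.getProtocol(), session.getCipherSuite(), leaf);
        } catch (SSLException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";           // assumed host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 1099;   // assumed RMI port

        Outcome tls12 = handshake(host, port, "TLSv1.2");
        if (tls12 == null) {
            System.out.println("TLSv1.2 handshake refused: useSSLforRMI may be false, or this is not the RMI port");
            return;
        }
        System.out.println("protocol : " + tls12.protocol);
        System.out.println("cipher   : " + tls12.cipherSuite);
        System.out.println("subject  : " + tls12.leaf.getSubjectX500Principal());
        System.out.println("issuer   : " + tls12.leaf.getIssuerX500Principal());
        System.out.println("expires  : " + tls12.leaf.getNotAfter());
        if (tls12.leaf.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) tls12.leaf.getPublicKey()).getModulus().bitLength();
            System.out.println("key      : RSA " + bits + " bits"
                    + (bits < 2048 ? "  (below the 2048-bit default)" : ""));
        } else {
            System.out.println("key      : " + tls12.leaf.getPublicKey().getAlgorithm());
        }
        // Everything but TLSv1.2 should be turned away. On JDKs that disable TLSv1/TLSv1.1
        // on the client side, "false" for those two reflects the probe's own JDK policy;
        // confirm with "openssl s_client -tls1" / "-tls1_1" for a definitive server answer.
        for (String other : new String[] { "TLSv1", "TLSv1.1", "TLSv1.3" }) {
            System.out.println(other + " accepted : " + (handshake(host, port, other) != null));
        }
    }
}
```

Usage: java RmiTlsProbe <host> <port>. A refusal on the very first TLSv1.2 attempt, with the port otherwise reachable, is the quickest sign that the node is still on plain sockets; cross-check against the SSLRMI DEBUG entries in ops.log and system.log.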