Hardening of PMP SSL/TLS configuration

My site is in the process of hardening all of our services that require authentication. I upgraded our PMP install to version 8.1 (8101) and I configured it with a globally trusted certificate.

I then ran an nmap scan against the install with the script ssl-enum-ciphers on port 7272. Much to my surprise, it reported back that SSLv3 ciphers are turned on.

The results were:
PORT     STATE SERVICE  VERSION
7272/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong

I changed the server.xml file according to another PMP post's recommendation:

To turn off SSL 3.0 on PMP

https://forums.manageengine.com/topic/how-to-configure-passwordmanager-pro-7-0-to-not-use-ssl3-poodle-attack

I did this, and once nmap is run again the only protocol that shows is TLSv1.0, which is better than having it respond to SSL 3.0.

PORT     STATE SERVICE  VERSION
7272/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Reading through the other product forums, I found that by adding TLSv1, TLSv1.1, TLSv1.2 to the SSLprotocols= line we get the other flavors of TLS turned on.

  • Stop the PMP service and take a backup of the server.xml file present in the PMP/conf directory.
  • Edit this file with WordPad and look for the value sslProtocol="TLS".
  • Change it to SSLProtocols="TLSv1,TLSv1.1,TLSv1.2" and save the file.
    • NOTE: SSLProtocol is now plural (an "s" is added to it). (This will disable SSLv3 in the Tomcat server.)
  • Change it in both of the lines you find in the file.
  • Then start the PMP service and you should be able to connect to the web page.

I did this and got these results back.

PORT     STATE SERVICE  VERSION
7272/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong

So making these changes fixes the default build's having SSL 3.0 ciphers (old, demoted ciphers) available, leaving just the more secure TLS running. I will be turning the older TLS versions off shortly.

Hope this helps others in their quest for a better security posture for their organizations.

Regards,

--Forrest
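The server.xml recipe above, turned into a script as an added example (this is not code from the post, from PMP or from Tomcat). It applies the edit the post describes to every live HTTPS Connector and skips Connectors that sit inside XML comments, which a plain search-and-replace in WordPad would not. The attribute name and value are written exactly as the post gives them (SSLProtocols="TLSv1,TLSv1.1,TLSv1.2"); check that name against the documentation for the Tomcat version bundled with your PMP build and rerun the nmap scan afterwards, as the post does, because the script cannot tell whether Tomcat honours the attribute. The sample XML is constructed for the example and is not a copy of the file PMP ships; every port other than 7272 in it is made up.

```python
"""Apply the server.xml change the post describes: for every live (non-commented)
Connector with SSLEnabled="true", replace sslProtocol="..." by the explicit
protocol list.  Added example, not PMP's or Tomcat's code.  The attribute name
SSLProtocols and the protocol list are the ones the post gives; the sample XML
below is constructed and is not a copy of the file PMP ships."""
import re
import sys

# Constructed sample modelled on the post: two live HTTPS connectors that need
# the change, one plain-HTTP connector, and one commented-out connector that
# must be left alone.  Ports other than 7272 are made up.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Reference connector left commented out:
    <Connector port="8443" SSLEnabled="true" sslProtocol="TLS" />
    -->
    <Connector port="7272" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/server.keystore" keystorePass="changeme"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="7070" protocol="HTTP/1.1" redirectPort="7272" />
    <Connector port="9292" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" />
  </Service>
</Server>
"""

# Match either a whole XML comment or a single Connector start tag, so that a
# Connector inside a comment is consumed as part of the comment and skipped.
TAG_OR_COMMENT = re.compile(r"<!--.*?-->|<Connector\b[^>]*>", re.DOTALL)
ATTR = re.compile(r'(\w+)="([^"]*)"')
OLD_ATTR = re.compile(r'\bsslProtocol="[^"]*"')


def ssl_connectors(xml_text):
    """Attribute dicts of every live Connector that has SSLEnabled="true"."""
    found = []
    for m in TAG_OR_COMMENT.finditer(xml_text):
        tag = m.group(0)
        if tag.startswith("<!--"):
            continue
        attrs = dict(ATTR.findall(tag))
        if attrs.get("SSLEnabled") == "true":
            found.append(attrs)
    return found


def restrict_tls_protocols(xml_text, protocols=("TLSv1", "TLSv1.1", "TLSv1.2"),
                           attr="SSLProtocols"):
    """Return (edited_text, number_of_connectors_changed).

    Only live SSL connectors that still carry sslProtocol="..." are touched,
    so running the function a second time changes nothing."""
    value = ",".join(protocols)
    changed = 0

    def fix(m):
        nonlocal changed
        tag = m.group(0)
        if tag.startswith("<!--") or 'SSLEnabled="true"' not in tag:
            return tag
        new_tag, n = OLD_ATTR.subn(f'{attr}="{value}"', tag)
        changed += n
        return new_tag

    return TAG_OR_COMMENT.sub(fix, xml_text), changed


if __name__ == "__main__":
    # With a path argument, rewrite that file and keep a .bak copy (stop the
    # PMP service first, as the post says); with no argument, show the change
    # on the constructed sample.
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, encoding="utf-8") as f:
            original = f.read()
        with open(path + ".bak", "w", encoding="utf-8") as f:
            f.write(original)
        edited, n = restrict_tls_protocols(original)
        with open(path, "w", encoding="utf-8") as f:
            f.write(edited)
        print(f"{path}: {n} connector(s) changed, backup in {path}.bak")
    else:
        edited, n = restrict_tls_protocols(SAMPLE_SERVER_XML)
        print(f"{n} connector(s) changed")
        for c in ssl_connectors(edited):
            print(c["port"], c.get("SSLProtocols"))
```

The regex works on the Connector start tag only, so the rest of the file (comments, indentation, other elements) is written back byte for byte; a DOM round-trip through an XML library would reformat the whole file, which is undesirable for a vendor-shipped configuration you may later need to diff.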

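As an added check that is not part of Forrest's post: a script that parses the ssl-enum-ciphers output shown above and lists what a hardening pass still has to remove, so the before/after scans can be compared mechanically rather than by eye. The post's first scan result is pasted in so the script runs offline; the finding categories (deprecated protocol, TLS compression, static RSA key exchange without forward secrecy, CBC-mode suites, weak ciphers) are this example's own choices, as are the host name pmp.example.com and the file name tls_audit.py in the usage comment. TLS 1.0 and 1.1 are listed as deprecated on the strength of RFC 8996, SSLv3 because of POODLE, which the linked forum post is about.

```python
"""Parse `nmap --script ssl-enum-ciphers` output and list what a hardening pass
still needs to remove.  Added example, not code from the post or from nmap.
SCAN_BEFORE is the post's first scan result pasted in so this runs offline;
the finding categories below are this example's own choices."""
import re
import sys

SCAN_BEFORE = """\
PORT     STATE SERVICE  VERSION
7272/tcp open  ssl/http Apache Tomcat/Coyote JSP engine 1.1
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

PROTO = re.compile(r"^(SSLv[23]|TLSv1(?:\.[0-3])?):$")
# "NAME - strong" (nmap 6 style, as in the post) or "NAME (kex info) - A" (nmap 7 style)
CIPHER = re.compile(r"^(\S+)(?:\s+\([^)]*\))?\s+-\s+(\S+)$")
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # SSLv3: POODLE; TLS 1.0/1.1: RFC 8996
WEAK_TOKENS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_MD5")


def parse_ssl_enum_ciphers(text):
    """Return {protocol: {"ciphers": [(name, grade)], "compressors": [...]}} in scan order."""
    result, proto, section = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not (line.startswith("| ") or line.startswith("|_")):
            continue                                   # PORT/STATE header, blank lines
        body = line[2:]                                # drop the "| " / "|_" gutter
        indent = len(body) - len(body.lstrip(" "))
        item = body.strip()
        if indent == 2:                                # "SSLv3:" ... or "least strength: ..."
            m = PROTO.match(item)
            proto = m.group(1) if m else None
            section = None
            if proto:
                result[proto] = {"ciphers": [], "compressors": []}
        elif indent == 4 and proto:                    # "ciphers:", "compressors:", "warnings:" ...
            section = item[:-1] if item.endswith(":") else None
        elif indent >= 6 and proto and section == "ciphers":
            m = CIPHER.match(item)
            if m:
                result[proto]["ciphers"].append((m.group(1), m.group(2)))
        elif indent >= 6 and proto and section == "compressors":
            result[proto]["compressors"].append(item)
    return result


def audit(parsed):
    """Findings as (category, subject) pairs: protocols first, then each cipher once."""
    findings = []
    for proto, info in parsed.items():
        if proto in DEPRECATED:
            findings.append(("deprecated-protocol", proto))
        for comp in info["compressors"]:
            if comp != "NULL":                         # TLS compression enables CRIME
                findings.append(("tls-compression", f"{proto}:{comp}"))
    seen = set()
    for info in parsed.values():
        for name, _grade in info["ciphers"]:
            if name in seen:
                continue
            seen.add(name)
            if name.startswith("TLS_RSA_"):            # static RSA key exchange: no forward secrecy
                findings.append(("no-forward-secrecy", name))
            if "_CBC_" in name:                        # CBC suites: prefer AEAD (GCM/CHACHA20)
                findings.append(("cbc-mode", name))
            if any(t in name for t in WEAK_TOKENS):
                findings.append(("weak-cipher", name))
    return findings


if __name__ == "__main__":
    # Usage: nmap -p 7272 --script ssl-enum-ciphers pmp.example.com > scan.txt
    #        python3 tls_audit.py scan.txt        (no argument: audit SCAN_BEFORE)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SCAN_BEFORE
    for category, subject in audit(parse_ssl_enum_ciphers(text)):
        print(f"{category:20} {subject}")
```

Run against the post's first scan it reports SSLv3, TLSv1.0 and TLSv1.1 as deprecated protocols and both AES-CBC suites as static-RSA, CBC-mode ciphers; against the post's final scan only the TLSv1.0 and TLSv1.1 findings and the same two cipher findings remain, which is the list of what still needs attention after the server.xml change. The indentation-based parser also accepts the newer nmap output that adds a key-exchange note and a letter grade to each cipher line.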