05-02-2014 07:56 AM - last edited on 05-12-2014 01:07 AM by RASHMI
I am new to managing a Windows Server environment which is a mix of Windows Server 2003/2008 (32/64 bit) versions.
Recently, several hundred servers had been detected with the Heartbleed bug on port 2381 which I believe is related to SMH. The SMH version was 7.2.2 which HP recommends to upgrade to 7.2.3.
Because of the priority, I quickly upgraded these to 7.2.3 by installing the suggested .exe on the HP site:
The above fixed the vulnerability and produced clean scans.
I now wish to regenerate the certificates and am completely lost on how I should do that. As per the doc above,
"If it is suspected that a datacenter has been compromised by this security vulnerability, delete the SMH certificate or back it up by moving it to a private folder. The SMH certificate is located on each node of the datacenter, with the filenames cert.pem and file.pem, in folder C:\hp\sslshare. A new certificate will be created when the SMH service starts (at the end of the upgrade or new installation)."
Does the above mean that if I simply delete cert.pem and file.pem and restart the SMH service, the certificates will be regenerated and the issue is solved?
Or, when it says "(at the end of the upgrade or new installation)", does it mean that I have to reinstall 7.2.3?
(FYI, PKI is *not* being used in our environment.)
Please advise. Thanks.
05-02-2014 08:57 AM
Yes - you are exactly right. You can also use the SMH GUI to generate a CSR, grab the file from that same directory and sign it with your CA, and then replace the file cert.pem with your new cert (use the same name). It's a lot of work to provide custom certs for hundreds of servers, so I can see why nobody would want to do it and you are probably better off doing the simpler method they provide (deleting the existing files and restarting the service).
05-02-2014 09:05 AM
Sorry, I just re-read your post. Here is what I would do:
Install latest SMH. Do not install 7.3.2 on Windows 2003. This breaks SMH as Windows 2003 does not support the version of PHP included in the SMH 7.3 family. Use 7.2.3 for Windows 2003 and 7.3.2 for Windows 2008 and up. This fixes the Heartbleed bug in HP SMH software.
Install latest VCAgent if you are using it. You can use 7.3.2 version of the VCA for both Windows 2003 and 2008 and up servers. This fixes the Heartbleed bug in the HP VCA software.
If you are worried your existing certificates have been compromised, delete the certs as you outlined in your post and restart the SMH agent service to have them regenerated. As you mentioned you are not using PKI, you can ignore my earlier post regarding creating CSRs...and that is a lot of work anyways.
Hope this helps.
05-11-2014 03:30 PM
Many thanks for your advice.
I followed the steps you mentioned and received about 80% successful fixes (upgrades).
However, on about 20% of the servers, the scan script still reports "probably vulnerable" for heartbleed:
(a) c:\hp\hpsmh\bin\smhlogreader --version displays 126.96.36.199
(b) c:\hp\hpsmh\bin\ssleay32.dll and libeay32.dll show Product version as "1.0.1c"
(c) c:\smh_installer.log seems to indicate a successful upgrade. PFA.
(I have not updated the VCAgent for any as yet)
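The regeneration procedure from the earlier reply (move cert.pem and file.pem out of C:\hp\sslshare, restart the SMH service) and the DLL version check from the last post, put together as a PowerShell script. This is an added example, not part of the thread or HP's own tooling; it goes slightly beyond the thread by comparing the certificate thumbprint before and after the restart to prove the old key is really out of use. The service name "SysMgmtHp" is an assumption (confirm it with Get-Service), and cert.pem is assumed to hold only the certificate.

```powershell
# Added example: back up the SMH certificate files, restart SMH so a fresh
# certificate/key pair is generated, confirm the certificate changed, and
# check the bundled OpenSSL DLL version. Paths are those quoted in the thread;
# the service name below is an ASSUMPTION - verify with Get-Service first.
param(
    [string]$SslShare    = 'C:\hp\sslshare',
    [string]$SmhBin      = 'C:\hp\hpsmh\bin',
    [string]$ServiceName = 'SysMgmtHp',
    [string]$Backup      = "C:\smh_cert_backup_$(Get-Date -Format yyyyMMdd_HHmmss)"
)

function Get-PemThumbprint([string]$Path) {
    # SHA-1 thumbprint of the X.509 certificate in a PEM file; $null if absent
    if (-not (Test-Path $Path)) { return $null }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($Path)
    return $cert.Thumbprint
}

$certPem = Join-Path $SslShare 'cert.pem'
$before  = Get-PemThumbprint $certPem
Write-Host "Current SMH certificate thumbprint: $before"

# Move (not copy) the old certificate and key to a private folder, as the HP doc advises
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
foreach ($f in 'cert.pem', 'file.pem') {
    $src = Join-Path $SslShare $f
    if (Test-Path $src) { Move-Item $src (Join-Path $Backup $f) }
}

# A new certificate is created when the SMH service starts
Restart-Service -Name $ServiceName -Force
Start-Sleep -Seconds 15   # allow the service time to write the new files

$after = Get-PemThumbprint $certPem
if (-not $after)        { throw "cert.pem was not regenerated; check the SMH service log" }
if ($after -eq $before) { throw "certificate unchanged; the old key is still in use" }
Write-Host "New SMH certificate thumbprint:     $after"

# Patch-state check: OpenSSL 1.0.1 through 1.0.1f are the Heartbleed-affected releases
$ssl = Get-Item (Join-Path $SmhBin 'ssleay32.dll')
Write-Host "ssleay32.dll ProductVersion: $($ssl.VersionInfo.ProductVersion)"
if ($ssl.VersionInfo.ProductVersion -match '^1\.0\.1[a-f]?$') {
    Write-Warning "OpenSSL build is in the Heartbleed-affected range; the upgrade did not replace the DLL"
}
```

Run it once per node from an elevated prompt; a thumbprint that does not change, or a DLL still reporting 1.0.1c as in the last post, means the scanner's "probably vulnerable" verdict is correct and the upgrade needs to be repeated.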