Re: Newbie : HP Systems Mangement Homepage SSL Heartbleed bug; Cert regeneration (565 Views)
Reply
Visitor
aruntechie123
Posts: 3
Registered: ‎05-02-2014
Message 1 of 5 (684 Views)
Accepted Solution

Newbie : HP Systems Mangement Homepage SSL Heartbleed bug; Cert regeneration

[ Edited ]

Hello All,

 

I am new to managing a Windows Server environment which is a mix of Windows Server 2003/2008  (32/64 bit) versions.

 

Recently, several hundred servers had been detected with the Heartbleed bug on port 2381 which I beleive is related to SMH. The SMH version was 7.2.2 which HP recommeds to upgrade to 7.2.3.

 

Because of the priority, I quickly upgraded these to 7.2.3 by installing the suggested .exe on HP site :

http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay?javax.portlet.begCache...

 

The above fixed the vulnerability and produced clean scans.

 

I now wish to regenerate the certificates and am completely lost on how I should do that. As per the doc above,

 

"If it is suspected that a datacenter has been compromised by this security vulnerability, delete the SMH certificate or back it up by moving it to a private folder. The SMH certificate is located on each node of the datacenter, with the filenames cert.pem and file.pem, in folder C:\hp\sslshare. A new certificate will be created when the SMH service starts (at the end of the upgrade or new installation)."

 

Does the above mean that if simply delete cert.pem and file.pem and restart the SMH service, the certificates will be re-genreated and the issue is solved?

Or When it says  "(at the end of the upgrade or new installation)", does it mean that I have to reinstall 7.2.3?

 

(FYI, PKI is *not* being used in our environment.)

 

Please advise. Thanks.

Honored Contributor
Nelson Kaeppel
Posts: 951
Registered: ‎03-12-2003
Message 2 of 5 (665 Views)

Re: Newbie : HP Systems Mangement Homepage SSL Heartbleed bug; Cert regeneration

Yes - you are exactly right.  You can also use the SMH GUI to generate a CSR, grab the file from that same directory and sign it with your CA and then replace the file cert.pem with your new cert (use the same name).  Its a lot of work to provide custom certs for 100's of servers so I can see why nobody would want to do it and you are probably better off you doing the simpler method they provide (deleting the existing files and restarting the service).

 

Nelson

Honored Contributor
Nelson Kaeppel
Posts: 951
Registered: ‎03-12-2003
Message 3 of 5 (663 Views)

Re: Newbie : HP Systems Mangement Homepage SSL Heartbleed bug; Cert regeneration

Sorry, I just re-read you your post.  Here is what I would do:

 

Install latest SMH.  Do not install 7.3.2 on Windows 2003.  This breaks SMH as Windows 2003 does not support the the versionof PHP included in the SMH 7.3 familiy.  Use 7.2.3 for Windows 2003 and 7.3.2 for Windows 2008 and up.  This fixes the Heartbleed bug in HP SMH software.

 

Install latest VCAgent if you are using it.  You can use 7.3.2 version of the VCA for both Windows 2003 and 2008 and up servers.  This fixes the Heartbleed bug in the HP VCA software.

 

If you are worried your existing certificates have been comprimised, delete the certs as you outlined in your post and restart the SHM agent service to have them regenerated.  As you mentioned you are not using PKI you can ignore my earlier post regarding creating CSRs...and that is a lot of work anyways.

 

Hope this helps.

NK

Visitor
aruntechie123
Posts: 3
Registered: ‎05-02-2014
Message 4 of 5 (605 Views)

Re: Newbie : HP Systems Mangement Homepage SSL Heartbleed bug; Cert regeneration

Hello Nelson,

 

Many thanks for your advice.

I followed the steps you mentioned and received about 80% successful fixes (upgrades).

 

However, on about 20% of the servers, the scan script still reports "probably vulnerable" for heartbleed

(a) c:\hp\hpsmh\bin\smhlogreader --version displays 7.2.3.1
(b) c:\hp\hpsmh\bin\ssleay32.dll and libeay32.dll show Product version as "1.0.1c"
(c) c:\smh_installer.log  seems to indicate a successful upgrade. PFA.

 

(I have not updated the VCAgent for any as yet)

 

Please help.

Visitor
aruntechie123
Posts: 3
Registered: ‎05-02-2014
Message 5 of 5 (565 Views)

Re: Newbie : HP Systems Mangement Homepage SSL Heartbleed bug; Cert regeneration

Just FYI, once rebooted, it was fine.
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.