Re: ProCurve manager hardening - port 51111 (2179 Views)
Reply
Occasional Visitor
pgyuzelev
Posts: 1
Registered: ‎04-11-2014
Message 1 of 3 (2,211 Views)

ProCurve manager hardening - port 51111

[ Edited ]

Hello all,

 

During PCI audit we have such request from auditors:

 

xxx.xxx.xxx.xxx 51111 Unique Test   Issue: Weak hash algorithms active  Measure:  Use strong hash algorithms

 

xxx.xxx.xxx.xxx 51111 Unique Test   Issue: Weak encryption ciphers active Measure:  Deactivate weak ciphers

 

 

On this ports works PCM agent. According technical literature this alert is caused by self-signed certificate produced from PCM.

 

Do you have an information - is it possible to use external CA signed certificate for PCM agent?

 

Or can I request statement from HP that it is not possible to change and it is not an issue.

 

Thank you in advance!

 

P.S. This thread has been moved from ProCurve / ProVision-Based to  PCM. -HP Forum Moderator

 

 

 

 

 

 

             

Honored Contributor
Richard Brodie_1
Posts: 583
Registered: ‎10-09-2003
Message 2 of 3 (2,179 Views)

Re: ProCurve manager hardening - port 51111

It doesn't appear to support external certificates. If you update to the latest version and regenerate the certificate , it might generate a longer key/better algorithm by default. However I am only guesssing.

 

What I would do is:

 

1. If you have paid support, open a proper ticket. If you have the paid for PCM+, that is.

 

2. Consider a plan to migrate off PCM, as it's heading for EOL. I imagine the auditors will be less than happy if they find an issue with it and it's unsupported software.

 

 

Acclaimed Contributor
Dennis Handly
Posts: 25,058
Registered: ‎03-06-2006
Message 3 of 3 (2,160 Views)

Re: ProCurve manager hardening - port 51111

[ Edited ]

>this alert is caused by self-signed certificate produced from PCM.

 

Did it have any details about what was wrong?  Typically if there is an issue with self-signed vs CA, it would say that.

Not "weak hash algorithms" or "weak encryption ciphers".  A certificate does have a encryption key length but again, it ideally should mention that.

 

This means these are controlled by the software, not the certificate.

 

If you would like an analysis of your certificate, you can attach it on a reply.

 

>... it is not an issue.

 

I would assume it's an issue, unless your management network is behind a firewall.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.