Original Message:
Sent: 06-10-2024 00:44
From: Syed Noor Fazal
Subject: Imperva DAM Gateway ssl certificate cannot be trusted (tcp, port 443).
Hi Agusting,
The steps have the details on where we need to point to the CA cert and the key; you need to have the CA cert and key and then follow the steps, as you are not using the default cert of the gateway.
------------------------------
Syed Noor Fazal
Product Support Engineer
Original Message:
Sent: 06-09-2024 22:18
From: Agustin Cudiamat
Subject: Imperva DAM Gateway ssl certificate cannot be trusted (tcp, port 443).
Hi Syed,
After enabling the feature, do I need to generate the cert for the GW, and what are the steps?
Thank you.
------------------------------
Agustin Cudiamat
Field Engineer
Singapore
Original Message:
Sent: 06-06-2024 09:44
From: Syed Noor Fazal
Subject: Imperva DAM Gateway ssl certificate cannot be trusted (tcp, port 443).
Hello Agustin,
It's not an issue; this is how the gateway works/is configured by default. As explained earlier, port 443 is only used for MX to GW communication, not for outside/internet communication.
Regarding the 1st query, you need to give the path where the key and Signed cert is saved on the gateway.
------------------------------
Syed Noor Fazal
Product Support Engineer
Original Message:
Sent: 06-06-2024 05:28
From: Agustin Cudiamat
Subject: Imperva DAM Gateway ssl certificate cannot be trusted (tcp, port 443).
Hi Syed,
Thank you for this, and noted on the workaround above.
Regarding TCP port 443 being flagged, is this a known issue? And should we be updating the SSL cert config to ensure the generated cert works for the GW appliance?
And one more question, for
- impctl platform signed-crt enable --key=<full path> --certificate=<full path> [--key-password=<password>]
What details should I input in the command above? <full path> and <password>, or do I just run the command above?
Thanks in advance!
------------------------------
Agustin Cudiamat
Field Engineer
Singapore
Original Message:
Sent: 06-05-2024 08:28
From: Syed Noor Fazal
Subject: Imperva DAM Gateway ssl certificate cannot be trusted (tcp, port 443).
Hello Agustin,
Thank you for the post. Based on our case description, you are inquiring about the self-signed certificate vulnerability on port 443 for the DAM GW.
The DAM GW can only be accessed through the CLI. The Gateway generates its own certificate each time it restarts; this certificate is required for MX and GW communication.
This certificate is for the management interface of the gateway and it is not accessible by external users, hence there should be no impact.
The TCP listener on port 443 at gateway where this vulnerability has been identified is for communication from Management server to gateway only. Since the gateway only registers with one management server, no other machine can communicate with the gateway on this port.
However, if you still want to update it with signed cert, below are the details,
The paths to check the gateway certificate:
The gateway holds a key-pair (private and public key) in:
- /opt/SecureSphere/etc/key.pem
- /opt/SecureSphere/etc/gw_self_signed_cert.crt
Implementation:
The bootstrap.xml file has a field - 'signed-crt'="false"
When this field is false, the gateway acts as it always has: on every new registration the gateway creates its own new private and public keys.
This solution enables the customer to activate/disable the CA signed certificate capability.
Enable the feature:
Run the commands (the gateway must be registered):
- impctl teardown
- impctl platform signed-crt enable --key=<full path> --certificate=<full path> [--key-password=<password>]
- impctl boot
The key size here can be a different value than 2048 bits! After you do this, the gateway will work with the new private and public keys that you added.
Disable the feature:
- impctl teardown
- impctl platform signed-crt disable
- impctl boot
If the gateway was registered, it will remain registered.
If the gateway wasn't registered, it will remain not registered.
Hope this answers your query.
------------------------------
Syed Noor Fazal
Product Support Engineer
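The steps above take a path to a private key, a path to a CA-signed certificate and, optionally, the key password. Before running them it is worth confirming on the gateway that the key and certificate actually belong together and that the certificate chains to the CA the scanner trusts, because the enable step takes the paths as given. The script below is an added example for that pre-flight, not Imperva's own tooling; it assumes the OpenSSL CLI is available on the gateway and uses a placeholder for the CA bundle path.

```shell
#!/bin/sh
# Added example (not Imperva's tooling): pre-flight a CA-signed key/cert pair
# before passing the paths to `impctl platform signed-crt enable`.
# Assumes the OpenSSL CLI is installed; /path/to/ca-bundle.pem is a placeholder.

# Return 0 when the private key and the certificate belong together, i.e. the
# public key derived from each is byte-identical (works for RSA and EC keys).
# Third argument is the key password, only needed for an encrypted key.
key_matches_cert() {
    key="$1"; crt="$2"; pw="${3:-}"
    if [ -n "$pw" ]; then
        k=$(openssl pkey -in "$key" -passin "pass:$pw" -pubout -outform PEM 2>/dev/null)
    else
        k=$(openssl pkey -in "$key" -pubout -outform PEM 2>/dev/null)
    fi
    c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when the certificate validates against the given CA bundle, which is
# what the vulnerability scanner (and the MX) will check on port 443.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the exact enable command from the thread, adding --key-password only
# when a password was supplied (i.e. the key file is encrypted).
signed_crt_enable_cmd() {
    key="$1"; crt="$2"; pw="${3:-}"
    cmd="impctl platform signed-crt enable --key=$key --certificate=$crt"
    [ -n "$pw" ] && cmd="$cmd --key-password=$pw"
    printf '%s\n' "$cmd"
}

# Usage: sh preflight.sh <ca-bundle> <key> <cert> [key-password]
if [ "$#" -ge 3 ]; then
    key_matches_cert "$2" "$3" "${4:-}" || { echo "key does not match certificate"; exit 1; }
    cert_chains_to_ca "$1" "$3" || { echo "certificate does not chain to CA"; exit 1; }
    echo "pre-flight OK, run (between impctl teardown and impctl boot):"
    signed_crt_enable_cmd "$2" "$3" "${4:-}"
fi
```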
Original Message:
Sent: 06-04-2024 07:28
From: Agustin Cudiamat
Subject: Imperva DAM Gateway ssl certificate cannot be trusted (tcp, port 443).
Hi,
My client did a vulnerability scan that picked up "Imperva DAM Gateway SSL certificate cannot be trusted (tcp, port 443)".
How do I go about resolving this?
#DAM
#ssl
#DatabaseActivityMonitoring
------------------------------
Agustin Cudiamat
Engineer
Singapore
------------------------------