Imperva Cyber Community

communities_1.jpg
 View Only
  • 1.  Imperva DAM Gateway ssl certificate cannot be trusted (tcp, port 443).

    Posted 06-04-2024 07:28

    Hi,

    My client did vulnerability scan that picked up the Imperva DAM Gateway ssl certificate cannot be trusted (tcp, port 443).

    How do i go and resolve this?

    #DAM

    #ssl


    #DatabaseActivityMonitoring

    ------------------------------
    Agustin Cudiamat
    Engineer
    Singapore
    ------------------------------


  • 2.  RE: Imperva DAM Gateway ssl certificate cannot be trusted (tcp, port 443).

    Posted 06-05-2024 08:28

    Hello Agustin,

    Thank you for the post, Based on our case description, you are inquiring about self signed certificate vulnerability on port 443 for DAM GW.
     
    DAM GW can only be accessed through CLI, the Gateway generates its own certificate each time it restarts, this certificate is required for MX and GW communication.
    This certificate is for the management interface of the gateway and it is not accessible by external users, hence there should be no impact.


    The TCP listener on port 443 at gateway where this vulnerability has been identified is for communication from Management server to gateway only. Since the gateway only registers with one management server, no other machine can communicate with the gateway on this port.

    However, if you still want to update it with signed cert, below are the details, 

    The path to check the gateway certificate.

    The gateway holds a key-pair (Private and public key) in the:

    • /opt/SecureSphere/etc/key.pem
    • /opt/SecureSphere/etc/gw_self_signed_cert.crt

    Implementation: 

    The bootstrap.xml file has a field - 'signed-crt'="false"

    When this field is false the gateway acts like it always acted - Every new register the gateway will create his own new private and public keys.

    This solution enables the customer to activate/disable the CA signed certificate capability.

    Enable the feature:

    Run the command: gateway must be registered.

    1. impctl teardown
    2. impctl platform signed-crt enable --key=<full path> --certificate=<full path> [--key-password=<password>]
    3. impctl boot;

    The key-size here can be a different value than 2048bits! After you do this the gateway will work with the new private and public keys that you added.

    Disable the feature:

    1. impctl teardown
    2. impctl platform signed-crt disable
    3. Impctl boot

    If the gateway was registered, it will remain registered.
    If the gateway wasn't registered, it will remain not registered.

    Hope this answers your query.



    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------



  • 3.  RE: Imperva DAM Gateway ssl certificate cannot be trusted (tcp, port 443).

    Posted 06-06-2024 05:29
    Edited by Agustin Cudiamat 06-06-2024 05:49

    Hi Syed,

    Thank you for this and noted on thhe workaround above.

    Regarding the tcp port 443 being flag, is this a known issue? And should we be updating the ssl cert config to ensure the generated cert works for GW appliance? 

    And one more question, for 

    1. impctl platform signed-crt enable --key=<full path> --certificate=<full path> [--key-password=<password>]

    What details should i input in the command above? <full path> and <password> or I just run the command above?

    Thank in advance!

    ------------------------------
    Agustin Cudiamat
    Field Engineer
    Singapore
    ------------------------------



  • 4.  RE: Imperva DAM Gateway ssl certificate cannot be trusted (tcp, port 443).

    Posted 06-06-2024 09:44

    Hello Agustin,

    Its not an issue, this is how gateway it works/configured by default, as explained earlier 443 port its only used MX to GW communication not for outside/internet communication.

    Regarding the 1st query, you need to give the path where the key and Signed cert is saved on the gateway.



    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------



  • 5.  RE: Imperva DAM Gateway ssl certificate cannot be trusted (tcp, port 443).

    Posted 06-09-2024 22:18
    Edited by Agustin Cudiamat 06-09-2024 22:18

    Hi Syed,

    After enabling the feature, do I need to generate the cert for the GW and what is the steps?


    Thank you. 
    ------------------------------
    Agustin Cudiamat
    Field Engineer
    Singapore
    ------------------------------



  • 6.  RE: Imperva DAM Gateway ssl certificate cannot be trusted (tcp, port 443).

    Posted 06-10-2024 00:44

    Hi Agusting,

    The steps has the details where we need to point the CA cert and the key, you need to have the CA cert and key and then follow the steps, as you are not using the default cert of the gateway.



    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------



  • 7.  RE: Imperva DAM Gateway ssl certificate cannot be trusted (tcp, port 443).

    Posted 07-01-2024 00:52

    Hi syed,

    After i run this command, 

    # impctl platform signed-crt enable --key=<full path> --certificate=<full path> [--key-password=<password>]

    It prompt me Illegal sub-Command "impctl platform signed-crt enable --key=<full path> --certificate=<full path>" (exit status: 1)

    For the portion on [--key-password=<password>], this <password>, should it be the passphrase that i used during the key generation?



    ------------------------------
    Agustin Cudiamat
    Field Engineer
    Singapore
    ------------------------------