Cannot Receive Events from Change Guardian After Upgrading to Sentinel 7.3.1

  • 7016811
  • 01-Sep-2015
  • 01-Sep-2015

Environment

NetIQ Change Guardian 4.0
NetIQ Change Guardian 4.1

Situation

Change Guardian stops sending events to Sentinel.
When debug logging is enabled, the Change Guardian agent log shows the following messages:

09/01/15 09:26:24 5096 TID:4248 DEBUG
[query] HTTP: curl post failed: ret=35 (Unknown SSL protocol error in connection to 10.80.11.78:8443 )
09/01/15 09:26:24 5096 TID:4248 WARNING
[query] rest dispatcher XSAML authentication failed : [code: 0, http: 400]
09/01/15 09:26:24 5096 TID:4248 WARNING
[query] REST dispatcher failed to initialize authentication method xsaml
09/01/15 09:26:24 5096 TID:4248 ERROR
[query] cannot create dispatcher of type 'rest' with library 'vosrestdispatcher'
09/01/15 09:26:24 5096 TID:4248 DEBUG
adding result rec(sev:1, code:'ELQ0004', defaultText:'unable to instantiate %%0 event dispatcher to %%1', #insertStrings:2)
09/01/15 09:26:24 5096 TID:4248 DEBUG
arg 0: vosrestdispatcher:rest
09/01/15 09:26:24 5096 TID:4248 DEBUG
arg 1: https://10.80.11.78:8443/httpsink
09/01/15 09:26:24 5096 TID:4248 ERROR
[query] unable to create with dispatch method 'vosrestdispatcher:rest', URI 'https://10.80.11.78:8443/httpsink'
09/01/15 09:26:24 5096 TID:4248 DEBUG
[query] REST dispatcher constructor

Resolution

Until a fix is available from Change Guardian, you can perform the following steps:

WARNING: Performing this workaround overrides the fix for the Bar Mitzvah vulnerability specified in Section 1.2, Security Vulnerability Fixes.

  1. Log in as the novell user and open the /etc/opt/novell/sentinel/3rdparty/jetty/jetty-ssl.xml file.

  2. Delete the following lines from the ExcludeCipherSuites list:

    <Item>SSL_RSA_WITH_RC4_128_SHA</Item>

    <Item>SSL_RSA_WITH_RC4_128_MD5</Item>

  3. Restart Sentinel.

  4. Restart the Change Guardian service on the Change Guardian agent computer.
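
Because the workaround is meant to be temporary, it helps to record which Sentinel servers still carry the RC4 exclusions and which have had them removed. The following check is an added example, not part of the original article or of NetIQ's tooling; the function names and the sample XML are constructed here, and the list layout (a `<Set name="ExcludeCipherSuites">` element with one `<Item>` per line) is an assumption.

```shell
#!/bin/sh
# Added example: report whether a jetty-ssl.xml still excludes the two RC4 suites.
# Assumption: the list is a <Set name="ExcludeCipherSuites"> ... </Set> element
# with one <Item> per line; adjust the patterns if the shipped file differs.
RC4_SUITES="SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5"

# Print the cipher names listed inside the ExcludeCipherSuites element of file $1.
excluded_suites() {
    awk '
        /name="ExcludeCipherSuites"/ { in_list = 1 }
        in_list && /<!--/ { next }   # skip items commented out on a single line
        in_list && match($0, /<Item>[^<]+<\/Item>/) {
            print substr($0, RSTART + 6, RLENGTH - 13)
        }
        in_list && /<\/Set>/ { in_list = 0 }
    ' "$1"
}

# Print "fix-intact" (both RC4 suites excluded), "partial" or "rc4-enabled".
rc4_status() {
    list=$(excluded_suites "$1")
    found=0
    for suite in $RC4_SUITES; do
        if printf '%s\n' "$list" | grep -qxF "$suite"; then
            found=$((found + 1))
        fi
    done
    case $found in
        2) echo "fix-intact" ;;
        0) echo "rc4-enabled" ;;
        *) echo "partial" ;;
    esac
}

# Constructed sample (not the shipped Sentinel file): the list before the workaround.
sample_before() {
cat <<'EOF'
<Set name="ExcludeCipherSuites">
  <Array type="String">
    <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
    <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
    <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
  </Array>
</Set>
EOF
}

if [ $# -gt 0 ]; then rc4_status "$1"; fi
```

Run it with the path from step 1 as the argument; a result of `rc4-enabled` means the workaround is in place and the two `<Item>` lines need to be restored once a Change Guardian fix is installed.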

Cause

As part of fixing the Bar Mitzvah vulnerability, Sentinel disabled the RC4 ciphers on SSL ports enabled for the Web server. However, Change Guardian uses RC4 ciphers to communicate with Sentinel. Therefore, Change Guardian can no longer communicate with Sentinel.


Additional Information