Server has a weak, ephemeral Diffie-Hellman public key

Blog Post created by SungHoon_Kim Employee on Feb 1, 2016

The following is a screenshot from my Chrome when accessing the AdminUI.

You will get this if you access the AdminUI: Chrome has been updated and it does not like SSLv3 anymore.

 

The good thing is, we already have a KB article for this.

It needed some updating, so I have just updated the article.

If the article is dated 2015 then it means the published content is not pushed out yet.

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1346659.aspx

Diffie-Hellman key error with Firefox and Chrome browsers connecting to CA SSO Administrative UI

 

Document ID:  TEC1346659
Last Modified Date:  01/2/2016

Summary:

When using the Chrome or Firefox web browsers to connect to the CA SSO Administrative UI (WAMUI) the connection fails and the browsers return Diffie-Hellman key errors.

Examples:

---------------------------------------------------------------------------------------------------------------------------------------------

CHROME:

 

Error:

Server has a weak ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

This error can occur when connecting to a secure (HTTPS) server. It means that the server is trying to set up a secure connection but, due to a disastrous misconfiguration, the connection wouldn't be secure at all!
In this case the server needs to be fixed. Google Chrome won't use insecure connections in order to protect your privacy.
Learn more about this problem.

---------------------------------------------------------------------------------------------------------------------------------------------

FIREFOX:

An error occurred during a connection to <hostName.domain.com>:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

---------------------------------------------------------------------------------------------------------------------------------------------

These Diffie-Hellman errors do not occur with Internet Explorer.


This issue occurs in the default configuration of the underlying JBOSS application server,
which is bundled with the WAMUI as the 'WAMUI-Prereq'.


SOLUTION

To resolve this, the JBOSS 'server.xml' file must be manually modified.

1) Log on to the host running the Administrative UI.

2) Stop the CA SSO Administrative UI

    Stop the embedded JBOSS Server

    1. Log on to the host running the WAMUI

    Unix:

    2. Navigate to:

        <WAMUI Home>/CA/siteminder/adminui/bin/administrative_ui_install

    3. Run the following command:

        shutdown.sh

    Windows:

    2. Load services.msc

    3. Stop the "SiteMinder AdminUI" Service

 


3) Browse to the 'server.xml' file.

Default Path: siteminder/adminui/server/default/deploy/jbossweb.sar/server.xml

4) Copy the 'server.xml' file and name the copy 'server.xml.<date>.BAK'

5) Open the 'server.xml' file with a text editor.

6) Modify the "SSL Connector" section.


 

OLD VALUE:

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA" connectionTimeout="20000" emptySessionPath="true" enableLookups="true" keyAlias="tomcat" keystoreFile="jsse.keystore" keystorePass="changeit" keystoreType="jks" maxHttpHeaderSize="10240" maxPostSize="0" maxSpareThreads="75" minSpareThreads="5" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"/>


NEW VALUE:

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" connectionTimeout="20000" emptySessionPath="true" enableLookups="true" keyAlias="tomcat" keystoreFile="jsse.keystore" keystorePass="changeit" keystoreType="jks" maxHttpHeaderSize="10240" maxPostSize="0" maxSpareThreads="75" minSpareThreads="5" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"/>

 

NOTE: It is suggested to modify the file manually and check for any typographical errors. Copy/paste could include hidden characters, which might impact performance.

7) Save the changes

8) Start the CA SSO Admin UI

9) Connect to the Admin UI using either the Firefox or Chrome web browsers.
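
A quick way to check an edited server.xml before restarting the Admin UI, as an added example that is not part of the KB article or of any CA tooling: it lists the finite-field DHE suites (the ones the NEW VALUE drops) and any RC4 suites still present in each SSL Connector. The sample XML is constructed from shortened versions of the two Connector values above, and the helper name audit_connectors is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples: shortened forms of the article's OLD and NEW Connector
# values, keeping only the attributes this check reads.
OLD_XML = """<Server><Service><Connector SSLEnabled="true" port="8443"
 ciphers="SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
</Service></Server>"""

NEW_XML = """<Server><Service><Connector SSLEnabled="true" port="8443"
 sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
 ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
 TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"/>
</Service></Server>"""


def audit_connectors(xml_text):
    """Hypothetical helper: one finding per SSL-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # non-SSL connectors carry no cipher list
        suites = [s.strip() for s in conn.get("ciphers", "").split(",") if s.strip()]
        findings.append({
            "port": conn.get("port"),
            # Finite-field DHE suites make the server send the ephemeral DH
            # key the browsers reject; ECDHE names do not contain "_DHE_".
            "dhe": [s for s in suites if "_DHE_" in s],
            # RC4 suites are prohibited for TLS by RFC 7465.
            "rc4": [s for s in suites if "_RC4_" in s],
            "sslProtocols": conn.get("sslProtocols"),  # None when absent
            # With no ciphers attribute the JVM's default suites apply.
            "ciphers_unset": not suites,
        })
    return findings


if __name__ == "__main__":
    for label, xml_text in (("OLD", OLD_XML), ("NEW", NEW_XML)):
        for f in audit_connectors(xml_text):
            print(label, f["port"], "DHE:", f["dhe"] or "none",
                  "RC4:", f["rc4"] or "none", "protocols:", f["sslProtocols"])
```

To audit a real file, pass the contents of siteminder/adminui/server/default/deploy/jbossweb.sar/server.xml to audit_connectors; an empty "dhe" list is the condition the NEW VALUE is meant to reach.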

 

Stopped AdminUI Service.

Updated the server.xml file as below. (sslProtocols and the ciphers order)

Started up the AdminUI Service.

Accessed using Chrome.

Now it does not show that error anymore. The above error is because the RootCA is not trusted.

If you click on "Advanced" link, you can proceed to the site.

 

Or, you can import the RootCA certificate to trust it and not get this warning ("Your connection is not private.").

 

If you click on the PADLOCK icon in the Address Bar (where the https is crossed out) then you will get information about which protocol is currently in use.

Here you can see that this connection uses TLS 1.0.

 

More Info: Tech Tip - CA Single Sign-On:Administrative UI: Does the standalone Admin UI installation support TLSv1.2 ?
