FAQ: How to disable SSL v3 on AhsayOBS, AhsayRDR and AhsayRPS? (3168)

Postby admin » Tue Oct 28, 2014 4:27 pm

Article ID: 3168
Reviewed: 04/11/2014

Product Version:
AhsayOBS / AhsayRPS / AhsayRDR: Pre-7.3.2.0
OS: All platforms

Description:
This article describes how to upgrade your AhsayOBS, AhsayRDR and AhsayRPS servers to resolve the SSL v3 POODLE vulnerability.

For partners using AhsayOBS, AhsayRDR and AhsayRPS version pre-6.21.2.0, the SSL v3 POODLE vulnerability could potentially expose users who connect to the AhsayOBS / AhsayRDR / AhsayRPS web management console with older browser versions (for example, Internet Explorer version 6) to a man-in-the-middle (MITM) attack.

For AhsayOBM / AhsayACB from version 6.21.2.0 onwards, all SSL-related code has been removed to protect client computers from this vulnerability.

The entire process of disabling SSL v3 on AhsayOBS, AhsayRDR and AhsayRPS requires three separate stages:

  1. Upgrading all AhsayOBS, AhsayRDR and AhsayRPS servers to version 6.21.2.0 or above, which support disabling of SSL v3.
  2. Upgrading all AhsayOBM and AhsayACB clients to version 6.21.2.0 or above, which has all vulnerable SSL related code removed.
  3. Disabling SSL v3 on AhsayOBS, AhsayRDR and AhsayRPS services.

General Guideline:


Important Note:
After SSL v3 is disabled on AhsayOBS or AhsayRDR, all client applications on version pre-6.21.2.0 will not be able to connect to AhsayOBS via the HTTPS protocol. This is because, although AhsayOBM / AhsayACB version pre-6.21.2.0 clients connect to AhsayOBS / AhsayRDR using TLSv1, SSL is used during the initial connection handshake.

As an example, after disabling SSL v3 on your AhsayOBS, clients on AhsayOBM version 5.5.8.0 will not be able to connect to the backup server via HTTPS. They will need to upgrade to version 6.21.2.0 in order to connect via HTTPS (they will still be able to connect via HTTP).

For partners with customers on older operating system platforms (e.g. where AhsayOBM / AhsayACB cannot be upgraded to 6.21.2.0 or above), Click Here for instructions on how to enable SSL v3 for a specific port to allow HTTPS connections from backup clients on older operating system platforms.

For AhsayOBS servers with replication enabled, both AhsayOBS and AhsayRPS must be on version 6.21.2.0 or above. Otherwise replication will not work: AhsayOBS connects to AhsayRPS via HTTPS, and a connection cannot be established if they are not on version 6.21.2.0 or above.



Steps:
This document describes how to disable SSL v3 on AhsayOBS, AhsayRDR and AhsayRPS.


How to disable SSLv3 for new installation of AhsayOBS, AhsayRDR and AhsayRPS:

  • Non-branded installation of AhsayOBS, AhsayRDR and AhsayRPS

    For a new installation of AhsayOBS, AhsayRDR and AhsayRPS version 6.21.2.0 or above installed with the executable / tarball downloaded from the Ahsay website ( http://www.ahsay.com ), SSLv3 is disabled by default and no further steps are required.


  • Branded installation of AhsayOBS, AhsayRDR and AhsayRPS

    For a new installation of AhsayOBS, AhsayRDR and AhsayRPS version 6.21.2.0 or above installed with the executable / tarball downloaded from the Ahsay Customization Portal ( http://partners.ahsay.com ), refer to the following steps to disable SSLv3:

    1. Edit the server.xml file found under ${Install-Home}\conf

      • Open 'server.xml' with a text editor:

        server.xml
        ...
         - <Service name="Tomcat-Standalone">
              <Connector address="0.0.0.0" port="80" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
                minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
                ...
              <Connector address="0.0.0.0" port="443" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
                minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
                acceptCount="200" connectionTimeout="60000" disableUploadTimeout="true" ...
                ...
                sslProtocol="TLS" />
         ...


      • Update the HTTPS connector, modify the value from:

        sslProtocol="TLS"

        to

        sslProtocols="TLSv1"

        Important Note:
        Pay extra attention to the attribute name 'sslProtocols': there is an extra 's' character at the end of the attribute name.


        e.g. From sslProtocol="TLS" to sslProtocols="TLSv1"

        server.xml (Updated)
        ...
         - <Service name="Tomcat-Standalone">
              <Connector address="0.0.0.0" port="80" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
                minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
                ...
              <Connector address="0.0.0.0" port="443" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
                minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
                acceptCount="200" connectionTimeout="60000" disableUploadTimeout="true" ...
                ...
                sslProtocols="TLSv1" />
         ...


      • Save and exit from the text editor.

    2. Restart the AhsayOBS, AhsayRDR or AhsayRPS service by:

      • (Windows) [ Control Panel ] > [ Administrative Tools ] > [ Services ] > [ Ahsay Offsite Backup Server and Replication Server / Ahsay Redirector ]

      • (Linux) Run [ ${Install-Home} / bin / startup.sh ]

How to disable SSLv3 for existing installation of AhsayOBS, AhsayRDR and AhsayRPS:

The steps to disable SSLv3 for branded and non-branded installation of AhsayOBS, AhsayRDR and AhsayRPS are exactly the same.

Refer to the following steps to disable SSLv3 on your AhsayOBS, AhsayRDR and AhsayRPS:

  1. Upgrade AhsayOBS / AhsayRPS / AhsayRDR to version 6.21.2.0 or above, with instructions provided in the following KB articles:

    FAQ: How to install the latest patch set or hotfixes for AhsayOBS or AhsayRPS? (2435)
    FAQ: How to install the latest patch set or hotfixes for AhsayRDR? (2578)


  2. Upgrade all AhsayOBM / AhsayACB clients to version 6.21.2.0 or above:


  3. Ensure that all backup client applications are upgraded to version 6.21.2.0 or above.

    Log in to the AhsayOBS web management console, select Manage Log, then Backup Job. For backup accounts that have performed backup jobs, the connected AhsayOBM / AhsayACB version will be listed.


  4. Edit the server.xml file found under ${Install-Home}\conf

    • Open 'server.xml' with a text editor:

      server.xml
      ...
       - <Service name="Tomcat-Standalone">
            <Connector address="0.0.0.0" port="80" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              ...
            <Connector address="0.0.0.0" port="443" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              acceptCount="200" connectionTimeout="60000" disableUploadTimeout="true" ...
              ...
              sslProtocol="TLS" />
       ...


    • Update the HTTPS connector, modify the value from

      sslProtocol="TLS"

      to

      sslProtocols="TLSv1"

      Important Note:
      Pay extra attention to the attribute name 'sslProtocols': there is an extra 's' character at the end of the attribute name.


      e.g. From sslProtocol="TLS" to sslProtocols="TLSv1"

      server.xml (Updated)
      ...
       - <Service name="Tomcat-Standalone">
            <Connector address="0.0.0.0" port="80" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              ...
            <Connector address="0.0.0.0" port="443" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              acceptCount="200" connectionTimeout="60000" disableUploadTimeout="true" ...
              ...
              sslProtocols="TLSv1" />
       ...


    • Save and exit from the text editor.

  5. Restart the AhsayOBS, AhsayRDR or AhsayRPS service by:

    • (Windows) [ Control Panel ] > [ Administrative Tools ] > [ Services ] > [ Ahsay Offsite Backup Server and Replication Server / Ahsay Redirector ]

    • (Linux) Run [ ${Install-Home} / bin / startup.sh ]


How to disable SSLv3 for AhsayPRD:

Important Note:
Before upgrading AhsayPRD, ensure that all AhsayOBS / AhsayRDR / AhsayRPS servers, and AhsayOBM / AhsayACB clients are upgraded to version 6.21.2.0 or above. After the upgrade, all client applications on version pre-6.21.2.0 will not be able to connect to the backup server via HTTPS protocol.

For example, after the upgrade, clients on AhsayOBM version 5.5.8.0 will not be able to connect to the backup server via HTTPS. They will need to upgrade to version 6.21.2.0 in order to connect via HTTPS (they will still be able to connect via HTTP).



Refer to the following steps to disable SSLv3 on your AhsayPRD:

  1. Download the latest version of AhsayPRD by Clicking Here.

  2. Extract the installation files to ${PRD_HOME_NEW} (this folder will be your AhsayPRD installation home).

  3. Stop the AhsayPRD service by:

    [ Control Panel ] > [ Administrative Tools ] > [ Services ] > [ Ahsay Proxy Redirector ]

  4. Uninstall the AhsayPRD service by executing the uninstall-service.bat batch file.

     >uninstall-service.bat

  5. Copy the httpd.conf file from the existing AhsayPRD installation folder to the new installation:

    ${PRD_HOME}\conf\httpd.conf

    to

    ${PRD_HOME_NEW}\conf

  6. Copy all related cert or private key files to ${PRD_HOME_NEW}\conf

  7. Back up the existing AhsayPRD installation folder by renaming the ${PRD_HOME} folder to ${PRD_HOME.BAK}

  8. Rename the ${PRD_HOME_NEW} folder back to the original installation folder name ${PRD_HOME}

  9. Execute the install-service.bat batch file to install the AhsayPRD service again.

     >install-service.bat


How to disable SSLv3 for AhsayOBS and AhsayRPS installation on AhsayUBS:

The steps to disable SSLv3 for branded and non-branded installation of AhsayOBS and AhsayRPS on AhsayUBS are exactly the same.

Refer to the following steps to disable SSLv3 on your AhsayOBS and AhsayRPS:

  1. Upgrade AhsayUBS to version 2.21.2.0 or above, with instructions provided in the following KB articles:

    FAQ: How to install the latest patch set or hotfixes for AhsayUBS? (2463)


  2. Upgrade all AhsayOBM / AhsayACB clients to version 6.21.2.0 or above:


  3. Ensure that all backup client applications are upgraded to version 6.21.2.0 or above.

    Log in to the AhsayOBS web management console, select Manage Log, then Backup Job. For backup accounts that have performed backup jobs, the connected AhsayOBM / AhsayACB version will be listed.


  4. Shutdown the AhsayOBS and AhsayRPS service via the AhsayUBS console:

    ubs-upgrade.PNG


  5. Start the SSHD module via the AhsayUBS console:

    ubs-upgrade4.PNG


  6. SSH to the AhsayUBS with the following login credentials:

    Username: root
    Password: ahsayubs


  7. Access the AhsayOBS server files, grant write permission:

     >mount -uw /ubs/mnt/esfmfw


  8. Edit the server.xml file found under /ubs/mnt/esfmfw/obsr/system/conf

    • Open 'server.xml' with a text editor such as vi:

      server.xml
      ...
       - <Service name="Tomcat-Standalone">
            <Connector address="0.0.0.0" port="80" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              ...
            <Connector address="0.0.0.0" port="443" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              acceptCount="200" connectionTimeout="60000" disableUploadTimeout="true" ...
              ...
              sslProtocol="TLS" />
       ...


    • Update the HTTPS connector, modify the value from

      sslProtocol="TLS"

      to

      sslProtocols="TLSv1"

      Important Note:
      Pay extra attention to the attribute name 'sslProtocols': there is an extra 's' character at the end of the attribute name.


      e.g. From sslProtocol="TLS" to sslProtocols="TLSv1"

      server.xml (Updated)
      ...
       - <Service name="Tomcat-Standalone">
            <Connector address="0.0.0.0" port="80" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              ...
            <Connector address="0.0.0.0" port="443" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...
              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...
              acceptCount="200" connectionTimeout="60000" disableUploadTimeout="true" ...
              ...
              sslProtocols="TLSv1" />
       ...


    • Save and exit from the text editor.

  9. Re-boot the AhsayUBS machine afterward via the AhsayUBS console:

    ubs-upgrade6.png
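
The following check is an added example, not part of Ahsay's article or tooling. It parses server.xml after the edit described in the three procedures above (new branded installation, existing installation, AhsayUBS) and reports any HTTPS connector that still carries sslProtocol or lacks sslProtocols="TLSv1". Treating a connector as HTTPS when it has one of these attributes or scheme="https" is an assumption, and the sample XML is constructed.

```python
import sys
import xml.etree.ElementTree as ET

REQUIRED_ATTR = "sslProtocols"   # note the trailing "s" the article stresses
REQUIRED_VALUE = "TLSv1"         # value the article prescribes

def audit_server_xml(xml_text):
    """Return [(port, problem), ...] for HTTPS connectors; an empty list means OK."""
    problems = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        attrs = conn.attrib
        # Assumption: a connector is HTTPS if it carries an ssl protocol
        # attribute (in any letter case) or scheme="https".
        ssl_attrs = {k: v for k, v in attrs.items()
                     if k.lower() in ("sslprotocol", "sslprotocols")}
        if not ssl_attrs and attrs.get("scheme", "").lower() != "https":
            continue
        port = attrs.get("port", "?")
        # XML attribute names are case-sensitive, so anything other than the
        # exact required name is a leftover or a misspelling.
        for name, value in ssl_attrs.items():
            if name != REQUIRED_ATTR:
                problems.append((port, f'leftover or misspelled attribute {name}="{value}"'))
        value = attrs.get(REQUIRED_ATTR)
        if value is None:
            problems.append((port, f"{REQUIRED_ATTR} is not set"))
        elif value.strip() != REQUIRED_VALUE:
            problems.append((port, f'{REQUIRED_ATTR}="{value}", expected "{REQUIRED_VALUE}"'))
    return problems

# Constructed sample files, modelled on the excerpts in this article.
TEMPLATE = """<Server><Service name="Tomcat-Standalone">
  <Connector address="0.0.0.0" port="80" maxThreads="500" />
  <Connector address="0.0.0.0" port="443" maxThreads="500" {ssl} />
</Service></Server>"""
BEFORE = TEMPLATE.format(ssl='sslProtocol="TLS"')
HALF_EDITED = TEMPLATE.format(ssl='sslProtocol="TLSv1"')  # value changed, name not
UPDATED = TEMPLATE.format(ssl='sslProtocols="TLSv1"')

if __name__ == "__main__":
    # Pass the path to server.xml, or run without arguments to audit the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"BEFORE": BEFORE, "HALF_EDITED": HALF_EDITED, "UPDATED": UPDATED}
    results = {label: audit_server_xml(text) for label, text in targets.items()}
    for label, found in results.items():
        for port, problem in found:
            print(f"{label}: port {port}: {problem}")
        if not found:
            print(f"{label}: OK")
    sys.exit(1 if any(results.values()) else 0)
```

Run it against the edited file before restarting the service; a non-zero exit status means at least one HTTPS connector does not match the setting the article prescribes.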


Keywords:
sslv3, SSL, https, http, v3, POODLE, poodle