https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1901294#M1999 <P>When I check the processes on the container there is simple the start_replicate.sh and repctl. What exactly is acting as the web server to allow users to view the replicate UI?</P> Fri, 04 Mar 2022 15:06:52 GMT Vegy 2022-03-04T15:06:52Z https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1898877#M1962 <P>Hi,</P> <P>I've already raised a ticket (2..) around this so just looking for some more informal discussion around this scenario and potential fixes.</P> <P>We run Replicate (7.0.0.514 atm but upgrade coming shortly) on Centos 7 in a bespoke docker built container. We interact with Replicate via the Linux UI from windows machines. Installing the UI on a Windows Machine (or QEM) is not an option at the moment.</P> <P>Support suggest we disable Secure Renegotiation via the OS properties but I am struggling to see how. If we exclude the options of using a different OS (Centos 7 supposed TLS 1.2 / OpenSSL 1.0.1 only) I believe we can only achieve this by disabling it in the java system properties.</P> <P>However, the only process that is running (outside of the entrypoint start_replicate.sh) is repctl. I can't actually see java running at all, so I can only presume that anything related to java is actually compiled within repctl.</P> <P>What this also means is I can't truely understand how I would pass any options to affect java use by repctl within the container.</P> <P>I've tried changing the two java.security files that I can see, one being under the replicate installation path (opt/attunity/replicate/jvm/conf/security/java.security), and the other under the standard java installation path (/usr/lib/jvm/java-11-openjdk-11.0.14.0.9-1.el7_9.x86_64/conf/security/java.security). I've added&nbsp;jdk.tls.rejectClientInitiatedRenegotiation=true to both these files as part of my image build, so that when repctl is actually started these options already exist.</P> <P>I've also setting the env JAVA_OPTS to include -Djdk.tls.rejectClientInitiatedRenegotiation=true, as well as passing this value as part of the call to start repctl.</P> <P>None of these have been successful.&nbsp;</P> <P>Would appreciate any advice?&nbsp;</P> <P>Cheers</P> <P>Veg</P> Tue, 01 Mar 2022 17:53:25 GMT https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1898877#M1962 Vegy 2022-03-01T17:53:25Z https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1898924#M1971 <P>I am not sure i understand the issue, what is the issue, it is the certificate error or what is the issue here ?</P> Tue, 01 Mar 2022 19:49:37 GMT https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1898924#M1971 Steve_Nguyen 2022-03-01T19:49:37Z https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1899199#M1978 <P>Hi, the issue is that the Replicate UI in our environment has a DOS vulnerability as described here&nbsp;<A href="https://datatracker.ietf.org/doc/html/rfc5746" target="_blank">RFC 5746 - Transport Layer Security (TLS) Renegotiation Indication Extension (ietf.org)</A></P> <P>I appreciate that our UI is internal facing only, but we still need to satisfy internal Security signoff.</P> <P>Whilst we could rebuild our container to use a different Distro I want to be absolutely sure that disabling Secure Renegotiation is not possible with what we have.</P> <P>Cheers</P> <P><BR />Veg</P> Wed, 02 Mar 2022 10:03:11 GMT https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1899199#M1978 Vegy 2022-03-02T10:03:11Z https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1899307#M1980 <P>if you already have a case open then best to work with case for more information.</P> <P>As this relate to security and reconfiguration of your OS, best to work with support on your open case.</P> Wed, 02 Mar 2022 13:00:09 GMT https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1899307#M1980 Steve_Nguyen 2022-03-02T13:00:09Z https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1899396#M1981 <P>As Steve indicates, the support case is probably the most solid road to useful statement for your security team.</P> <P>My expectation, not that that has any value in this, is that the result will be a statement that Replicate does not care in the least about this, has not influence, cannot control. It sits a one level above all the SSL details and is&nbsp; just ready to accept a TCP commands coming in over a secure port.&nbsp; And there is no java used in this context here either. The only javascript in the Replicate server is for a few endpoint definitions. This is all browser/webserver controlled best I know.</P> <P>fwiw,</P> <P>Hein</P> Wed, 02 Mar 2022 14:44:54 GMT https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1899396#M1981 Heinvandenheuvel 2022-03-02T14:44:54Z https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1901294#M1999 <P>When I check the processes on the container there is simple the start_replicate.sh and repctl. What exactly is acting as the web server to allow users to view the replicate UI?</P> Fri, 04 Mar 2022 15:06:52 GMT https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1901294#M1999 Vegy 2022-03-04T15:06:52Z https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1915455#M2331 <P>@<SPAN style="background-color:rgb(255,255,255);color:rgb(46,46,46);font-size:13px;"><STRONG>Vegy , best to open a support ticket to have in depth information about Linux Replicate UI</STRONG></SPAN></P> Wed, 06 Apr 2022 17:34:12 GMT https://community.qlik.com/t5/Qlik-Replicate/Replicate-on-Centos-7-Disabling-Secure-Renegotiation/m-p/1915455#M2331 Steve_Nguyen 2022-04-06T17:34:12Z