Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2024! Seize endless possibilities! LEARN MORE
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Vegy
Contributor II
Contributor II
‎2022-03-01 12:52 PM

Replicate on Centos 7 - Disabling Secure Renegotiation

Hi,

I've already raised a ticket (2..) around this so just looking for some more informal discussion around this scenario and potential fixes.

We run Replicate (7.0.0.514 atm but upgrade coming shortly) on Centos 7 in a bespoke docker built container. We interact with Replicate via the Linux UI from windows machines. Installing the UI on a Windows Machine (or QEM) is not an option at the moment.

Support suggest we disable Secure Renegotiation via the OS properties but I am struggling to see how. If we exclude the options of using a different OS (Centos 7 supposed TLS 1.2 / OpenSSL 1.0.1 only) I believe we can only achieve this by disabling it in the java system properties.

However, the only process that is running (outside of the entrypoint start_replicate.sh) is repctl. I can't actually see java running at all, so I can only presume that anything related to java is actually compiled within repctl.

What this also means is I can't truely understand how I would pass any options to affect java use by repctl within the container.

I've tried changing the two java.security files that I can see, one being under the replicate installation path (opt/attunity/replicate/jvm/conf/security/java.security), and the other under the standard java installation path (/usr/lib/jvm/java-11-openjdk-11.0.14.0.9-1.el7_9.x86_64/conf/security/java.security). I've added jdk.tls.rejectClientInitiatedRenegotiation=true to both these files as part of my image build, so that when repctl is actually started these options already exist.

I've also setting the env JAVA_OPTS to include -Djdk.tls.rejectClientInitiatedRenegotiation=true, as well as passing this value as part of the call to start repctl.

None of these have been successful. 

Would appreciate any advice? 

Cheers

Veg

Labels (1)
Labels
2,299 Views
0 Likes
7 Replies
Steve_Nguyen
Support
Support
‎2022-03-01 02:49 PM

I am not sure i understand the issue, what is the issue, it is the certificate error or what is the issue here ?

Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up!
2,269 Views
Vegy
Contributor II
Contributor II
‎2022-03-02 05:03 AM
Author

Hi, the issue is that the Replicate UI in our environment has a DOS vulnerability as described here RFC 5746 - Transport Layer Security (TLS) Renegotiation Indication Extension (ietf.org)

I appreciate that our UI is internal facing only, but we still need to satisfy internal Security signoff.

Whilst we could rebuild our container to use a different Distro I want to be absolutely sure that disabling Secure Renegotiation is not possible with what we have.

Cheers


Veg

2,248 Views
0 Likes
Steve_Nguyen
Support
Support
‎2022-03-02 08:00 AM

if you already have a case open then best to work with case for more information.

As this relate to security and reconfiguration of your OS, best to work with support on your open case.

Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up!
2,240 Views
Heinvandenheuvel
Specialist II
Specialist II
‎2022-03-02 09:43 AM

As Steve indicates, the support case is probably the most solid road to useful statement for your security team.

My expectation, not that that has any value in this, is that the result will be a statement that Replicate does not care in the least about this, has not influence, cannot control. It sits a one level above all the SSL details and is  just ready to accept a TCP commands coming in over a secure port.  And there is no java used in this context here either. The only javascript in the Replicate server is for a few endpoint definitions. This is all browser/webserver controlled best I know.

fwiw,

Hein

2,234 Views
Vegy
Contributor II
Contributor II
‎2022-03-04 10:06 AM
Author

When I check the processes on the container there is simple the start_replicate.sh and repctl. What exactly is acting as the web server to allow users to view the replicate UI?

2,211 Views
0 Likes
Steve_Nguyen
Support
Support
‎2022-04-06 01:34 PM

In response to Vegy

@Vegy , best to open a support ticket to have in depth information about Linux Replicate UI

Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up!
2,142 Views
leebenjamin36
Contributor II
Contributor II
‎2023-01-17 04:18 AM

The first thing I would do in this case is check if Replicate has any built-in options or configurations to address this issue. It's possible that Replicate has a property or setting that can be adjusted to disable Secure Renegotiation. You may want to check their documentation or reach out to their support team for more information.
One more option to consider is reaching out to TuxCare. They offer support for various Linux distributions, and they may have more specific experience with this issue on Centos 7. They might be able to provide more guidance on how to disable Secure Renegotiation in your specific setup.

1,839 Views
0 Likes