Qlik Community

Qlik Replicate

Discussion board for collaboration on Qlik Replicate.

Announcements
See why Qlik was recognized for the seventh year in a row – and discover how we can help you tackle your data integration challenges. Get the report
cancel
Showing results for 
Search instead for 
Did you mean: 
Vegy
Contributor II
Contributor II

Replicate on Centos 7 - Disabling Secure Renegotiation

Hi,

I've already raised a ticket (2..) around this so just looking for some more informal discussion around this scenario and potential fixes.

We run Replicate (7.0.0.514 atm but upgrade coming shortly) on Centos 7 in a bespoke docker built container. We interact with Replicate via the Linux UI from windows machines. Installing the UI on a Windows Machine (or QEM) is not an option at the moment.

Support suggest we disable Secure Renegotiation via the OS properties but I am struggling to see how. If we exclude the options of using a different OS (Centos 7 supposed TLS 1.2 / OpenSSL 1.0.1 only) I believe we can only achieve this by disabling it in the java system properties.

However, the only process that is running (outside of the entrypoint start_replicate.sh) is repctl. I can't actually see java running at all, so I can only presume that anything related to java is actually compiled within repctl.

What this also means is I can't truely understand how I would pass any options to affect java use by repctl within the container.

I've tried changing the two java.security files that I can see, one being under the replicate installation path (opt/attunity/replicate/jvm/conf/security/java.security), and the other under the standard java installation path (/usr/lib/jvm/java-11-openjdk-11.0.14.0.9-1.el7_9.x86_64/conf/security/java.security). I've added jdk.tls.rejectClientInitiatedRenegotiation=true to both these files as part of my image build, so that when repctl is actually started these options already exist.

I've also setting the env JAVA_OPTS to include -Djdk.tls.rejectClientInitiatedRenegotiation=true, as well as passing this value as part of the call to start repctl.

None of these have been successful. 

Would appreciate any advice? 

Cheers

Veg

Labels (1)
6 Replies
Steve_Nguyen
Support
Support

I am not sure i understand the issue, what is the issue, it is the certificate error or what is the issue here ?

Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up!
Vegy
Contributor II
Contributor II
Author

Hi, the issue is that the Replicate UI in our environment has a DOS vulnerability as described here RFC 5746 - Transport Layer Security (TLS) Renegotiation Indication Extension (ietf.org)

I appreciate that our UI is internal facing only, but we still need to satisfy internal Security signoff.

Whilst we could rebuild our container to use a different Distro I want to be absolutely sure that disabling Secure Renegotiation is not possible with what we have.

Cheers


Veg

Steve_Nguyen
Support
Support

if you already have a case open then best to work with case for more information.

As this relate to security and reconfiguration of your OS, best to work with support on your open case.

Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up!
Heinvandenheuvel
Creator III
Creator III

As Steve indicates, the support case is probably the most solid road to useful statement for your security team.

My expectation, not that that has any value in this, is that the result will be a statement that Replicate does not care in the least about this, has not influence, cannot control. It sits a one level above all the SSL details and is  just ready to accept a TCP commands coming in over a secure port.  And there is no java used in this context here either. The only javascript in the Replicate server is for a few endpoint definitions. This is all browser/webserver controlled best I know.

fwiw,

Hein

Vegy
Contributor II
Contributor II
Author

When I check the processes on the container there is simple the start_replicate.sh and repctl. What exactly is acting as the web server to allow users to view the replicate UI?

Steve_Nguyen
Support
Support

@Vegy , best to open a support ticket to have in depth information about Linux Replicate UI

Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up!