Troubleshooting
Problem
In order to address an SSLv3 (Secure Socket Layer) protocol vulnerability referred to as a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, the SSLv3 protocol version has now been disabled for IBM Rational ClearQuest LDAP (Lightweight Directory Access Protocol) authentication using SSL.
Symptom
To address this vulnerability, starting in 7.1.2.16, 8.0.0.13, and 8.0.1.6, the SSLv3 protocol version is disabled by ClearQuest, and LDAP authentication will fail if it is attempted over SSLv3.
If you use SSLv3 exclusively through your LDAP provider, authentications / logins will now fail (as of version 7.1.2.16, 8.0.0.13, and 8.0.1.6) with the generic message:
Invalid Credentials: Either the login name or the password is incorrect.
Diagnosing The Problem
ClearQuest user authentication is not vulnerable to the POODLE attack if any of the following is true:
- User authentication with LDAP has not been configured for ClearQuest.
- User authentication with LDAP is not configured to use SSL (unencrypted authentication, which is insecure anyway) [not recommended].
- User authentication with LDAP is configured to use Transport Layer Security (TLS), which is available only in version 8.0.1 or higher.
- User authentication with LDAP uses an LDAP provider for which the organization's LDAP administrator has confirmed that SSLv3 support is disabled.
Resolving The Problem
You are urged to consult your organization's LDAP provider administrator as well as the documentation from your LDAP provider vendor on how to configure/enable more secure protocols, and to explicitly disable SSLv3 support on your LDAP provider.
For IBM Tivoli Directory Server (LDAP provider) - review security bulletin 1687611: Security Bulletin: Vulnerability in SSLv3 affects Directory Server (CVE-2014-3566) for more details.
If you use ClearQuest 8.0.1, you may configure LDAP user authentication with TLS which is secure. Review technote 1646724: Configuring IBM Rational ClearQuest with LDAP user authentication for TLS 1.2 or TLS 1.1 to support NIST SP 800-131A guidelines for more details.
If it is necessary for your LDAP/SSL configuration to continue using SSLv3 even given this vulnerability, please contact Rational Customer Support for further instruction, and reference this technote.
Note: Other product features may be vulnerable to a POODLE attack where SSL is used, such as IBM HTTP Server (IHS) and IBM WebSphere Application Server (WAS).
Internal Use Only
Re-enabling SSLv3 for LDAP within ClearQuest:
If it is necessary for your LDAP/SSL configuration to continue using SSLv3 even given this vulnerability, then it can be re-enabled by setting a ClearQuest behavior flag.
Please document in writing in the PMR and by telephone or electronic correspondence that:
Disclaimer:
[Company] has been advised that re-enabling ClearQuest support for LDAP with the SSLv3 protocol is unsupported, exposes the organization and users to the POODLE vulnerability in which credentials may be compromised, and is against the advice of IBM Rational Client Support. Further, you have been provided methods for securing your environment that you are [unable or unwilling] to implement at this time. Re-enabling LDAP with SSLv3 support is being provided as a temporary insecure workaround to address the critical authentication outage until a supported and secure LDAP authentication method can be implemented.
Steps to re-enable LDAP with SSLv3 (insecure):
LDAP with insecure support for SSLv3 can be re-enabled by setting a ClearQuest behavior flag ALLOW_LDAP_SSLV3=1.
This behavior flag will need to be set on every workstation and CQ Web CM Server host requiring access using LDAP with SSLv3 support.
To set the ALLOW_LDAP_SSLV3 behavior flag in the local environment where the ClearQuest core resides, either:
Windows:
- Modify the Microsoft Windows ClearQuest diagnostic registry key to have the value ALLOW_LDAP_SSLV3=1. Modification of the Windows registry is at your own risk. Consider taking a backup first.
For example:
Access the Start menu option "Run", and type regedit
- Create this registry key, if it does not already exist:
HKEY_CURRENT_USER\Software\Rational Software\ClearQuest\Diagnostic
- HKEY_CURRENT_USER applies to thick clients. To affect the ClearQuest Web client, you must modify this registry hive on the Change Management Server host instead:
HKEY_USERS\.DEFAULT\Software\Rational Software\ClearQuest\Diagnostic
- In that key, create a String with the name BEHAVIOR.
- The value of BEHAVIOR should be "ALLOW_LDAP_SSLV3=1".
- Restart the client.
- To deploy rapidly, create a .reg file with the following content:
ALLOW_LDAP_SSLV3_re-enable.reg:

REGEDIT4

[HKEY_CURRENT_USER\Software\Rational Software\ClearQuest\Diagnostic]
"BEHAVIOR"="ALLOW_LDAP_SSLV3=1"

[HKEY_USERS\.DEFAULT\Software\Rational Software\ClearQuest\Diagnostic]
"BEHAVIOR"="ALLOW_LDAP_SSLV3=1"
Double-click the .reg file and accept changes to the Windows registry to implement this content.
Note:
HKEY_CURRENT_USER is for thick client access behavior.
HKEY_USERS\.DEFAULT is for CQ Web client access behavior.
- To disable rapidly, create a .reg file with the following content:
ALLOW_LDAP_SSLV3_disable.reg:

REGEDIT4

[HKEY_CURRENT_USER\Software\Rational Software\ClearQuest\Diagnostic]
"BEHAVIOR"=""

[HKEY_USERS\.DEFAULT\Software\Rational Software\ClearQuest\Diagnostic]
"BEHAVIOR"=""

Alternatively, set the BEHAVIOR value to "ALLOW_LDAP_SSLV3=0".
Linux/UNIX/command line, prior to invoking the CQ core:
For a system where the ClearQuest core resides, set the Environment Variable:
CQ_DIAG_BEHAVIOR="ALLOW_LDAP_SSLV3=1"
For example:
export CQ_DIAG_BEHAVIOR="ALLOW_LDAP_SSLV3=1"
On Windows, the equivalent is to use regedit to modify the registry key
HKEY_CURRENT_USER\Software\Rational Software\ClearQuest\Diagnostic
and set the string value
"BEHAVIOR"="ALLOW_LDAP_SSLV3=1"
(or, if appropriate, modify the same key and value under HKEY_USERS or HKEY_LOCAL_MACHINE instead).
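The following PowerShell script is an added example, not part of the IBM technote: it audits a Windows host for the insecure ALLOW_LDAP_SSLV3 workaround in both registry hives named above and in the CQ_DIAG_BEHAVIOR environment variable, so the flag can be found and removed once TLS or an SSLv3-disabled LDAP provider is in place. The script, its -Fix switch and the flag-matching pattern are assumptions of this example; only the registry paths, value name and environment variable come from the technote.

```powershell
param([switch]$Fix)   # -Fix blanks the BEHAVIOR value, as the disable .reg file above does

# Registry keys named in the technote: thick clients read HKEY_CURRENT_USER,
# the CQ Web / Change Management Server host reads HKEY_USERS\.DEFAULT.
# Modifying HKEY_USERS\.DEFAULT requires an elevated session.
$keys = [ordered]@{
    'Thick client (HKEY_CURRENT_USER)'       = 'HKCU:\Software\Rational Software\ClearQuest\Diagnostic'
    'CQ Web CM Server (HKEY_USERS\.DEFAULT)' = 'Registry::HKEY_USERS\.DEFAULT\Software\Rational Software\ClearQuest\Diagnostic'
}
# Assumed matching rule: the flag is considered active only when set to 1.
$pattern = 'ALLOW_LDAP_SSLV3\s*=\s*1'

$findings = @(foreach ($scope in $keys.Keys) {
    $path = $keys[$scope]
    $behavior = $null
    if (Test-Path -LiteralPath $path) {
        # The key may exist without a BEHAVIOR value; treat that as "not set".
        $behavior = (Get-ItemProperty -LiteralPath $path -Name 'BEHAVIOR' -ErrorAction SilentlyContinue).BEHAVIOR
    }
    $enabled = [bool]($behavior -match $pattern)
    if ($enabled -and $Fix) {
        # Same effect as ALLOW_LDAP_SSLV3_disable.reg: empty the BEHAVIOR string.
        Set-ItemProperty -LiteralPath $path -Name 'BEHAVIOR' -Value ''
    }
    [pscustomobject]@{ Scope = $scope; Behavior = $behavior; SSLv3Enabled = $enabled }
})

# CQ_DIAG_BEHAVIOR has the same effect when the ClearQuest core is launched from a shell.
$findings += [pscustomobject]@{
    Scope        = 'Environment (CQ_DIAG_BEHAVIOR)'
    Behavior     = $env:CQ_DIAG_BEHAVIOR
    SSLv3Enabled = [bool]($env:CQ_DIAG_BEHAVIOR -match $pattern)
}

$findings | Format-Table -AutoSize

if ($findings.SSLv3Enabled -contains $true) {
    Write-Warning 'ALLOW_LDAP_SSLV3=1 is in effect: LDAP logins may negotiate SSLv3 (POODLE). Remove the flag once TLS (8.0.1 or higher) or an SSLv3-disabled LDAP provider is configured.'
    exit 1
}
exit 0
```

A non-zero exit code lets the script be run from a scheduled task or configuration-management job to report hosts where the temporary workaround is still active.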
Document Information
Modified date: 16 June 2018
UID: swg21689920