See also my previous blog: Installing SAP BI 4.1 SP01 on Red Hat Enterprise Linux 6.x Step-by-step
The Heartbleed Bug has generated a lot of discussion. In this blog, I will go over what I know about Heartbleed based on my personal experience. Be advised that this blog is for informational use only; SAP BI Support has authored a KBA (pertaining to the BI Platform) that will be continually updated with all of the knowledge we have around this topic.

Reference | Link
---|---
Official Heartbleed site | Heartbleed Bug
CVE-2014-0160 | CVE - CVE-2014-0160
OpenSSL Advisory | https://www.openssl.org/news/secadv_20140407.txt
Apache Tomcat Bugzilla BugID:56363 | Bug 56363 OpenSSL security advisory - Heartbleed bug
Tomcat SSL how to | Apache Tomcat 6.0 (6.0.39) - SSL Configuration HOW-TO
SAP BI Platform KBA |
The Heartbleed Bug is a serious vulnerability in certain versions of the OpenSSL cryptographic software library. The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by vulnerable versions of OpenSSL. An attacker could then obtain encryption keys which will allow decryption of past and future traffic to protected sites.
Status of different versions:
Here is a breakdown of where SSL is leveraged in the BI platform:
Streamwork integration: XI3.1 and BI4.x redistribute OpenSSL 0.9.8, which is unaffected by Heartbleed. In addition, this library is used only in situations where outbound connections to SAP Streamwork are made.
Server to Server SSL (Corba): In situations where Corba SSL is enabled, the platform uses an RSA implementation, which is unaffected by Heartbleed, to provide secure SSL functions. This configuration is documented in the admin guide: http://help.sap.com/businessobject/product_guides/sbo41/en/sbo41sp3_bip_admin_en.pdf
Tomcat SSL: Tomcat can use two different implementations of SSL:
- JSSE (pure Java; used by the BIO and NIO connectors)
- APR/native (uses OpenSSL)
According to Apache.org (via bugzillaID:56363): "The binary builds of Tomcat Native 1.1.24 - 1.1.29 have been compiled with an OpenSSL version vulnerable to Heartbleed, and are thus probably vulnerable." SAP provides a Tomcat binary release which integrates an OpenSSL library directly into Tomcat (APR/Native). This is disabled by default.
Since Tomcat can use these two SSL methods (JSSE and APR), only the APR implementation may include the affected version of OpenSSL. For BI Platform, the out-of-the-box method to set up SSL on Tomcat uses JSSE, which is unaffected by Heartbleed. While it is possible to enable APR on the bundled Tomcat and thereby expose it to Heartbleed, doing so takes quite a few extra steps to enable APR and configure SSL.
Q: Where can I find this affected APR Binary?:
A: Check the Tomcat Native version (Windows only). Cross-reference this with:
Bug 56363 OpenSSL security advisory - Heartbleed bug:
*Note: for *nix systems, run "openssl version" and upgrade OpenSSL as necessary.
Even if an affected binary is present on disk, that alone doesn't mean Tomcat is using it.
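To make the "openssl version" check repeatable across a fleet of *nix hosts, here is an added Python example (my addition to this post, not an SAP or OpenSSL tool) that parses the version banner and classifies it against the affected range given in the OpenSSL advisory. The sample banners are constructed for illustration, not captured from any real system.

```python
import re

# Constructed sample outputs of `openssl version` (not captured from any real host).
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.0k 5 Feb 2013",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
]

# major.minor.fix, optional patch letter(s), optional "-suffix" such as -beta1 or -fips
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, suffix) parsed from an `openssl version` banner."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, suffix = m.groups()
    return int(major), int(minor), int(fix), letter, suffix or ""


def heartbleed_status(banner):
    """Classify an upstream OpenSSL version string against CVE-2014-0160.

    Per the OpenSSL advisory (secadv_20140407): 1.0.1 through 1.0.1f are
    affected and 1.0.1g is fixed; 1.0.2-beta1 is affected and beta2 is fixed.
    The 0.9.8 and 1.0.0 branches never contained the heartbeat code.
    """
    major, minor, fix, letter, suffix = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # Bare 1.0.1 and 1.0.1a..1.0.1f are vulnerable; 1.0.1g and later are fixed.
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        return "vulnerable" if suffix == "beta1" else "fixed"
    if (major, minor, fix) < (1, 0, 1):
        return "unaffected"
    return "fixed"  # 1.0.2 final and every later branch


def report(banners):
    """Return a {banner: status} mapping for a list of banners."""
    return dict((b, heartbleed_status(b)) for b in banners)


if __name__ == "__main__":
    for banner, status in sorted(report(SAMPLE_BANNERS).items()):
        print("%-32s %s" % (banner, status))
```

One caveat the banner alone cannot tell you: distributions often backport the fix without changing the version letter. RHEL 6, for example, shipped the fix in openssl-1.0.1e-16.el6_5.7 while the banner still reads 1.0.1e, so on such systems treat "vulnerable" as "check the package changelog" (rpm -q --changelog openssl | grep CVE-2014-0160) rather than as a final verdict.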
Read on....
Q: So how do I know if my Tomcat SSL uses JSSE or APR?
A: Check your Tomcat logs and also SSL connector configuration:
Chances are that if you're using the out-of-the-box Tomcat provided with SAP BI, you're using JSSE.
Check your logs/stderr.log and determine which ProtocolHandler is running your SSL port.
Example:
INFO: Initializing ProtocolHandler ["http-bio-8443"]
From Apache.org reference: Apache Tomcat 7 Configuration Reference (7.0.53) - The HTTP Connector:
"The BIO and NIO connectors use the JSSE SSL whereas the APR/native connector uses OpenSSL. Therefore, in addition to using different attributes to configure SSL, the APR/native connector also requires keys and certificates to be provided in a different format."
Also, it is important to note that if the following message is found in stderr.log, Tomcat did not load the native APR library (it is not configured to load it by default):
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Windows\SysWOW64\;C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\
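Both checks described above (the ProtocolHandler names in stderr.log and the SSL connector definitions in server.xml) can be automated. The following Python example is my addition to this post, not SAP or Apache code; the stderr.log excerpt and the server.xml fragment are constructed samples (the first two log lines mirror the messages quoted above, the http-apr handler and the 9443 connector show what an APR/native deployment would look like).

```python
import re
import xml.etree.ElementTree as ET

# Constructed stderr.log excerpt (not from a real BI Platform host).
SAMPLE_STDERR_LOG = """\
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\\Windows\\SysWOW64\\;C:\\Program Files (x86)\\SAP BusinessObjects\\SAP BusinessObjects Enterprise XI 4.0\\win64_x64\\
INFO: Initializing ProtocolHandler ["http-bio-8080"]
INFO: Initializing ProtocolHandler ["http-bio-8443"]
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
"""

# Constructed server.xml fragment: one JSSE connector (8443) and one APR connector (9443).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="conf/server.crt"
               SSLCertificateKeyFile="conf/server.key"/>
  </Service>
</Server>
"""

_HANDLER_RE = re.compile(r'Initializing ProtocolHandler \["(\w+)-(bio|nio|apr)-(\d+)"\]')
_NATIVE_MISSING = ("Apache Tomcat Native library which allows optimal performance "
                   "in production environments was not found")


def classify_log(log_text):
    """Map each ProtocolHandler seen in stderr.log to the SSL stack it uses.

    BIO and NIO handlers use JSSE (pure Java, no OpenSSL); APR handlers use
    OpenSSL through tcnative. Also records whether the "native library was
    not found" message appeared, in which case no APR connector could load.
    """
    handlers = {}
    for m in _HANDLER_RE.finditer(log_text):
        proto, impl, port = m.groups()
        stack = "OpenSSL (APR/native)" if impl == "apr" else "JSSE"
        handlers["%s-%s-%s" % (proto, impl, port)] = stack
    return {"handlers": handlers,
            "native_library_loaded": _NATIVE_MISSING not in log_text}


def classify_connectors(server_xml):
    """Return the SSL stack per SSL-enabled Connector in server.xml, keyed by port.

    The protocol attribute decides: Http11AprProtocol means OpenSSL, while
    Http11Protocol (BIO) and Http11NioProtocol mean JSSE. The generic value
    "HTTP/1.1" is auto-selected at startup (APR if tcnative loads, BIO on
    Tomcat 7 otherwise), so for it the log, not the config, is authoritative.
    """
    root = ET.fromstring(server_xml)
    result = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        protocol = conn.get("protocol", "HTTP/1.1")
        if protocol.endswith("Http11AprProtocol"):
            stack = "OpenSSL (APR/native)"
        elif protocol.endswith(("Http11Protocol", "Http11NioProtocol")):
            stack = "JSSE"
        else:
            stack = "depends on whether tcnative loads (check stderr.log)"
        # Cross-check: JSSE connectors carry a keystoreFile, APR connectors PEM files.
        result[conn.get("port")] = {
            "stack": stack,
            "keystoreFile": conn.get("keystoreFile") is not None,
            "SSLCertificateFile": conn.get("SSLCertificateFile") is not None,
        }
    return result


if __name__ == "__main__":
    print(classify_log(SAMPLE_STDERR_LOG))
    print(classify_connectors(SAMPLE_SERVER_XML))
```

Run against your own files (logs/stderr.log and conf/server.xml), a connector that reports JSSE, or a log that shows the native library was never found, means the Tomcat SSL port is not backed by the bundled OpenSSL at all, regardless of which tcnative binary sits on disk.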
There are a few ways to test whether a server is affected. Most of the utilities are developed by, or derived from the work of, FiloSottile: https://github.com/FiloSottile
*Note: I express no warranties about the reliability of these third parties.
*Note: Only do this on a TEST system.
1) Compile and run Heartbleed checker tool
This method is a bit more complicated.
Prerequisites:
Install
Documented here: FiloSottile/Heartbleed · GitHub
go get github.com/FiloSottile/Heartbleed
go install github.com/FiloSottile/Heartbleed
If that all worked properly, you should now have a Heartbleed.exe in your /go/bin folder.
Run
so far, so good....
You're basically asking: How do I enable the affected APR and configure SSL with OpenSSL?
Here is what you would have to do:
I enjoyed testing and hope you find it informative.