Tag: Transport Layer Security

Receiver for Windows 4.11 | Error “Unable to connect to the server. error SSL Error 4”

Citrix Leave a comment

Microsoft introduced new set of ciphers, in their update KB2919355, which is applicable to Windows 8.1 and Windows Server 2012 R2 operating systems.

The following cipher suites are enabled and in this priority order by default by the Microsoft Schannel Provider:

Cipher suite string Allowed by SCH_USE_STRONG_CRYPTO TLS/SSL Protocol Versions
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 Yes TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 Yes TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 Yes TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 Yes TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 Yes TLS 1.0, 1.1, 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 Yes TLS 1.0, 1.1, 1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 Yes TLS 1.0, 1.1, 1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 Yes TLS 1.0, 1.1, 1.2


Receiver for Windows 4.7, Receiver for Mac 12.5, Receiver for Android 3.12.2/3.12.3 and Receiver for Linux 13.6 introduce these ECDHE ciphers which trigger this defect.

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and

• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Install KB2919355 on all Windows 8.1 client machines.

Related:

  • No Related Posts

FAS Authentication fails with an error “The username or password is incorrect”

Citrix Leave a comment
Validate the user certificate by copying the certificate from the CA server to the VDA where the application are published. If the CRL check fails because if you are not able to access the CRL path from the VDA, all the certificate in the certificate chain should be validated.

To verify the the certificate validation, run the below command on the VDA from an elevated command prompt.

Certutil -urlfetch -verify “name of the user certificate” > Certname.txt

The output will look like something below.

—————- Certificate AIA —————-

Wrong Issuer “Certificate (0)” Time: 0

[0.0] ldap:///CN=ROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?cACertificate?base?objectClass=certificationAuthority

Verified “Certificate (1)” Time: 0

[0.1] ldap:///CN=ROOT-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?cACertificate?base?objectClass=certificationAuthority

Failed “AIA” Time: 0

Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

http://pki.lab.com/CertEnroll/Root.lab.com_lab-ROOT-CA.crt

—————- Certificate CDP —————-

Expired “Base CRL (01)” Time: 0

[0.0] ldap:///CN=ROOT-CA,CN=Root,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=lab,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

Failed “CDP” Time: 0

Error retrieving URL: Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

http://pki.lab.com/CertEnroll/lab-ROOT-CA.crl

  • As you see in the above sample output, all of the CDP paths of the certificate have an issue and for AIA only the LDAP path is verified.
  • Even if one of the paths ( File, LDAP or http) for CDP and AIA is verified you can ignore the rest of the failures.
  • If you are seeing errors and failures with the all the paths, we need to fix the issue with the CDP and AIA paths of the CA.
  • Once all the above issue with the certificate is fixed, make sure the from the VDA server you are able to access the LDAP and Http path for CDP and AIA.
  • If the CDP and AIA paths are not accessible from the VDA server, the FAS authentication will fail.

Related:

  • No Related Posts

New SSL Features Included in NetScaler 12.0.56.20 Release

Citrix Leave a comment

What new SSL features are included in NetScaler 12.0 56.20?

ECC for VPX backend

NetScaler VPX now includes support for Elliptic Curve Cryptography on backend connections. This allows the NetScaler to support ECC connections to backend servers:

ECC on Services

    ECDHE Cipher Enhancement on VPX Backend

    ECDHE ciphers are now supported on VPX backend.

    • ECDHE suites can give improved performance and better security.
    • RFC 4492 allows ECDHE ciphers to be used with TLS1.0, TLS1.1, and TLS1.2.
    • The new set of ciphers supported on VPX backend are:

    ECDHE on VPX backend

    4K server cert and DHE for VPX backend

    NetScaler VPX now supports backend cert key sizes up to 4K, including DHE:

    4k support

    ChaCha20-Poly1305 Support on VPX and CPX

    ChaCha20-Poly1305 is a new Authenticated Encryption with Associated Data (AEAD) cipher in TLS (RFC 7905).

    • ChaCha20 – Stream Cipher – 96 bit Nonce and 256 bit Key
    • Poly1305 – Authenticator – 256 bit ‘One-time’ Key
    • Both primitives designed for higher performance when done in Software (CPU)

    Benefits/Use Cases

    • Better Performance/Faster Encryption
      • On devices that don’t have specialized AES acceleration (AES-NI on x86)
      • e.g. Non x86 platforms e.g. Android devices, Wearable etc. with ARM processots. Improves User experience, battery life etc.
    • Better Security
      • Reduces side-channel attacks (by design) such as Lucky13 (CBC-Mode) or attacks on other stream ciphers such as RC4 stram cipher
    • Wide deployment on various Clients
      • Chrome browsers on Android devices moved to TLS1.2 + ChaCha=Poly in 2014.

    DTLS BE for MPX and VPX

    DTLS for backend (i.e. DTLS client on NS) is now supported. This requirement is currently for “Double hop for framehawk and UDP audio” feature of NetScaler Gateway.

    • Use Case: VDA solution to provide secure access to Desktop in StoreFront via end-to-end DTLS.
    • It is similar to TLS except works on UDP instead of TCP
    • 3 supported ciphers:
      • TLS_RSA_WITH_AES_256_CBC_SHA
      • TLS_RSA_WITH_AES_128_CBC_SHA
      • TLS_RSA_WITH_3DES_EDE_CBC_SHA

    Hybrid ECC on 14xxx MPX-FIPS platform – Hybrid-ECC feature is now available on the N3-FIPS platform (ECDHE-RSA2K)

    • Hybrid ECDH Approach (CPU + Card processing)
    • Offload ECC operations to software/CPU (to configured CPU quota)
    • Additional ECC operations done on card
    • RSA Operations done on card
    • Hybrid ECC Feature – Disabled by default
    • Enable by configuring “Software Crypto acceleration CPU threshold” SSL Parameter
    • E.g. “set ssl parameter -softwareCryptoThreshold 90”

    New DoD CA chain support

    The appliance now supports the new Department of Defense CA chain, used with CAC smart card authentication.

    SSL Certificate Classification

    When installing a certificate-key pair, the NetScaler is able to determine which certificate type/s these certificates should be classified as. Any certificate (whether it be Server, Client, Root, or Intermediate) that is installed with a private key can be classified and bound to a virtual server or service as both a server and client certificate. This means that the NetScaler is now able to classify certificates as more than one type.

    Unknown Certificates bucket in the GUI – a new GUI enhancement allows users to see certificate-key pairs that could not be classified as Server, Client, Root, or Intermediate. These are classified as Unidentified in the CLI and can be seen in the Unknown Certificates bucket through the GUI:

    Unknown Certificates

Related:

  • No Related Posts

SSL Handshake Fails When Server Name Indication (SNI) is Enabled on NetScaler

Citrix Leave a comment

SSL handshake fails when Server Name Indication feature is enabled on NetScaler.

User-added image

Server Name Indication aka SNI is an extension of the TLS protocol. For SNI to work, the server name in the client hello must match the host name configured on the back-end service that is bound to an SSL virtual server.

For example, if the host name of the backend server is www.mail.example.com, the SNI-enabled back-end service must be configured with the server name as https://www.mail.example.com, and this host name must match the server name in the client hello.

Related:

  • No Related Posts

7023362: Failed to create certificate request – countryName

Novell Leave a comment

This document (7023362) is provided subject to the disclaimer at the end of this document.

Environment

Privileged Account Manager

Situation

Unable to create a Certificate Signing Request (CSR) from the Hosts Console
The following browser dialog error when requesting a certificate for the framework manager console:
Failed to create certificate request
The following is found in the unifid.log:
Error, Error adding attribute countryName to request

Info, SSL Error: error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long

Info, admin certRequest client:localhost user:admin@<hostname>(137.65.60.249) rc:0 status:500(Failed to create certificate request) (66ms)[42078208:42078208]<90112><327680>

Resolution

The Country field of a Certificate Signing Request should be a 2-character ISO format country code.
More details can be found from documentation provided by the Certificate Authority (CA).
The following is a list of SSL Certificate Country Codes provided by Digicert as an example:

Cause

Invalid details provided in conflict with the certificate authority documentation.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.

Related:

  • No Related Posts

7006420: How to Import an External CA Signed Wildcard certificate

Novell Leave a comment
When you receive your certificate from the Vendor, you will haveseveral files. One will be the server private key. Ifyou open this file with a text editor, you will see somethingsimilar to the following:

—–BEGIN RSA PRIVATE KEY—–

o/1KusAd+1KqVZmhxD1ECkWSAwPRZxd6Xx4fuzoqcwjbBTOZcfXQi5tZBK+OeK1n

.

.

vVl+Gjj5DQv5GrKQ4vZ3OZvYKnHxP6My9tV8t8xM5pMULc90C0HDzA==

—–END RSA PRIVATE KEY—–

The file with these begin and end tags is the server private keyfile.

Other files provided will be the server certificate file, and anyintermediate and root Certificate Authority files. These willlook like this:

—–BEGIN CERTIFICATE—–

MIIFcjCCBFqgAwIBAgIkAhwFYuVdlS9r5T0XyUHdXvbwz2cWs2HjTK6bNf0yAgIT

.

.

—–END CERTIFICATE—–

To import an externally signed certificate into eDirectory 8.8 thatwas not originally generated from a CSR created within eDirectory,you must have the certificate in .PFX format. The typicalfiles given you by the Certificate Vendor can be converted to PFXformat using the OpenSSL tool. This tool is typicallyavailable by default on Linux based system, or Windows versions areavailable for Download on the internet. See below if you needdetails on OpenSSL availability.

OpenSSL is a command line only tool. If you are running inWindows 7, it must be run as Administrator. Command lineformat for the conversion is:

> openssl pkcs12 -export -inkey <yourServerPrivateKeyFile>-in <yourServerCertificateFile> -certfile<intermediateCAFilename> -certfile <rootCAFilename>-out <newCertifcateFile>.pfx

example:

> openssl pkcs12 -export -inkey server.key -in mycertificate.crt-certfile intermediateCA.crt -certfile rootCA.crt -outmycert.pfx

When you run this command, it will prompt you for a password toencrypt the server private key (twice for confirmation). Enter any password you like, but be sure to remember it, as youwill need it during the eDirectory import process. Ifyou have more than one intermediate CA file, just add as many-certfile parameters as needed. If you have the whole chainof CA certificates in one file, you only need one instance of the-certfile parameter.

To import the .pfx file into eDirectory, launch iManager2.7. You need a relatively recent version (2008 orlater) of the Certificate Server plugin loaded in iManager to havethe proper task to import the certificate.

1. Open iManager and connect to the server you wish to host thiscertificate on, e.g. Srv1.

2. Under the Novell Certificate Access role, click the ServerCertificates task. This will open a page showing all yourcurrent certificates.

3. In the blue bar at the top of the page the name of the serverbeing accessed is shown. Verify this is where you want thecertificate to be. If this isn’t the right server, click themagnifying glass and browse to the server you want the certificateto be hosted on, then click the ‘New’ command.

4. In the dialog box that opens, specify a name for the certificateobject. This is not the actual certificate subject name, butthe name of the object in eDirectory that will hold the certificatedata. Click the ‘Import’ radio button, then click Next.

5. A new dialog box opens to specify the file toimport. Click the browse button and browse to where you savedthe .pfx file from above. Enter the certificate password(used during the creation of the pfx file).

6. A summary screen of the file to be imported is shown. Justclick next here.

7. Another summary screen, click finish. If all is validated,your certificate will be imported and stored on the object name yougave.

8. Click Close, and the new certificate will show up in the list ofcertificates hosted on this server. Click the check box nextto your newly created certificate, then click verify to ensure itis working properly.

Your wildcard certificate is now imported into eDirectory, and canbe used like any other certificate in eDirectory. E.g., youcan set your NetWare Apache module to use this new certificate bychanging the certificate name listed insys:apache2confhttpd.conf on the secureListen directive.

Related:

  • No Related Posts

7016795: History of Issues Resolved for iManager 3.x

Novell Leave a comment
____________________________________________________________________________________________________________________

Issues resolved in iManager 3.1.1.1

September 2018

Tomcat 8.5.32

Java 1.8.0_181

FRAMEWORK

– Tomcat updated to 8.5.32 (Bug 1103143) (CVE-2018-8037 CVE-2018-1336 CVE-2018-8034)

OTHER

– Update JRE version to 1.8.0_181 (Bug 1107600) (CVEs in Oracle July 2018 Update Advisory)

____________________________________________________________________________________________________________________

Issues resolved in iManager 3.1.1

June 2018

Tomcat 8.5.30

JRE 1.8.0_172

FRAMEWORK

– Security vulnerability: multiple XSS weaknesses resolved (Bug 1079563/1080897) (CVE-2018-12462)

– Correct querying of latest plugins against those available (Bug 1094292)

OTHER

– Enhancement: RHEL 7.5 now supported (Bug 1093801)

– Login failure events look the same as those that complete (Bug 1080091)

– Installation returns fatal error due to version mismatch on libstdc++ (Bug 1088289)

– Windows installation not installing NICI if VC++ is already on server (Bug 1094012)

– A reinstall returns the SSL port selected is not valid or in use (Bug 1092676)

– Maxiumum version used to prevent duplicate plugins from being shown (Bug 1092674)

____________________________________________________________________________________________________________________

Issues resolved in iManager 3.1

March 2018

Tomcat 8.5.27

JRE 1.8.0_162

FRAMEWORK

– Potential XSS vulnerability closed (Bug 1063334) (CVE-2018-1347)

– 625 error when browsing a NSS directory on a cluster volume in iManager (Bug 1010818)

PLUGINS

– Secure transfer for plugin downloads (Bug 149319/1056490/1056487)

– Error -601 when setting the simple password for a user object having il8n characters in its name (Bug 1039287)

– Partition mgt: unable to add R/W replica when using a different locale (Bug 1003550)

OTHER

– Upgrades: NAudit and XDAS configuration file is getting reset (Bug 1010379)

– HSTS filter has been added in iManager web.xml file to enable Strict-Transport-Security (Bug 1045513) (CVE-2018-1344)

– Localization Fixes (930696/957746/930662/956947/960824/957256/957747/960797/960821/960822/960822/960823/960825/1079576)

____________________________________________________________________________________________________________________

Issues resolved in iManager 3.0.4

September 2017

Tomcat 8.0.45

JVM 1.8.0_144

NICI 3.0.3

FRAMEWORK

– Enhancement: RHEL 7.4 platform added (Bug 1058665)

– Enhancement: Windows 2016 support added (Bug 1025843)

– Timezone attribute is not interpreted correctly (Bug 1028890)

– Warning message overlapping with the driver name in the Driver Cache Inspector page (Bug 880032)

– “Cannot add empty strings” message when canceling changes (Bug 1034833)

– “Illegal character range near index 110” seen in driver’s status log (Bug 1038076)

– After selecting more than 100-300 objects no task is presented when clicking the button (Bug 1049152)

– Pop is thrown ‘value entered must be between 1 and 365’ after selecting another tab modifying user (Bug 1050586)

– Server redirection not working correctly when downloading plugins (Bug 1050868)

– Cannot uninstall plugins if both iManager Workstation 3.x and 2.77.x are installed on the same workstation (Bug 1053408)

– Object selector not honoring results per page setting (Bug 1042139)

– XSS attack hole closed (Bug 1052480) (CVE-2017-9276: internally found)

OTHER

– Audit: iManager is failing to Connect to Sentinel when Audit Connector is in STRICT mode (Bug 1022794)

– Upgrades left behind old iManager and plugin-base npms (Bug 870414)

– Some plugins could not be uninstalled (Bug 1037836)

– Tomcat updated (Bug 1048460)

– Java update (Bug 1049613)

– NICI updated (Bug 1052693)

____________________________________________________________________________________________________________________

Issues resolved in iManager 3.0.3.2 (303 Patch 2)

July 2017

Tomcat 8.0.44

JVM 1.8.0_131

FRAMEWORK

– Reflected XSS vulnerabilities (Bug 1038679) (CVE-2017-7425)

– Views: unable to add an IP address restriction to a user object (Bug 1030616)

TOMCAT

– Update Tomcat to 8.0.44 (Bug 1046831) (CVE-2017-5664,CVE-2017-5648,CVE-2017-5647,CVE-2016-8735,CVE-2016-6816)

JVM

– Updated to 1.8.0_131 (Bug 1045911)

____________________________________________________________________________________________________________________

Issues resolved in iManager 3.0.3.1 (303 Patch 1)

May 2017

– Potential webshell upload vulnerability (Bug 1027619) (CVE-2017-7432)

– Framework: persistent XSS vulnerability (Bug 1030691) (CVE-2017-7430)

– Object Mgt: vulnerable to persistent XSRF (Bug 1030692) (CVE-2017-7431)

– Tomcat: issue identified in the renegotiation of connection parameters (Bug 1029431) (CVE-2017-7428)

_____________________________________________________________________________________________________________________

Issues resolved in iManager 3.0.3

April 2017

NICI: 3.0.2

Tomcat: 8.0.37-1

Java: 1.8.0_112-1

FRAMEWORK

– iManager server cannot connect to Sentinel using the embedded private key. (Bug 1021637) (CVE-2017-5189)

– View objects, search, object, click on object and the Modify Object operation is not seen.. (Bug 1026609)

– Red Hat 7.3 now supported. (Bug 1027056)

Tomcat

– Time delay different between an invalid user and password. (Bug 1017876)

– iManager install log now masks jre default keystore password. (Bug 1023991)

– Nessscan reports in SSL 64-bit Block Size Cipher Suites Supported (SWEET32) in iManager 3.0.2. (Bug 1010732)

OTHER

– iManager updates overwritting the config.xml file. (Bug 1010839)

– Plugin installation: cannot uninstall the password management plugins. (Bug 1020092)

– Cannot install IDM 4.6 plugins on an upgraded iManager setup. (Bug 1022565)

– Configure: upgrade is not preserving configuration leading to Jcache not starting. (Bug 1024529)

_____________________________________________________________________________________________________________________

Issues resolved in iManager 3.0.2.1

February 2017

OTHER

– JCE unlimited cipher option jar no longer installed by default for ECDSA384 certificates. (Bug 1023402/1023024)

For more informaton: https://www.netiq.com/documentation/imanager-3/imanager_admin/data/b8qrh89.html#btubnyq

NAUDITXDAS

– iManager failing to connect Sentinel 7.4.2 and above version (Bug 1019789) (CVE-2017-5186)

– iManager is failing to Connect to Sentinel when Audit Connector is in Strict mode (Bug 1024955)

Auditing collectors, platform agents, instrumentation, etc. have been modified to use eDirectory certificates in order to connect to Sentinel servers versioned 7.4.2 and above. The previously used embedded certificate can no longer be used with Java 1.8. This certificate issue has required the modification of the following components. The updated files can be found on the respective product’s patch page.

1019041/987162 – eDir

1021637/1019789 – iMgr

999186/1019573 – PA

10195431011208 – IDM

1021391 – RBPM

1013758 – Naudit connector

_____________________________________________________________________________________________________________________

Issues resolved in iManager 3.0.2

November 2016

Tomcat: 8.0.37

Java: 1.8.0_102

PA: PA 2011.1r4 2.0.2-79

FRAMEWORK

– Added support for SLES12 SP2 (Bug 994329)

– Added support for RH 6.8 (Bug 991880)

– Consume Tomcat: 8.0.37 (Bug 997226/1004423)

– Warning message ‘Profile Missing’ pseen when launching iManager Windows Workstation (Bug 939510)

– iManager no longer installs 32-bit NICI packages (Bug 944512)

– Multiple NICI install issues resolved (Bug 966589/994068/994037)

– Getting “Error-634” error message when clicking on “Connections” tab under LDAP options (Bug 966672)

– Consume latest Java: 1.8.0_102 (Bug 995946/1006942)

– iManager displays secondary loopback address on completion (Bug 999237)

– Applying patch 4 to iManager 277 removes groups from novlwww user (Bug 1002179)

– Consume latest PA: 2011.1r4 2.0.2-79 (Bug 1005510)

– iManager uninstall does not cleanly uninstall its components (Bug 984889/986022/1002720)

– Need to mask IDP server backtrace when exceptions occur (Bug 992108)

– Some functions prone to Reflected Cross-Site Scripting attacks (Bug 992110)

– Cross-Site-Request-Forgery-Prevention not Working properly under heavy load (Bug 992111)

– Potential command execution vulnerability resolved (Bug 946043)

Tomcat

– Consume latest Tomcat: 8.0.37 (Bug 1002722)

– Tomcat 8.x vulnerable to CVE-2015-5351

– Nessus scan reports in SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) (Bug 963892) (CVE-2015-4000)

– Process runs from system account (Bug 992106)

OTHER

– Plugin Installation: .htaccess exists and is not restricted on the NAM admin console server (Bug 979235)

_____________________________________________________________________________________________________________________

Issues resolved in iManager 3.0.1

June 2016

Tomcat 8.0.22

NICI: 3.0.1

JAVA: 1.8.0_77

FRAMEWORK

– Improvements made to only display available plugins that are compatible. (Bug 928695/973975)

– Enhancement: IDM support has been added. (Bug 970007)

– Safeguard iManager framework binaries during plugin uninstall process. (Bug 977353)

– iManager patch installer is not creating patch install logs. (Bug 906564)

TOMCAT

– Nessus scan reporting iManager is potentially vulnerable to Clickjacking. (OTG-CLIENT-009) (Bug 963890)

– iManager not listening after rebooting RHEL 7.2 server. (Bug 975678)

JAVA

– Updated to 1.8.0_77. (Bug 973128)

PLUGINS

– Cannot remove dash from phone number. (Bug 972633)

OTHER

– Installation is now prevented if a version of eDirectory lower than 9.0 is present. (Bug 976133)

– Admin Guide has been revised. (Bug 985323)

_____________________________________________________________________________________________________________________

Issues resolved in iManager 3.0 FCS

January 2016

Tomcat 8.0.22

NICI: 3.0

JAVA: 1.8.0_66

OpenLDAP: 2.1.25

FRAMEWORK

– Enhancement: Tomcat 8 support. (Bug 932438)

– Enhancement: Multi-tree support. (Bug 921490)

– Enhancement: TLS 1.2 support. (Bug 922920)

– Enhancement: Suite B support. (Bug 920352)

– Enhancement: UAP support added. (Bug 921046)

– Enhancement: iManager now supports EC certificates and enforces cipher options 128 and 192. (Bug 919946)

– Enhancement: iManager 3.0 now uses NICI 3.0. (Bug 958575)

– Ebaclientinit utility now bundled with iManager so the uap.p12 certificate can be downloaded. (Bug 920328/927784)

– Platforms tested: SLES12 SP1, SLES 11 SP4, SLED 12, OpenSUSE 13.2, Redhat 7.1 and 7.2. (Bug 914251/927929/949916/958468)

– Group plugin throws an error if there are unspecified addresses defined on the LDAP server object. (Bug 923881)

– Windows based iManager using IE 11 browser is not populating tree view objects. (Bug 881861)

– Objects not displaying in the right pane in view objects link. (Bug 902177)

– The platform.xml file is no longer used. (Bug 926495)

– Plugins updated to allow for nesting enhanced nested groups. (Bug 962772)

– Plugins that are not compatible with iManager 3.0 should not display as available. (Bug 928695)

TOMCAT

– Enhancement: standalone iManager now works with 64bit Java 1.8. (Bug 766367/953133)

INSTALL

– Suite B options added to silent install. (Bug 920829/932012)

______________________________________________________________________________________________________________________

Related:

How Do I Configure end-to-end SSL on NetScaler?

Citrix Leave a comment

NetScaler CLI

Complete the following steps to configure end-to-end SSL on NetScaler using CLI:

  1. Enable SSL Offloading feature:

    enable ns feature ssl

  2. Add SSL based services:

    Note: The service that is configured must use SSL protocol to ensure that the backend connection is secure. If configured as HTTP service, then it will not support NetScaler to backend server security and hence it will not be an end to end SSL configuration.

    > add service servicessl1 10.102 .216.29 SSL 443

    Done

    > add service servicessl2 10.102 .216.30 SSL 443

    Done

  3. Add an SSL virtual server.

    add lb vserver vserverssl SSL 10.102.216.180 443

    Done

  4. Add a certificate-key pair:

    > add SSI certKey sslckey -cert ns -server. cert -key ns-server.key -password ssl -expiryMonitor ENABLED -notificationperiod 30

    Done

  5. Bind the SSL key pair to the SSL vserver.

    bind ssl vs vserverssl -certkeyName sslckey

    Done

  6. Bind the SSL services to the SSL virtual server.

    > bind 1b vserver vserverssl servicessl1

    Done

    > bind 1b vserver vserverssl servicessl2

    Done

NetScaler GUI

Complete the following steps to configure end-to-end SSL on NetScaler using GUI:

  1. Enable SSL Offloading feature.

    Go to System > Settings > Configure Basic Features > check SSL Offloading.

    Note: Ensure that load balancing is checked as well.

    User-added image

  2. Add SSL based services.

    Note: The service that is configured must use SSL protocol to ensure that the backend connection is secure. If configured as HTTP service, then it will not support NetScaler to backend server security and hence it will not be an end to end SSL configuration.

    Go to Traffic Management > Load Balancing > Services > Add.

    User-added image

  3. Add an SSL virtual server.

    Go to Traffic Management > Load Balancing > Virtual Servers > Add.

    User-added image

  4. Add a certificate-key pair.

    On NetScaler GUI: Go to Traffic Management > SSL > Certificates > Install.

    User-added image

  5. Bind the SSL key pair to the SSL vserver.

    Go to Traffic Management > Load Balancing > Virtual Servers > select the virtual server you wish to bind the certificate to > Edit > Certificates > Server Certificates > select the certificate you wish to bind to the virtual server > Bind.

    User-added image

    User-added image

    User-added image

    User-added image

  6. Bind the SSL services to the SSL virtual server.

    Go to Traffic Management > Load Balancing > Virtual Servers > select the virtual server you wish to bind the services to > Edit > Service Binding > select the services to be bound to virtual server > Bind.

    User-added image

For additional configuration details refer to Citrix Documentation – Configuring SSL Offloading.

Additional/Optional Configuration Steps

There are two additional key features on backend SSL which you can configure:

  • Performing server certificate authentication on NetScaler by enabling it on NetScaler.
  • Sending client certificate to the backend sever for authentication.

Server Certificate Authentication on NetScaler

The server certificate authentication can be enabled on a NetScaler SSL service when the NetScaler wants to verify that the certificate sent by the backend server is for the same hostname as requested by the client.

Go to Traffic Management > Load Balancing > Services > select the SSL service on which you wish to enable Server Certificate Authentication > Edit > SSL Parameters > check Enable Server Authentication.

User-added image

Sending Client Certificate to the Backend Server

Usually this option need not be enabled if NetScaler and Server reside in the same secure zone. If not the case, then this option can be enabled for additional security. The bound Client Certificate would be sent to the backend sever when the server demands a certificate from the client (in this case NetScaler) to authenticate its identity.

Go to Traffic Management > Load Balancing > Services > select the SSL service on which you wish to enable Server Certificate Authentication > Edit > Certificates > Client Certificates.

User-added image

User-added image

Related:

  • No Related Posts

NetScaler TLS 1.1/1.2 Causes Interruption in Downloading/Uploading Files Due to Window Size Leak

Citrix Leave a comment

The issue is caused because of the TLS 1.1 and TLS 1.2 ( issue ID 0591600) in the NetScaler firmware which causes a leak in the window size. This issue is fixed in the 10.5.60.x+, 11.0.64.x+ and 11.1 builds.

Workaround

The following are the workarounds for this issue:

  • Downgrade to NetScaler 10.5.56.x
  • Disable TLS 1.1 and TLS 1.2 on NetScaler.

In case the issue occurs with StoreFront/XenMobile as the back end where you do not have an option to disable the TLS 1.1 and 1.2 then you can create a service on NetScaler for StoreFront/XenMobile IP and disable TLS 1.1 and TLS 1.2 on that. When you create this service on NetScaler even though it is not bound to any load balancer the NetScaler uses the property of this service which is helpful in these scenario.

Additional Scenarios

Scenario 1:

In some cases even after disabling TLS1.1 or TLS1.2 on NetScaler running 10.5-59.x still the user experiences issues in sending email with attachments if there there is an Active Sync set up for mobile devices. Users will complain of issue where they are not able to send emails from mobile devices. If you capture nstrace you can observer the same behavior where NetScaler will advertise the 0 window size and will never recovers from it.

The fix for this is to see if there is a traffic policy with SSO enabled and used in the config. The following is an example:

add tm sessionAction Sess_Prof_sso_exchange -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -ssoDomain test.com -httpOnlyCookie NO -persistentCookie ON -persistentCookieValidity 30 -homePage “https://owa.test.com”

User-added image

Disable the SSO in the preceding configuration and try again with TLS1.1/1.2 disabled on 10.5-59.x.

This issue with SSO enabled is tracked under the issue ID 0592982.

Scenario 2:

Issue: GSLB MEP status flaps causing problem in the Active Active setup.

Analysis: We notice that every 1 hour 10 minute there is a flap in the GSLB site

 45 126000 1 1 0 sitemetric_mep_state gslbsite_10.213.254.124:(GSLBI-SITE-MER2) Tue Oct 13 20:02:10 2015 47 112000 1 1 0 sitemetric_mep_state gslbsite_10.213.254.124:(GSLBI-SITE-MER2) Tue Oct 13 21:12:44 2015 48 1091999 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.124:(GSLBI-SITE-MER2) Tue Oct 13 22:21:13 2015 50 1721999 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.124:(GSLBI-SITE-MER2) Tue Oct 13 23:31:48 2015 52 2351999 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.124:(GSLBI-SITE-MER2) Wed Oct 14 00:42:23 2015 54 2995999 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.124:(GSLBI-SITE-MER2) Wed Oct 14 01:53:12 2015 56 6999 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.124:(GSLBI-SITE-MER2) Wed Oct 14 03:03:33 2015 58 650999 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.124:(GSLBI-SITE-MER2) Wed Oct 14 04:14:22 2015 60 1266999 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.124:(GSLBI-SITE-MER2) Wed Oct 14 05:24:43 2015 62 1896999 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.124:(GSLBI-SITE-MER2) Wed Oct 14 06:35:18 2015

Analysing the other site as well there is exact time difference of 1 hour 10 minute in the flap site

 47 14000 1 1 0 sitemetric_mep_state gslbsite_10.213.254.123:(GSLBI-SITE-MER1) Tue Oct 13 20:02:10 2015 48 1007998 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.123:(GSLBI-SITE-MER1) Tue Oct 13 21:11:35 2015 50 1637998 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.123:(GSLBI-SITE-MER1) Tue Oct 13 22:22:10 2015 52 2267998 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.123:(GSLBI-SITE-MER1) Tue Oct 13 23:32:45 2015 54 2960998 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.123:(GSLBI-SITE-MER1) Wed Oct 14 00:44:23 2015 56 3583998 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.123:(GSLBI-SITE-MER1) Wed Oct 14 01:54:51 2015 58 552998 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.123:(GSLBI-SITE-MER1) Wed Oct 14 03:04:29 2015 60 1238998 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.123:(GSLBI-SITE-MER1) Wed Oct 14 04:16:00 2015 62 1868998 0 -1 0 sitemetric_mep_state gslbsite_10.213.254.123:(GSLBI-SITE-MER1) Wed Oct 14 05:26:35 2015

Further analyzing the NetScaler Trace files, We see window size 0 between snip to site ip

User-added image

Further we do see the port for MEP is used is secure i.e 3009 and the SSL handshake version used by SNIP is 0.x0303

User-added image

All these parameters proves that this is duplicate of known issue ID 0591600:- TCP window depletion with TLSv1.2 protocol use on the backend side.

To workaround this issue, go to System > Network > RPC Node > edit the site IP address on the NetScaler and uncheck the Secure box so that SSL is not used.

Related: