If MCollective is enabled in 2018.1, port 61613 might be vulnerable depending on which cipher suites are in use. If you are no longer using MCollective, the simplest way to fix this issue is to remove it. If you are using MCollective, fix the issue by setting ActiveMQ broker cipher suites in the console.
Version and installation information
PE version: 2018.1
Solution
To set ActiveMQ broker cipher suites:
- In the console, navigate to Classification > PE Infrastructure > PE ActiveMQ Broker > Classes.
- Under the class puppet_enterprise::profile::amq::broker, change the parameter stomp_transport_options to:
  {"transport.enabledCipherSuites":"<CIPHER SUITE>","transport.enabledProtocols":"TLSv1,TLSv1.1,TLSv1.2"}
  For example, if TLSv1.2 is available, to use RSA authentication with ECDHE as the key exchange mechanism:
  {"transport.enabledCipherSuites":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","transport.enabledProtocols":"TLSv1,TLSv1.1,TLSv1.2"}
  For a list of cipher suites, see the OpenSSL 1.1.1 documentation.
- On the master, apply the changes by running puppet agent -t
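As an added example (not part of this article and not Puppet's own tooling), the Python script below renders the stomp_transport_options value from one or more IANA/Java suite names, translates each name to OpenSSL's short form so the local OpenSSL can report the suite's key exchange, authentication and AEAD properties, and includes a probe_broker helper for confirming after puppet agent -t which suite the broker on port 61613 actually negotiates. The policy_problems check (rejecting suites without forward secrecy or without AEAD) is this script's own hardening assumption, not a PE requirement, and the host and cafile arguments to probe_broker are placeholders you supply.

```python
"""Build and sanity-check a stomp_transport_options value before classifying it.
Added illustration for the PE 2018.1 ActiveMQ cipher-suite article; the
policy below is this script's assumption, not a Puppet Enterprise rule."""
import json
import socket
import ssl


def iana_to_openssl(name: str) -> str:
    """TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> ECDHE-RSA-AES256-GCM-SHA384.
    The broker (JSSE) uses IANA names; OpenSSL uses its own short names.
    Covers the AES and ChaCha20 suites and raises on anything else."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not an IANA TLS 1.2 suite name: {name}")
    kx_auth, cipher = name[4:].split("_WITH_", 1)
    if kx_auth == "RSA":  # OpenSSL drops the prefix for static-RSA suites
        kx_auth = ""
    if "CHACHA20_POLY1305" in cipher:
        cipher = "CHACHA20-POLY1305"  # OpenSSL omits the SHA256 tail
    elif cipher.startswith("AES_"):
        cipher = cipher.replace("_CBC", "")  # OpenSSL omits "CBC"
        cipher = cipher.replace("AES_", "AES", 1)  # AES_256 -> AES256
    else:
        raise ValueError(f"unsupported cipher in {name}")
    return "-".join(p for p in (kx_auth, cipher) if p).replace("_", "-")


def describe_suite(iana_name: str):
    """Ask the local OpenSSL what it knows about the suite (key exchange,
    authentication, AEAD, strength). Returns None if OpenSSL lacks it."""
    ossl_name = iana_to_openssl(iana_name)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(ossl_name)  # raises if no cipher matches the name
    except ssl.SSLError:
        return None
    for entry in ctx.get_ciphers():
        if entry["name"] == ossl_name:
            return entry
    return None


def policy_problems(iana_name: str):
    """Flag suites a hardening review would reject: unknown to OpenSSL,
    no forward secrecy (static RSA key exchange), or non-AEAD (CBC) modes."""
    info = describe_suite(iana_name)
    if info is None:
        return ["not available in the local OpenSSL"]
    problems = []
    if info["kea"] not in ("kx-ecdhe", "kx-dhe"):
        problems.append(f"no forward secrecy ({info['kea']})")
    if not info["aead"]:
        problems.append("not an AEAD suite")
    return problems


def stomp_transport_options(suites, protocols=("TLSv1", "TLSv1.1", "TLSv1.2")):
    """Render the parameter value in the exact form the console expects.
    The default protocol list mirrors the article; pass a shorter one to
    restrict the broker further."""
    for suite in suites:
        iana_to_openssl(suite)  # reject malformed names before anything is pushed
    return json.dumps(
        {
            "transport.enabledCipherSuites": ",".join(suites),
            "transport.enabledProtocols": ",".join(protocols),
        },
        separators=(",", ":"),
    )


def probe_broker(host: str, port: int = 61613, cafile: str = None):
    """After `puppet agent -t`, confirm what the broker really negotiates.
    Returns OpenSSL's (cipher name, protocol, bits) from a live handshake;
    host and cafile are placeholders for your master and CA certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    suite = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"  # the article's example
    print(stomp_transport_options([suite]))
    print(policy_problems(suite) or "suite passes the checks")
```

Running the script prints the JSON string to paste into the console parameter and an empty problem list for the article's ECDHE/AES-GCM example; a static-RSA CBC suite such as TLS_RSA_WITH_AES_128_CBC_SHA is flagged on both counts. probe_broker only reports what a modern client negotiates, so a broker that still accepts TLSv1 or TLSv1.1 for other clients will not show that in its result.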
Note: Puppet Enterprise 2018.1 is the last release to support MCollective. To prepare for the change, migrate your MCollective work to Puppet orchestrator to automate tasks and create consistent, repeatable administrative processes.