IBM Support

LDAP user authentication using SSLv3 in ClearQuest

Technote (troubleshooting)


Problem(Abstract)

In order to address an SSLv3 (Secure Socket Layer) protocol vulnerability referred to as a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, the SSLv3 protocol version has been now disabled for IBM Rational ClearQuest LDAP (Lightweight Directory Access Protocol) authentication using SSL.

Symptom

To address this vulnerability, starting in 7.1.2.16, 8.0.0.13, and 8.0.1.6, SSLv3 protocol version is disabled by ClearQuest and LDAP authentication will fail if its attempted.

If you use SSLv3 exclusively through your LDAP provider, authentications / logins will now fail (as of version 7.1.2.16, 8.0.0.13, and 8.0.1.6) with the generic message:

Invalid Credentials: Either the login name or the password is incorrect.


Diagnosing the problem

ClearQuest user authentication is not vulnerable to the POODLE attack if:

  • User authentication with LDAP has not been configured for ClearQuest

    or
  • User authentication with LDAP is not configured to use SSL (unencrypted authentication, and thus insecure anyway) [not recommended]

    or
  • User authentication with LDAP is configured to use Transport Layer Security (TLS) which is available only in version 8.0.1 or higher.

    or
  • User authentication with LDAP utilizes an LDAP provider in which the organization's LDAP administrator has confirmed that SSLv3 support is disabled.

Resolving the problem

You are urged to consult your organization's LDAP provider administrator as well as the documentation from your LDAP provider vendor on how to configure/enable more secure protocols, and to explicitly disable SSLv3 support on your LDAP provider.

For IBM Tivoli Directory Server (LDAP provider) - review security bulletin 1687611: Security Bulletin: Vulnerability in SSLv3 affects Directory Server (CVE-2014-3566) for more details.

If you use ClearQuest 8.0.1, you may configure LDAP user authentication with TLS which is secure. Review technote 1646724: Configuring IBM Rational ClearQuest with LDAP user authentication for TLS 1.2 or TLS 1.1 to support NIST SP 800-131A guidelines for more details.

If it is necessary for your LDAP/SSL configuration to continue using SSLv3 even given this vulnerability, please contact Rational Customer Support for further instruction, and reference this technote.

Note: Other product features may be vulnerable to a POODLE attack where SSL is used, such as IBM HTTP Server (IHS) and IBM WebSphere Application Server (WAS).

Document information

More support for: Rational ClearQuest
User Administration - LDAP

Software version: 7.1, 7.1.1, 7.1.2, 7.1.2.15, 7.1.2.16, 8.0, 8.0.0.12, 8.0.0.13, 8.0.1, 8.0.1.5, 8.0.1.6

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 1689920

Modified date: 10 December 2014