LDAP user authentication using SSLv3 in ClearQuest
To address the SSLv3 (Secure Sockets Layer version 3) protocol vulnerability known as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, the SSLv3 protocol version has now been disabled for IBM Rational ClearQuest LDAP (Lightweight Directory Access Protocol) authentication over SSL.
Starting in 22.214.171.124, 126.96.36.199, and 188.8.131.52, ClearQuest disables the SSLv3 protocol version, and any LDAP authentication that attempts to use it will fail.
If your LDAP provider supports only SSLv3, authentication (login) will now fail (as of version 184.108.40.206, 220.127.116.11, and 18.104.22.168) with the generic message:
Invalid Credentials: Either the login name or the password is incorrect.
Diagnosing the problem
ClearQuest user authentication is not vulnerable to the POODLE attack if:
- User authentication with LDAP has not been configured for ClearQuest
- User authentication with LDAP is not configured to use SSL (unencrypted authentication, and thus insecure anyway) [not recommended]
- User authentication with LDAP is configured to use Transport Layer Security (TLS), which is available only in version 8.0.1 or higher.
- User authentication with LDAP utilizes an LDAP provider in which the organization's LDAP administrator has confirmed that SSLv3 support is disabled.
Resolving the problem
You are urged to consult your organization's LDAP provider administrator as well as the documentation from your LDAP provider vendor on how to configure/enable more secure protocols, and to explicitly disable SSLv3 support on your LDAP provider.
For IBM Tivoli Directory Server (as LDAP provider), review security bulletin 1687611, Security Bulletin: Vulnerability in SSLv3 affects Directory Server (CVE-2014-3566), for more details.
If you use ClearQuest 8.0.1, you may configure LDAP user authentication with TLS, which is not affected by the SSLv3 vulnerability. Review technote 1646724, Configuring IBM Rational ClearQuest with LDAP user authentication for TLS 1.2 or TLS 1.1 to support NIST SP 800-131A guidelines, for more details.
If it is necessary for your LDAP/SSL configuration to continue using SSLv3 even given this vulnerability, please contact Rational Customer Support for further instruction, and reference this technote.
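The following is an added example, not code from this technote or from IBM ClearQuest. It shows, from the client side, what the two sections above ask for: a TLS context for LDAP over SSL that can never negotiate SSLv3 (the "Resolving the problem" outcome), plus a small probe that reports which protocol a provider's LDAPS port actually negotiates under that context, which supports the "Diagnosing the problem" check. The host name ldap.example.com, port 636, the TLS 1.2 floor and the verdict labels are assumptions made for the example; the technote itself accepts TLS 1.1 or 1.2.

```python
import socket
import ssl

# Hypothetical LDAPS endpoint used only for illustration; substitute your provider.
LDAP_HOST = "ldap.example.com"
LDAPS_PORT = 636


def hardened_ldaps_context(ca_bundle=None):
    """Client TLS context for LDAP over SSL that can never negotiate SSLv3.

    ca_bundle: optional path to the CA file that signed the provider's
    certificate; None uses the platform trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2          # TLS 1.2 floor (assumed policy)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3      # explicit, for older OpenSSL builds
    return ctx


def context_summary(ctx):
    """Report the settings that matter for POODLE exposure, for auditing."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


def classify_protocol(negotiated):
    """Verdict for the protocol name that SSLSocket.version() returns (labels are ours)."""
    if negotiated is None:
        return "no-handshake"        # provider unreachable, or offers nothing we accept
    if negotiated in ("TLSv1.2", "TLSv1.3"):
        return "ok"
    if negotiated in ("SSLv2", "SSLv3"):
        return "poodle-exposed"
    return "below-floor"             # TLSv1 / TLSv1.1: not POODLE, but under our TLS 1.2 floor


def negotiated_version(host, port, ctx, timeout=5.0):
    """Connect to an LDAPS port and return the protocol actually negotiated, or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    ctx = hardened_ldaps_context()
    print(context_summary(ctx))
    version = negotiated_version(LDAP_HOST, LDAPS_PORT, ctx)
    print(f"{LDAP_HOST}:{LDAPS_PORT} negotiated {version!r}: {classify_protocol(version)}")
```

A "no-handshake" result under this context means the provider offered nothing at or above the floor (or was unreachable); it does not tell you whether the provider still accepts SSLv3 from other clients, since a hardened client, and the OpenSSL builds behind current Python releases, no longer offer SSLv3 at all. That confirmation is exactly what the technote asks you to obtain from your LDAP administrator.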
Note: Other product features may be vulnerable to a POODLE attack where SSL is used, such as IBM HTTP Server (IHS) and IBM WebSphere Application Server (WAS).
Software version: 7.1, 7.1.1, 7.1.2, 22.214.171.124, 126.96.36.199, 8.0, 188.8.131.52, 184.108.40.206, 8.0.1, 220.127.116.11, 18.104.22.168
Operating system(s): AIX, Linux, Solaris, Windows
Reference #: 1689920
Modified date: 10 December 2014