An attacker with access to the memcached port (port 11211 by default) on the PCA can read memcached operational data, read the TLS session state of any active session, and cause a denial of service by writing specially crafted data (or simply clearing the cache).
PCA uses memcached and libmemcached to manage a shared cache of shadowed TLS session state, so that it can decrypt a resumed TLS session.
The cache is used whenever TLS decryption is enabled, even if there is only one PCA.
PCA runs memcached with authentication disabled. The cached data is not encrypted by default; a customer can configure the system to encrypt it, but the AES key used is easy to determine, so that encryption does not by itself protect the session state.
To protect memcached data from unauthorized access, perform the following steps:
- Create a user name and password by running the following script:
    cd /usr/local/ctccap/sbin
    ./sasl-username-password.sh
- Verify that the user name has been added to the SASL database by running the following command:
    cd /usr/local/ctccap/sbin
    ./sasldblistusers2 -f $installed_path/sasldb
- Update the PCA configuration:
    cd /usr/local/ctccap/sbin/etc/
  Note: If the PCA is a member of a memcached pool, the user name and password must be the same on every member of the pool.
  - For a new PCA installation, locate the Pool section of the XML and edit the following lines:
      vim ctc-conf.xml
      <SaslAuth>true</SaslAuth>
      <MemcachedUser>username</MemcachedUser>
      <MemcachedPassword>userpassword</MemcachedPassword>
  - For an upgrade of an existing PCA installation, locate the Pool section of the XML and add the following lines (refer to ctc-conf-defaults.xml):
      vim ctc-conf.xml
      <SaslAuth>true</SaslAuth>
      <MemcachedUser>username</MemcachedUser>
      <MemcachedPassword>userpassword</MemcachedPassword>
- For a new PCA installation:
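The following script audits the result of the procedure above: it checks each PCA's ctc-conf.xml for SaslAuth/MemcachedUser/MemcachedPassword, enforces the pool note (every member must carry the same credentials), and flags a config file that other local users can read, since the password is stored in clear text. It is an added example, not part of this page or of the PCA software. It assumes the three elements sit under a <Pool> element (the page only says "the Pool section"), and the sample configuration fragments are constructed for illustration.

```python
"""Audit the memcached SASL settings that the procedure above puts into ctc-conf.xml.

Added example; not part of the page or of the PCA software. Assumptions: the
<SaslAuth>, <MemcachedUser> and <MemcachedPassword> elements sit under a <Pool>
element (the page only says "the Pool section"); the sample fragments below
are constructed.
"""
import os
import stat
import xml.etree.ElementTree as ET

# Constructed ctc-conf.xml fragments for three PCAs sharing one memcached pool.
NODE_A = """<ctc-conf><Pool>
  <SaslAuth>true</SaslAuth>
  <MemcachedUser>pcacache</MemcachedUser>
  <MemcachedPassword>example-only-password</MemcachedPassword>
</Pool></ctc-conf>"""

NODE_B = NODE_A  # configured identically, as the pool note requires

# Upgraded node where the three lines were never added to the Pool section.
NODE_C = """<ctc-conf><Pool>
  <!-- SaslAuth, MemcachedUser and MemcachedPassword never added -->
</Pool></ctc-conf>"""


def pool_section(xml_text):
    """Return the <Pool> element, or None when the file has no Pool section."""
    root = ET.fromstring(xml_text)
    return root if root.tag == "Pool" else root.find(".//Pool")


def _text(pool, tag):
    """Stripped text of a direct child element, or None when it is absent."""
    value = pool.findtext(tag)
    return value.strip() if value is not None else None


def check_node(name, xml_text):
    """Findings for one PCA; an empty list means SASL auth is fully configured."""
    pool = pool_section(xml_text)
    if pool is None:
        return [f"{name}: no Pool section in ctc-conf.xml"]
    findings = []
    if (_text(pool, "SaslAuth") or "").lower() != "true":
        findings.append(f"{name}: SaslAuth is not true, memcached still accepts unauthenticated clients")
    if not _text(pool, "MemcachedUser"):
        findings.append(f"{name}: MemcachedUser is missing or empty")
    if not _text(pool, "MemcachedPassword"):
        findings.append(f"{name}: MemcachedPassword is missing or empty")
    return findings


def check_pool(configs):
    """configs maps PCA name -> ctc-conf.xml text for every member of one memcached pool.

    Besides the per-node checks this enforces the note from the procedure:
    all members of a pool must use the same user name and password.
    """
    findings = []
    creds = {}
    for name, xml_text in configs.items():
        findings.extend(check_node(name, xml_text))
        pool = pool_section(xml_text)
        if pool is not None:
            creds[name] = (_text(pool, "MemcachedUser"), _text(pool, "MemcachedPassword"))
    if len(set(creds.values())) > 1:
        findings.append("pool: MemcachedUser/MemcachedPassword differ across " + ", ".join(sorted(creds)))
    return findings


def unsafe_mode(mode):
    """True when the permission bits let group or other users read/write the file."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def check_file_mode(path):
    """The password sits in the XML in clear text, so the file must be owner-only (chmod 600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if unsafe_mode(mode):
        return [f"{path}: mode {oct(mode)} lets other local users read MemcachedPassword (use chmod 600)"]
    return []


if __name__ == "__main__":
    for finding in check_pool({"pca-a": NODE_A, "pca-b": NODE_B, "pca-c": NODE_C}):
        print(finding)
```

Run it against the real files with check_pool({host: open(path).read() for host, path in ...}) and check_file_mode on each ctc-conf.xml; the pool check is what catches the common upgrade mistake of adding the three lines on some PCAs but not others.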