Re: Corrupted keys in ACS SE v3.3.4

mmletzko · ‎12-01-2010

First - I know ACS v3.3.4 is no longer supported. We are getting ready to upgrade our first of 6 infastructures to v4.2, but with 40 of these around the world, it will take some time to get them done. A variety of reasons has kept us from upgrading up until this point.

For a while now we have been dealing with a strange issue that I'm hoping someone could shed some light on. I know we need to upgrade, but if somone knows about this problem and knows how to avoid it - it would really help us in the short term until we complete our upgrade.

Keys are getting corrupted when working in ACS. We're not completely sure what's causing it. We initially noticed it when using Firefox, but now we're noticing it with other browsers too.

The key will magically change to something like this:

5=1g=47a1a7m3;<2112`5<7a;6725`6<25?>72554n7g>0541a6914;3692e

or this:

480d;0164g7?22?251176?1f<d183`593`<164546n6c:0133=3=75<71353

Any ideas on exactly what is causing this? I remember someone mentioning this is related to the browser and version of Java, but I was hoping I could get some specifics.

Thanks!

Javier Henderson · ‎12-01-2010

We are aware of issues with Firefox (for example, CSCsx50157).

mmletzko · ‎12-01-2010

So, according to the Bug Report, this issue will NOT be resolved by upgrading to v4.2.0.124, which is the version we will start upgrading to in the next couple of weeks.

Unfortunately, Firefox was used at some point, and there's nothing we can do about that now. I'm definitely very interested in finding out a solution or workaround because this one has caused us some big headaches.

Thanks Javier.

-Matt

Javier Henderson · ‎12-01-2010

It is fixed on 4.2.1(15), as long as you are upgrading to 4.2.x, please consider going to 4.2.1 instead of 4.2.0

mmletzko · ‎12-01-2010

It is? The bug report should be updated to include this info - it says "release pending". We were already planning on upgrading to v4.2.1.15.2.

Javier Henderson · ‎12-01-2010

Well it shows 4.2.1(15) as the verified release, I am not sure why you are not able to see that, but I will look into this.

The latest cumulative patch for ACS 4.2.1(15) is #3, incidentally.

mmletzko · ‎12-01-2010

OK, thanks again. I guess we'll go to patch 3 then.

mmletzko · ‎12-02-2010

Javier - one more question for you.

During your testing, did you notice if this issue occurs when the key field is left blank?

Also, are there any ramifications to leaving this field blank with regard to security, etc....?

Thanks!

Javier Henderson · ‎12-02-2010

Regarding leaving the shared key blank, are you referring to the group key, or individual AAA client keys?

You can leave the group key blank, but ACS will force you to enter a key for AAA clients.

As for security risks, I can't think of any related to leaving the NDG blank, since you are forced to have an AAA client key.

Finally, related to your first question, I don't recall having the group key blank being the trigger for the problem.

mmletzko · ‎12-02-2010

I'm referring to the individual client keys. ACS doesn't require one in v3.3.4 or 4.2.1.15. I know it works in v3.x as we have some devices without a key. I just tried it in v4.2.1.15 and it accepts a blank.

The reason I asked if you tested the corruption with clients that didn't have keys is because we have not seen this corruption with clients that have blank keys.

Thanks!