What Do I Do If I Cannot Access the eSight Page Using Internet Explorer After the Patch Is Installed
Question
What do I do if I cannot access the eSight page using Internet Explorer after a patch of eSight V300R010C00SPC630 or a later version or a patch of V300R010C00CP5030 or a later version is installed?
Answer
This occurs because the patch version removes the insecure CBC encryption algorithm. To add the corresponding encryption algorithm back, perform the following operations:
- Log in to the current eSight server as the ossuser user.
  In an HA scenario, you need to perform the operations only on the active server.
- Modify the configuration file /opt/eSight/AppBase/3rdparty/nginx/conf/certificate.conf and change the value of ssl_ciphers as follows:
    ssl_certificate ../../../etc/certificate/application/outserver/outserver.crt;
    ssl_certificate_key ../../../etc/certificate/application/outserver/outserver.pem;
    ssl_certificate_key_password @6f0817ff0d58da93e2dfad85c4927d505767e51d04fae80a73479fd8f7eed263;
    ssl_client_certificate ../../../etc/certificate/application/ca/ca.crt;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_ecdh_curve secp384r1;
    include ../../../etc/iemp.framework/nginx.winfo.conf;
    include ../../../etc/oms.core/nginx.rinfo.conf;
- Add the param configuration item named includeCipherSuites to the /opt/eSight/AppBase/etc/oms.sso/ext/esightsso.sso.ext.xml file and set its value as follows:
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <sso-config>
      <param name="webserverips">10.186.124.201</param>
      <responseHeaders>
        <header name="X-Frame-Options" value="SAMEORIGIN"/>
        <header name="X-Content-Type-Options" value="nosniff"/>
        <header name="X-Download-Options" value="noopen"/>
        <header name="X-XSS-Protection" value="1; mode=block" />
        <header name="Strict-Transport-Security" value="max-age=31536000; includeSubdomains" />
      </responseHeaders>
      <param name="includeCipherSuites">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</param>
    </sso-config>
- Add the configuration item ssl.include.ciphers to the configuration file /opt/eSight/mttools/etc/iemp.fw.roa.inst/roa.inst_ext_mttools.xml and set its value as follows:
    <?xml version="1.0" encoding="UTF-8"?>
    <webservers>
      <webserver name="default">
        <responseHeaders>
          <header name="X-Content-Type-Options" value="nosniff"/>
          <header name="X-Download-Options" value="noopen"/>
          <header name="X-XSS-Protection" value="1; mode=block" />
          <header name="Strict-Transport-Security" value="max-age=31536000; includeSubdomains" />
        </responseHeaders>
        <connectors>
          <connector name="httpsport" type="https">
            <property name="ssl.include.ciphers" value="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA;TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;TLS_RSA_WITH_AES_256_CBC_SHA256;TLS_RSA_WITH_AES_256_CBC_SHA;TLS_RSA_WITH_AES_128_CBC_SHA256;TLS_RSA_WITH_AES_128_CBC_SHA" />
          </connector>
          <connector name="httpsIPV6sport" type="https" allowedModel="ipall">
            <property name="ssl.include.ciphers" value="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA;TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;TLS_RSA_WITH_AES_256_CBC_SHA256;TLS_RSA_WITH_AES_256_CBC_SHA;TLS_RSA_WITH_AES_128_CBC_SHA256;TLS_RSA_WITH_AES_128_CBC_SHA" />
          </connector>
        </connectors>
      </webserver>
    </webservers>
- After the modification, restart eSight for the configuration changes to take effect, then log in to eSight again.
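
Because these steps put CBC suites back into service, it helps to record exactly which weaker suites each listener now accepts. The following is an added example, not Huawei's code: it parses the ssl_ciphers directive and the ssl.include.ciphers property from constructed excerpts that reuse the cipher lists above, and flags CBC mode, static RSA key exchange, SHA-1 MACs and duplicate entries. The function names are hypothetical, and the name-based classification assumes TLS 1.2 suite names such as those on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpts: only the cipher lists are copied from the steps above.
NGINX_CONF = "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA;"
ROA_XML = """<webservers><webserver name="default"><connectors>
<connector name="httpsport" type="https">
<property name="ssl.include.ciphers" value="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA;TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;TLS_RSA_WITH_AES_256_CBC_SHA256;TLS_RSA_WITH_AES_256_CBC_SHA;TLS_RSA_WITH_AES_128_CBC_SHA256;TLS_RSA_WITH_AES_128_CBC_SHA"/>
</connector></connectors></webserver></webservers>"""

def classify(suite):
    """Weakness flags for one TLS 1.2 suite name (OpenSSL or IANA spelling)."""
    name = suite.upper().replace("-", "_")
    flags = set()
    if not any(aead in name for aead in ("GCM", "CCM", "CHACHA20")):
        flags.add("cbc")                  # non-AEAD AES suites use CBC mode
    if not re.search(r"(ECDHE|DHE)_", name):
        flags.add("no-forward-secrecy")   # static RSA key exchange
    if name.endswith("_SHA"):
        flags.add("sha1-mac")             # HMAC-SHA1 record MAC
    return sorted(flags)

def nginx_ciphers(conf):
    """Split the colon-separated value of the ssl_ciphers directive."""
    m = re.search(r"ssl_ciphers\s+([^;]+);", conf)
    return m.group(1).strip().split(":") if m else []

def roa_ciphers(xml_text):
    """Map each connector name to its semicolon-separated cipher list."""
    out = {}
    for conn in ET.fromstring(xml_text).iter("connector"):
        for prop in conn.iter("property"):
            if prop.get("name") == "ssl.include.ciphers":
                out[conn.get("name")] = prop.get("value").split(";")
    return out

def audit(suites):
    """Return ({suite: flags}, [suites listed more than once])."""
    report, dupes = {}, []
    for s in suites:
        if s in report:
            dupes.append(s)
        report[s] = classify(s)
    return report, dupes

if __name__ == "__main__":
    lists = {"nginx": nginx_ciphers(NGINX_CONF), **roa_ciphers(ROA_XML)}
    for source, suites in lists.items():
        report, dupes = audit(suites)
        for suite, flags in report.items():
            print(f"{source:10} {suite:42} {', '.join(flags) or 'ok'}")
        if dupes:
            print(f"{source:10} duplicate entries: {dupes}")
```

Running the same audit against the real files after the change gives a record of the suites to remove again once Internet Explorer access is no longer required.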