Important

Starting with version 8.9.03, BMC Network Automation is renamed to TrueSight Network Automation. This space contains information about BMC Network Automation 8.9.02 and previous versions. For TrueSight Network Automation 8.9.03 and later releases, see the TrueSight Network Automation documentation.

Configuring enhanced security

BMC Network Automation is Federal Information Processing Standard (FIPS) Publication 140-2 compliant and uses the RSA JSafeJCE security provider for FIPS compliance. This topic describes the FIPS 140-2 support (cipher suites, password handling, and the algorithms used for application server, device agent, SSH proxy, device, and SNMP v3 communication) and the handling of CVE-2014-3566.

FIPS 140-2 support

The following sections describe the details of the FIPS 140-2 implementation.

Note

You can find links to the FIPS 140-2 documents on the FIPS Publications page on the National Institute of Standards and Technology (NIST) website:

http://csrc.nist.gov/publications/PubsFIPS.html.

Cipher suites used in the Tomcat server

BMC Network Automation runs in FIPS mode and supports the TLSv1.2 handshake protocol and SHA-256 cipher suites. You can configure these cipher suites in the catalina.properties file. Some of the browsers approved for use with BMC Network Automation, such as Mozilla Firefox and some versions of Microsoft Internet Explorer, do not yet support TLSv1.2. So that these browsers can still reach the BMC Network Automation application server, the SHA cipher suites are still included at the end of the following lists, at the lowest priority:

Cipher suites used in versions 8.9.01 and 8.9.02:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES256-SHA384:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:
DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:
DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:
ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:
ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:
DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:
DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:
DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:
ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:
AES128-GCM-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA

Cipher suites used in version 8.9.00:

TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_NULL_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA


To configure catalina.properties in restricted environments

If your environment requires more restrictive security, as is the case for federal customers, perform the following steps.

  1. Open the BCAN_HOME/tomcat/conf/catalina.properties file in a text editor.
  2. Find the bna.connector.ciphers property in the file.
  3. Delete the following cipher suites from the bna.connector.ciphers property value:

     Cipher suites to be deleted in versions 8.9.01 and 8.9.02:
     AES128-SHA256:AES256-SHA:AES128-SHA

     Cipher suites to be deleted in version 8.9.00:
     TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
     SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

  4. Save the file and exit the text editor.
  5. Restart the web server service.
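The following script carries out step 3 of the procedure above on a catalina.properties file and reports which suites it removed and which were already absent. It is an added example, not BMC's code: it assumes the standard Java properties layout (key=value lines, '#' comments, backslash line continuations) and that the suite separator is ':' for the OpenSSL-style names of 8.9.01/8.9.02 and ',' for the JSSE-style names of 8.9.00, as in the lists on this page. The sample file contents in the block are constructed.

```python
"""Apply step 3 of the restricted-environment procedure: remove the listed
cipher suites from the bna.connector.ciphers value of catalina.properties.

Added example; not BMC's code. Assumes Java properties syntax and the
separators used in the cipher lists on this page.
"""
import re
import sys

PROPERTY = "bna.connector.ciphers"
_PROP_RE = re.compile(r"^(\s*" + re.escape(PROPERTY) + r"\s*=\s*)(.*)$")

# Suites the procedure says to delete, per product version.
SUITES_TO_DELETE = {
    "8.9.02": ["AES128-SHA256", "AES256-SHA", "AES128-SHA"],
    "8.9.01": ["AES128-SHA256", "AES256-SHA", "AES128-SHA"],
    "8.9.00": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
               "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
               "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"],
}


def logical_lines(text):
    """Yield lines with Java-properties backslash continuations joined."""
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip() if buf is not None else raw  # continuation lines drop leading blanks
        if line.endswith("\\"):
            buf = (buf or "") + line[:-1]
            continue
        yield (buf or "") + line
        buf = None
    if buf is not None:  # file ended inside a continuation
        yield buf


def restrict_ciphers(text, version):
    """Return (new_text, removed, missing).

    removed: suites taken out of the property value.
    missing: suites the procedure lists for `version` that were not present
             (already removed, or the file belongs to a different release).
    Raises KeyError for an unknown version, ValueError if the property is absent.
    """
    to_delete = SUITES_TO_DELETE[version]
    out, removed, missing, found = [], [], [], False
    for line in logical_lines(text):
        m = _PROP_RE.match(line)
        if m is None:
            out.append(line)
            continue
        found = True
        value = m.group(2).strip()
        sep = ":" if ":" in value else ","  # OpenSSL-style list vs. JSSE-style list
        suites = [s.strip() for s in value.split(sep) if s.strip()]
        removed = [s for s in suites if s in to_delete]
        missing = [s for s in to_delete if s not in suites]
        out.append(m.group(1) + sep.join(s for s in suites if s not in to_delete))
    if not found:
        raise ValueError(f"{PROPERTY} not found")
    return "\n".join(out) + "\n", removed, missing


# Constructed sample in the 8.9.02 format; the real list is much longer.
SAMPLE_8_9_02 = """# constructed sample, not a real BMC file
bna.connector.port=443
bna.connector.ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:\\
    AES128-GCM-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
bna.connector.sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2
"""

# Constructed sample in the 8.9.00 format (comma-separated JSSE names).
SAMPLE_8_9_00 = ("bna.connector.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256,"
                 "TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA\n")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: restrict_ciphers.py <path to catalina.properties> <version>
        with open(sys.argv[1], encoding="utf-8") as fh:
            new_text, removed, missing = restrict_ciphers(fh.read(), sys.argv[2])
        sys.stdout.write(new_text)  # review, then replace the file and restart the web server
    else:
        new_text, removed, missing = restrict_ciphers(SAMPLE_8_9_02, "8.9.02")
        print(new_text)
    print("removed:", removed, "\nmissing:", missing, file=sys.stderr)
```

The script writes the edited file to standard output rather than in place so the result can be reviewed and the original kept as a backup; running it a second time on its own output removes nothing and lists all three suites as missing, which is a quick way to confirm the edit took.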


Password handling

When local authentication is used, BMC Network Automation stores logon passwords in the database as SHA-256 message digests, which are non-reversible.

Note

Every existing BMC Network Automation user with local authentication is redirected to the Change Password page at first logon after upgrading to version 8.3.00 or later. For details, see Changing user passwords.

BMC Network Automation stores all other passwords (such as device security profile passwords, device agent passwords, and job or predefined job runtime parameters declared as passwords) in the database using the FIPS-compliant PBEWithHmacSHA1AndDESede algorithm, which is reversible. If a password is used during device interaction, such as an FTP password, and the transcript shows it as HIDDEN, it is also stored that way in the database.


Application server and device agent communication

For communication between the BMC Network Automation application server and the BMC Network Automation local and remote device agents, BMC Network Automation uses the TLSv1.2 handshaking protocol and the TLS_RSA_WITH_AES_128_CBC_SHA256 cipher suite.

SSH proxy

BMC Network Automation supports FIPS-compliant encryption algorithms for the SSH proxy connection. Non-FIPS hashing functions, such as the hmac-md5 message authentication algorithm, are no longer supported.

Starting with version 8.9.02, the following algorithms are supported for communication between an SSH client and the BMC Network Automation SSH proxy server (listed by cryptography aspect, with the algorithm/key length used):

Key exchange algorithms:
diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384

Host key algorithms:
ssh-rsa, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384

Encryption algorithms (ciphers):
aes128-ctr, 3des-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, aes192-ctr, aes256-ctr

Message authentication code algorithms:
hmac-sha256, hmac-sha1, hmac-sha1-etm@openssh.com, hmac-sha2-256, hmac-sha256@ssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha512, hmac-sha2-512, hmac-sha512@ssh.com, hmac-sha2-512-etm@openssh.com

SNMP v3 Server configuration

The MD5 authentication algorithm and the DES privacy algorithm have been removed from the configuration options for Simple Network Management Protocol version 3 (SNMP v3) servers in BMC Network Automation. When you upgrade to BMC Network Automation version 8.7.00, existing configurations that used the MD5 authentication algorithm or the DES privacy algorithm are updated to use the SHA authentication algorithm or the AES privacy algorithm, respectively. See Adding or editing an SNMP manager station.


Support for SSH1 deprecated in BMC Network Automation 8.3.00

BMC Network Automation no longer supports SSH1 connections with devices or with any other SSH1 client. The supportsSsh1Access element was removed from the DeviceTypeMap.xml file. The same element was kept in the DeviceTypeMap.xsd file for backward compatibility, which prevents XML parsing errors for old device adapters.

The deprecation of support for SSH1 can affect several supported device adapters: the Cisco VPN 3000 Concentrator Series, Juniper WX Application Accelerators, and Cisco CatOS Switch.

The Cisco VPN 3000 Concentrator Series supports only the SSH1 secure connection protocol and does not support SSH2. Because this device has reached End of Life (EOL), BMC Network Automation changes its access mode from SSH1 to Telnet.

The Juniper WX Application Accelerators support only SSH1 when running JunOS version 5.0. BMC recommends that customers with Juniper WX Application Accelerators in their environment upgrade JunOS to version 5.5 or higher, where SSH2 is supported. Perform the JunOS upgrade before upgrading to BMC Network Automation 8.6.00, because SSH2 is now the only supported mode for BMC Network Automation to access this device.

For the Cisco CatOS Switch, ensure that your model is running a version of CatOS that supports SSH2. Several Cisco CatOS Switch models do not support SSH2, such as the WS-C4003 running CatOS 7.4(1). You must upgrade to a later version of CatOS that supports SSH2.


Agent and device communication over SSH

For communication between the agent and devices, BMC Network Automation establishes an SSH connection with the device. BMC Network Automation uses only FIPS-compliant algorithms for SSH connections with devices.

You must set <enableFIPSModeForSsh> to true for a device adapter when using SSH to connect to a device that uses FIPS algorithms. For information about the <enableFIPSModeForSsh> tag, see Device type header XML element reference.

Note

  • Encryption algorithms cannot be configured in BMC Network Automation; they can, however, be configured on the network device.
  • Because this version of BMC Network Automation uses updated cryptography libraries, the two-key Triple-DES algorithm is not supported beyond 2015 (the three-key Triple-DES algorithm remains supported beyond 2013). With two-key Triple-DES deprecated, you might be unable to make SSH connections to a few network devices. Consider upgrading your device firmware or configuring your devices to use compatible ciphers.

The following table lists the algorithms that are used for handshaking between the BMC Network Automation agent (client) and the device (server), by cryptography aspect, with the algorithm/key length used for client key exchange initiation:

Key exchange algorithms:
  Version 8.9.02: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
  Note: In version 8.9.02, diffie-hellman-group1-sha1 is available only when FIPS mode is set to false, because this algorithm is weak and vulnerable to the Logjam security vulnerability.
  Version 8.9.01: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1
  Version 8.9.00: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

Host key algorithms:
  Version 8.9.02: ssh-dss,ssh-rsa,x509v3-sign-rsa,x509v3-sign-dss,x509v3-sign-rsa-sha1,x509v3-ssh-rsa,x509v3-ssh-dss,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-rsa2048-sha256,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256
  Version 8.9.01: ecdsa-sha2-nistp256,ssh-dss,ssh-rsa,x509v3-sign-rsa,x509v3-sign-dss,x509v3-sign-rsa-sha1,x509v3-ssh-rsa,x509v3-ssh-dss,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-rsa2048-sha256
  Version 8.9.00: ssh-dss,ssh-rsa,x509v3-sign-rsa,x509v3-sign-dss,x509v3-sign-rsa-sha1,x509v3-ssh-rsa,x509v3-ssh-dss,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2nistp384,x509v3-ecdsa-sha2nistp521,ecdsa-sha2-nis

Encryption algorithms (ciphers):
  Version 8.9.02: aes128-ctr,3des-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes192-ctr,aes256-ctr,3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
  Version 8.9.01: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc
  Version 8.9.00: aes128-ctr,aes128-cbc,3des-ctr,aes192-ctr,aes256-ctr,3des-cbc,aes192-cbc,aes256-cbc

Message authentication code algorithms:
  Version 8.9.02: hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha256,hmac-sha256@ssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha512,hmac-sha2-512,hmac-sha512@ssh.com,hmac-sha2-512-etm@openssh.com
  Version 8.9.01: hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha1-96,hmac-sha256,hmac-sha256@ssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256-96,hmac-sha512,hmac-sha2-512,hmac-sha512@ssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-512-96
  Version 8.9.00: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-sha256,hmac-sha256@ssh.com,hmac-sha2-256-96,hmac-sha512,hmac-sha2-512,hmac-sha512@ssh.com,hmac-sha2-512-96
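Both algorithm tables (the SSH proxy table, where BMC Network Automation is the server, and the agent-to-device table, where the agent is the client) only matter through the SSH negotiation rule of RFC 4253 section 7.1: for each algorithm class, the chosen algorithm is the first name in the client's list that also appears in the server's list. The script below is an added example, not BMC's code. It applies that rule to the 8.9.02 lists from the two tables and to three constructed peers: a current SSH client reaching the proxy, a legacy client whose only MAC is hmac-md5, and an old device whose only key exchange is diffie-hellman-group1-sha1. The position at which the agent offers diffie-hellman-group1-sha1 when FIPS mode is false is not stated on the page, so appending it last is an assumption, and RFC 4253's extra host-key compatibility condition for key exchange is left out.

```python
"""SSH algorithm negotiation (RFC 4253 section 7.1) worked through with the
8.9.02 lists from the SSH proxy and agent-to-device tables on this page.

Added example; not BMC's code. The peer lists in the scenarios are constructed.
"""

# SSH proxy table (8.9.02): BMC Network Automation is the SERVER.
PROXY_SERVER = {
    "kex": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1",
            "ecdh-sha2-nistp256", "ecdh-sha2-nistp384"],
    "hostkey": ["ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"],
    "cipher": ["aes128-ctr", "3des-ctr", "aes128-gcm@openssh.com",
               "aes256-gcm@openssh.com", "aes192-ctr", "aes256-ctr"],
    "mac": ["hmac-sha256", "hmac-sha1", "hmac-sha1-etm@openssh.com", "hmac-sha2-256",
            "hmac-sha256@ssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha512",
            "hmac-sha2-512", "hmac-sha512@ssh.com", "hmac-sha2-512-etm@openssh.com"],
}

# Agent-to-device table (8.9.02): the BMC Network Automation agent is the CLIENT.
# The host key list is abbreviated to the entries the scenarios below need.
AGENT_CLIENT = {
    "kex": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1",
            "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-dss", "ssh-rsa", "ecdsa-sha2-nistp256"],
    "cipher": ["aes128-ctr", "3des-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
               "aes192-ctr", "aes256-ctr", "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha1", "hmac-sha1-etm@openssh.com", "hmac-sha256",
            "hmac-sha256@ssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha512",
            "hmac-sha2-512", "hmac-sha512@ssh.com", "hmac-sha2-512-etm@openssh.com"],
}

# Offered by the agent only when FIPS mode is false (see the note in the table).
# Its position in the list is not on the page; appending it last is an assumption.
NON_FIPS_KEX = "diffie-hellman-group1-sha1"


def agent_lists(fips_mode):
    """Lists the agent offers, depending on the <enableFIPSModeForSsh> setting."""
    lists = {cls: list(names) for cls, names in AGENT_CLIENT.items()}
    if not fips_mode:
        lists["kex"].append(NON_FIPS_KEX)
    return lists


def negotiate(client, server):
    """Return (chosen, failed): one pick per class, plus the classes with no overlap.

    The pick is the first CLIENT entry also present on the SERVER side, so the
    client's order decides. A real handshake aborts on the first failed class.
    """
    chosen, failed = {}, []
    for cls, client_list in client.items():
        server_list = server.get(cls, [])
        pick = next((name for name in client_list if name in server_list), None)
        if pick is None:
            failed.append(cls)
        else:
            chosen[cls] = pick
    return chosen, failed


# Scenario 1: a current SSH client (constructed preference order) connects to the proxy.
MODERN_CLIENT = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
}

# Scenario 2: a legacy client whose only MAC is hmac-md5, which the proxy no longer offers.
LEGACY_CLIENT = {
    "kex": ["diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-rsa"],
    "cipher": ["aes128-cbc", "aes128-ctr"],
    "mac": ["hmac-md5"],
}

# Scenario 3: the agent connects to an old device whose only key exchange is group1-sha1.
OLD_DEVICE = {
    "kex": ["diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa"],
    "cipher": ["aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha1", "hmac-md5"],
}

if __name__ == "__main__":
    print("modern client -> proxy   :", negotiate(MODERN_CLIENT, PROXY_SERVER))
    print("legacy client -> proxy   :", negotiate(LEGACY_CLIENT, PROXY_SERVER))
    print("agent (FIPS) -> device   :", negotiate(agent_lists(True), OLD_DEVICE))
    print("agent (no FIPS) -> device:", negotiate(agent_lists(False), OLD_DEVICE))
```

Two things the output makes visible that the tables alone do not: the legacy client fails on the MAC class even though every other class negotiates, which is what "hmac-md5 is no longer supported" means in practice; and in scenario 3 the agent ends up with 3des-cbc rather than aes128-cbc because 3des-cbc comes earlier in the agent's own cipher list, which is why the note above says the usable ciphers have to be controlled on the device side.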


Handling CVE-2014-3566 (Poodlebleed)

To resolve the Poodlebleed issue, BMC Network Automation supports the newer protocol versions (TLS 1.0, 1.1, and 1.2) and blocks the SSL 3.0 protocol by default in all HTTPS connections.

Browser – BMC Network Automation server communication

BMC Network Automation uses the Apache Tomcat web server. In the catalina.properties file, bna.connector.sslEnabledProtocols is set to TLSv1,TLSv1.1,TLSv1.2 by default.

BMC does not recommend that you change the default protocols. However, if you choose to modify these at your own risk, perform the following steps:

  1. Stop the BMC Network Automation services.
  2. In the catalina.properties file located in the <BCAN_HOME>\tomcat\conf directory, modify the existing value for bna.connector.sslEnabledProtocols based on your requirement.
  3. Start the BMC Network Automation services.


BMC Network Automation agent and network device communication

BMC Network Automation allows HTTPS communication with certain devices. In the global.properties.imported file, httpsEncryptionProtocols is set to TLSv1,TLSv1.1,TLSv1.2 by default.

BMC does not recommend that you change the default protocols. However, if you choose to modify these at your own risk, perform the following steps:

  1. Stop the BMC Network Automation services.
  2. In the global.properties.imported file located in the <BCAN_DATA> directory, modify the existing value for httpsEncryptionProtocols based on your requirement.
  3. Start the BMC Network Automation services.
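If someone does modify the two protocol properties described above, the change is worth auditing before the services are restarted. The script below is an added example, not BMC's code: it reads bna.connector.sslEnabledProtocols from catalina.properties and httpsEncryptionProtocols from global.properties.imported (the property names and default values come from this page; the file contents in the block are constructed samples) and reports any value that re-enables SSL 3.0, drops TLSv1.2, or still carries TLSv1 or TLSv1.1, which RFC 8996 deprecates.

```python
"""Audit the HTTPS protocol properties named in the CVE-2014-3566 section.

Added example; not BMC's code. Property names are from the page; the
sample file contents are constructed.
"""
import re
import sys

# Property to check in each file (names from the page).
PROTOCOL_KEYS = {
    "catalina.properties": "bna.connector.sslEnabledProtocols",
    "global.properties.imported": "httpsEncryptionProtocols",
}
BLOCKED = {"SSLv2Hello", "SSLv3"}  # SSL 3.0 is the CVE-2014-3566 exposure
REQUIRED = "TLSv1.2"               # the strongest version the page lists
OLDER = {"TLSv1", "TLSv1.1"}       # part of the product default; deprecated by RFC 8996


def enabled_protocols(text, key):
    """Return the comma-separated protocol names set for `key`, or None if absent."""
    m = re.search(r"^\s*" + re.escape(key) + r"\s*=\s*(.*)$", text, re.M)
    if m is None:
        return None
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def audit(files):
    """files: {filename: content}. Return findings as (severity, file, message) tuples."""
    findings = []
    for name, key in PROTOCOL_KEYS.items():
        if name not in files:
            findings.append(("error", name, "file content not supplied"))
            continue
        protocols = enabled_protocols(files[name], key)
        if protocols is None:
            findings.append(("error", name, f"{key} is not set"))
            continue
        for p in protocols:
            if p in BLOCKED:
                findings.append(("error", name, f"{p} enabled in {key} (CVE-2014-3566)"))
        if REQUIRED not in protocols:
            findings.append(("error", name, f"{REQUIRED} missing from {key}"))
        for p in protocols:
            if p in OLDER:
                findings.append(("info", name, f"{p} still enabled in {key}"))
    return findings


# Constructed samples: the first keeps the product default, the second re-enables SSLv3.
SAMPLE_FILES = {
    "catalina.properties": "bna.connector.sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2\n",
    "global.properties.imported": "# constructed sample\nhttpsEncryptionProtocols=SSLv3,TLSv1.2\n",
}

if __name__ == "__main__":
    files = dict(SAMPLE_FILES)
    # usage: audit_protocols.py <catalina.properties> <global.properties.imported>
    if len(sys.argv) == 3:
        for name, path in zip(PROTOCOL_KEYS, sys.argv[1:]):
            with open(path, encoding="utf-8") as fh:
                files[name] = fh.read()
    for severity, name, message in audit(files):
        print(f"{severity:5} {name}: {message}")
```

Run against the real files by passing the two paths (BCAN_HOME/tomcat/conf for catalina.properties, BCAN_DATA for global.properties.imported); an "error" finding means the edit reintroduced what the default configuration blocks, while "info" findings only flag the older TLS versions that the default still permits.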

