Notification of possible action required by PATROL Agent users
PATROL Agents monitor critical systems, systems that contain sensitive information, and non-critical systems. PATROL Agents send the monitored data to TrueSight Operations Management. Based on the specific monitoring requirement, multiple security levels are applied to secure the communication between the PATROL Agent and TrueSight Operations Management.
To complete the migration of TrueSight Operations Management to use the PATROL security level 3, and TLS 1.2 cryptographic protocol, you must complete the following instructions on the TrueSight Operations Management Integration Services and all the relevant PATROL Agents. Setting up the system in the mentioned sequence minimizes the monitoring downtime.
The instructions in this page apply only to those users whose IT infrastructure requires a TLS 1.2 configuration with user-issued certificates. You can use these instructions only if you are using PATROL Agent version 10.7 or later.
Note
PATROL Agent versions 10.7 and later are enhanced to support the dynamic encryption key mechanism. If you have an earlier version of the PATROL Agent, you must upgrade it to version 10.7 or later before applying the procedures mentioned in this topic.
August 28, 2019
Issue number: CVE-2019-8352
Issue
Warning
By default, the PATROL Agent uses a static encryption key for the user credentials that are encrypted and sent over the network to manage PATROL Agent services. Because the key is static, an attacker who captures the network traffic can decrypt the credentials and misuse them to execute code or escalate privileges on the network.
Configuring a new Integration Service and PATROL Agent to enable TLS 1.2 and change security level to 3
To minimize monitoring downtime across the PATROL Agents being moved to TLS 1.2, BMC strictly recommends that you set up a new Integration Service with PATROL security level 3. Any PATROL Agent that is subsequently migrated to TLS 1.2 and PATROL security level 3 can then connect immediately to the newly configured Integration Service (configured with TLS 1.2 and security level 3), reducing its downtime to the time it takes to restart the PATROL Agent.
To configure a new Integration Service to enable TLS 1.2 and change PATROL security level to 3
- Create a custom signed certificate for the Integration Service. This is required by PATROL security level 3. For details, see Implementing private certificates in the Integration Service.
- Prepare the new Integration Service to communicate with the Infrastructure Management server by importing the custom signed certificate into the Integration Service keystore. For details, see Implementing private certificates in the Integration Service.
- Prepare the new Integration Service to communicate with PATROL Agents. For details, see Implementing private certificates in the Integration Service.
- Create an NSS DB certificate store in the Integration Service and import the custom signed certificate into this store. For details, see To create a server NSS DB certificate store and import the CA-signed certificates.
- Import the Integration Service certificate into the Infrastructure Management server truststore. For details, see Applying Integration Service certificate to the TrueSight Infrastructure Management.
- Apply the Integration Service certificate to the TrueSight Operations Management components. For details, see To create a server NSS DB certificate store and import the CA-signed certificates.
- Change the Integration Service security level to 3. For details, see To change the Integration Service's security level.
- Configure the Integration Service to enable TLS 1.2. For details, see To configure the Integration Service to enable TLS 1.2.
To verify the Integration Service is configured successfully in TLS 1.2 mode
- Log into the TrueSight console, go to the Configuration > Managed Devices page.
- Verify the Integration Service status is showing as connected to the Infrastructure Management server.
To configure PATROL Agents to enable TLS 1.2 and change security level to 3
Note
If you have multiple PATROL Agents running on the same server, perform the following steps once. The changes are automatically applied on all the PATROL Agents running on the same server.
- Create a Mozilla NSS DB client certificate store for the PATROL Agent, and import the Integration Service certificate into this client certificate store. For details, see Applying Integration Service certificate to the PATROL Agent.
- Change the PATROL Agent PCONFIG key to connect to the newly configured Integration Service:
  PCONFIG key: "/AgentSetup/integration/integrationServices" = {REPLACE = "tcp:<ISN-HOST>:<ISN-PORT>"}
- Restart the PATROL Agent.
Notes
- Verify that the PATROL Agent is not connected to the newly configured Integration Service. It cannot connect yet, because its security level and TLS settings still differ from those of the new Integration Service.
- The connection errors are printed in the PATROL_HOME/log/PatrolAgent-PAHOST-PAPORT.errs file.
- Change the PATROL Agent security level to 3. For details, see To change the PATROL Agent's security level.
- Configure the PATROL Agent to enable TLS 1.2. For details, see To configure the PATROL Agent to enable TLS 1.2.
- Restart the PATROL Agent.
- Check the PATROL_HOME/log/PatrolAgent-PAHOST-PAPORT.errs file to confirm that there are no errors.
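The retargeting step above is the one where a typo or an unreplaced placeholder leaves an agent pointed at nothing after its restart. The following helper, added here as an example and not part of BMC's tooling, validates a host and port, renders the PCONFIG line in exactly the format shown on this page, and parses an existing line back so the current target can be confirmed; the host name and port used in the comments and tests are constructed sample values.

```python
import re
from typing import Optional, Tuple

# PCONFIG key and "tcp:<host>:<port>" value format as given on this page.
KEY = "/AgentSetup/integration/integrationServices"

# Host names only (no IPv6 literals); port is 1-5 digits, range-checked below.
_VALUE_RE = re.compile(r'^tcp:(?P<host>[^:\s<>"/]+):(?P<port>\d{1,5})$')
_LINE_RE = re.compile(
    r'^"' + re.escape(KEY) + r'"\s*=\s*\{REPLACE\s*=\s*"(?P<val>[^"]*)"\}\s*$'
)


def validate_target(host: str, port: int) -> Optional[str]:
    """Return an error message for a bad Integration Service target, or None if it is usable.

    Catches the common mistakes: an unreplaced <ISN-HOST>/<ISN-PORT> placeholder,
    an empty host, characters that would break the tcp:host:port value, and a
    port outside 1-65535.
    """
    if not host:
        return "empty host"
    if any(c in host for c in '<>":/ \t'):
        return f"host contains an invalid character or placeholder: {host!r}"
    if not (1 <= int(port) <= 65535):
        return f"port out of range: {port!r}"
    return None


def render_integration_services_key(host: str, port: int) -> str:
    """Render the REPLACE line that points the agent at a new Integration Service."""
    err = validate_target(host, port)
    if err:
        raise ValueError(err)
    return f'"{KEY}" = {{REPLACE = "tcp:{host}:{int(port)}"}}'


def parse_integration_services_line(line: str) -> Tuple[str, int]:
    """Extract (host, port) from a rendered line, e.g. to check the current target."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an integrationServices REPLACE line")
    v = _VALUE_RE.match(m.group("val"))
    if not v:
        raise ValueError(f"unexpected value format: {m.group('val')!r}")
    return v.group("host"), int(v.group("port"))


def needs_migration(existing_line: str, new_host: str, new_port: int) -> bool:
    """True if the agent is not already pointed at the new Integration Service."""
    return parse_integration_services_line(existing_line) != (new_host, int(new_port))
```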
To verify the PATROL Agent is connected to the Integration Service
- Log into the TrueSight console, go to the Configuration > Managed Devices page.
- Verify that the PATROL Agent status is showing as connected under the newly configured Integration Service.
Note
Repeat the steps in To configure PATROL Agents to enable TLS 1.2 and change security level to 3 on each additional PATROL Agent that should connect to the newly configured Integration Service.
Post-configuration step
After migrating all the PATROL Agents to the new Integration Service, you can do one of the following:
- Retire the old Integration Service.
- Perform the steps in To configure a new Integration Service to enable TLS 1.2 and change PATROL security level to 3 on the old Integration Service to enable TLS 1.2 and set its security level to 3.
To know more about PATROL Agent security considerations, see Security guidelines for the PATROL Agent.
If you have any questions about the issue, contact Customer Support.