Technical bulletin: Impact on SSH-based and HTTPS-based adapters due to an upgrade to the security policies in TrueSight Orchestration Platform 20.02

Introduction

Current security requirements discontinue support for weaker SHA-1-based OpenSSL certificates and for SSH authentication that uses weak algorithms and ciphers. Only SSL certificates and SSH authentication that use stronger algorithms (SHA256 and above) are supported. For more information, see https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3172.pdf

What has changed?

TrueSight Orchestration Platform version 20.02 is enhanced to enforce the latest security requirements. The RSA CryptoJ libraries bundled with the platform are upgraded to enforce stricter FIPS 140-2 compliance. The new security policy accepts only certificates that are generated with at least the SHA256 hashing algorithm. Both server-side and client-side certificates (the adapter acts as the client) must follow the new security requirements.

What is the impact on TrueSight Orchestration Content – Adapters?

Because platform 20.02 now enforces stricter FIPS 140-2 compliance, adapters based on the HTTPS and SSH protocols are affected.

Impact on HTTPS-based adapters

  • The certificates (required for the SSL handshake) must be generated with the SHA256 RSA signature algorithm and a key size of at least 2048 bits.
  • Certificates with SHA-1 RSA-based signature algorithms are no longer supported, and the adapter fails to execute the request with the following exception:

    java.lang.SecurityException: An internal FIPS 140-2 required pairwise consistency check failed for URL

The following adapters now require SSL certificates generated with stronger algorithms like SHA256 and above:

  • AirWatch adapter
  • Amazon EC2 adapter
  • Amazon S3 adapter
  • BMC Atrium CMDB adapter
  • BMC Database Automation adapter
  • BMC Network Automation adapter
  • BMC Remedyforce adapter
  • BMC Server Automation adapter (when configured with CLI tunnel Web Service interface)
  • CA Service Desk actor adapter
  • CA Service Desk Monitor adapter (when configured with SSL)
  • CyberArk adapter
  • Dell AIM Actor adapter
  • HP Operations Manager adapter
  • HP Service Manager adapter
  • HP Service Center adapter
  • CA Service Desk adapter
  • Jira adapter
  • Microsoft Operations Manager 2005 adapter
  • ServiceNow adapter
  • VMware Infrastructure adapter
  • VMware Lifecycle Manager adapter
  • VMware vCloud adapter
  • HTTP adapter
  • REST adapter
  • Web Services adapter
  • POP adapter (when configured with SSL)
  • IMAP adapter (when configured with SSL)
  • SMTP adapter (when configured with SSL)

Mitigation for the HTTPS-based adapters

The SSL certificates used for the digital signature must be generated with at least the SHA256 RSA algorithm so that the SSL handshake succeeds and communication between the client (that is, the adapter) and a target application running on HTTPS is secure.

To generate self-signed SSL certificates using OpenSSL, see:

  • https://www.blackmoreops.com/2015/05/12/ssl-sign-with-sha256-hash-using-openssl/
  • https://ma.ttias.be/how-to-create-a-self-signed-ssl-certificate-with-openssl/
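The following script is an added example and is not part of the BMC bulletin or the linked guides. It generates a self-signed certificate that meets the 20.02 policy (SHA-256 RSA signature, 2048-bit key) and checks any PEM certificate against that policy before it is installed on a target application, so that the "pairwise consistency check failed" exception above can be caught ahead of time. It assumes openssl is on the PATH; the subject CN and file names are placeholders.

```shell
# Added example (not BMC code): generate and check certificates against the
# TrueSight Orchestration 20.02 HTTPS policy. Assumes openssl on PATH.

# Pure policy check: $1 is the signature algorithm name as printed by
# "openssl x509 -text", $2 is the RSA key size in bits.
# Returns 0 when the pair is acceptable (SHA-2 RSA signature, key >= 2048 bits).
policy_allows() {
  alg=$1
  bits=$2
  case "$alg" in
    sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) ;;
    *) return 1 ;;   # SHA-1, MD5 and non-RSA signatures are rejected
  esac
  [ "${bits:-0}" -ge 2048 ]
}

# Print "<signature algorithm> <key bits>" for the PEM certificate file $1.
cert_facts() {
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  alg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  printf '%s %s\n' "$alg" "$bits"
}

# Returns 0 when the certificate file $1 satisfies the policy.
cert_is_acceptable() {
  facts=$(cert_facts "$1") || return 1
  policy_allows $facts
}

# Generate a self-signed SHA-256 / RSA-2048 certificate into $1/cert.pem
# with its private key in $1/key.pem (placeholder subject, one-year validity).
gen_sha256_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
    -subj "/CN=target.example.internal" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Demo: generate a certificate in a temporary directory and verify it.
demo() {
  d=$(mktemp -d)
  if gen_sha256_cert "$d" && cert_is_acceptable "$d/cert.pem"; then
    echo "certificate accepted: $(cert_facts "$d/cert.pem")"
  else
    echo "certificate rejected by policy" >&2
  fi
  rm -rf "$d"
}

# Run with: sh cert_check.sh demo
[ "${1:-}" = "demo" ] && demo
```

To check the certificate a target application actually presents, save its chain with `openssl s_client -connect host:443 -showcerts` and run `cert_is_acceptable` on each PEM block; every certificate in the chain, not only the leaf, must pass.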

Impact on the SSH-based adapters

SSH keys must be generated with at least the SHA256 RSA signature algorithm, and the SSH server must be configured to accept and negotiate SHA256 RSA keys with strong ciphers. The underlying OpenSSH provided by the operating system must be version 6.8 or later; only these versions support the required SHA256 algorithms by default. For details, see http://www.openssh.com/txt/release-6.8.

SSH authentication keys with SHA-1 RSA-based signature algorithms are no longer supported, and the adapter fails to execute the request with one of the following exceptions:

    java.io.IOException

    Algorithm not allowable in FIPS140 mode: SHA1/RSA

Mitigation for the SSH-based adapters

SSH keys generated with the SHA256 RSA signature algorithm are supported, and the SSH server must be configured to support at least the SHA256 algorithms by default.

For example, OpenSSH 5.3 does not support SHA256. In that case, the only option is to upgrade OpenSSH to the latest version, which supports the SHA256 algorithm. See http://www.openssh.com/txt/release-6.8.

To generate SSH keys using OpenSSH, see https://www.simplified.guide/ssh/create-key.

BMC recommends that you generate the key using OpenSSH 6.8 or later, with a SHA256 RSA fingerprint and a key length of at least 2048 bits.
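The following script is an added example and is not part of the BMC bulletin or the linked guide. It creates an RSA key pair of the recommended length and then verifies, from the output of `ssh-keygen -l -E sha256`, that a given key is a 2048-bit (or longer) RSA key reported with a SHA256 fingerprint, which is the check an administrator would run on an adapter's key before the hot fix is rolled out. It assumes ssh-keygen from OpenSSH 6.8 or later is on the PATH; the key paths and comment are placeholders.

```shell
# Added example (not BMC code): generate and check SSH keys for the
# TrueSight Orchestration 20.02 SSH policy. Assumes OpenSSH 6.8+ on PATH.

# Pure check on one line of "ssh-keygen -l -E sha256 -f <pubkey>" output,
# which has the form:
#   2048 SHA256:<base64 digest> <comment> (RSA)
# Returns 0 for an RSA key of at least 2048 bits reported with a SHA256 fingerprint.
ssh_key_line_ok() {
  line=$1
  bits=${line%% *}        # first field: key length
  rest=${line#* }
  fp=${rest%% *}          # second field: fingerprint with hash prefix
  type=${line##* }        # last field: key type in parentheses
  [ "$type" = "(RSA)" ] || return 1
  case "$fp" in
    SHA256:*) ;;
    *) return 1 ;;        # MD5 fingerprints come from pre-6.8 ssh-keygen
  esac
  [ "$bits" -ge 2048 ] 2>/dev/null
}

# Generate a 2048-bit RSA key pair at $1 (and $1.pub) with no passphrase,
# as an adapter service account would use it.
gen_rsa_key() {
  ssh-keygen -q -t rsa -b 2048 -N "" -C "tso-adapter" -f "$1"
}

# Print the SHA-256 fingerprint line for the public key $1.pub.
ssh_key_fingerprint() {
  ssh-keygen -l -E sha256 -f "$1.pub"
}

# Returns 0 when the key pair at $1 satisfies the policy.
ssh_key_is_acceptable() {
  line=$(ssh_key_fingerprint "$1") || return 1
  ssh_key_line_ok "$line"
}

# Demo: generate a key in a temporary directory and verify it.
demo() {
  d=$(mktemp -d)
  if gen_rsa_key "$d/id_rsa" && ssh_key_is_acceptable "$d/id_rsa"; then
    echo "key accepted: $(ssh_key_fingerprint "$d/id_rsa")"
  else
    echo "key rejected by policy" >&2
  fi
  rm -rf "$d"
}

# Run with: sh ssh_key_check.sh demo
[ "${1:-}" = "demo" ] && demo
```

A key that passes this check still needs a server that negotiates SHA256 RSA signatures; the OpenSSH version on the target host is the deciding factor, as the bulletin states above.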

The following adapters now require stronger algorithms (SHA256 and above) and strong ciphers for SSH authentication:

  • SSH Adapter
  • SFTP Adapter
  • SCP adapter

To support the stronger algorithms in these adapters, the third-party SSH client library also needs to be upgraded; a hot fix with the upgraded SSH client libraries is available.

Contact BMC Customer Support to obtain a fix for the SSH and SSH-based adapters.

Related topic

Release notes and notices
