Enabling enhanced security

Enhanced security is the new secure mode for reinforcing the security of communications between BCM agents. It permits the security of the restrictive SSL=3 mode (see SSL for communication between agents) for internal, agent to agent communication, but with simpler configuration. These internal communications include different components:

  • SSL handshake (if SSL is enabled)
  • Access Control handshake (known as the PAC parameter in BCM)
  • HTTP authentication

Other communications where user credentials are used are not affected (Java console, Web console, integrations and so forth). 

The enhanced security mode affects the two handshakes: SSL and PAC.

Before you begin

Enhanced security is only available when using the following BCM version:

  • BCM 12.7 patch 2

All agents must be upgraded to a version that supports enhanced security before you can enable it. See To enable enhanced security for more information.

Enhanced security SSL/HTTPS communication

Enhanced security separates internal and external communication, meaning that the more restrictive two way authentication can be used for internal agent to agent communications, while one way authentication can be used for external communication.

When it is active, it enforces mutual authentication for communication between agents, unless SSL is not used. As soon as SSL is active (SSL=1, 2 or 3), enhanced security ensures that agents only communicate once they have established a two-way SSL authentication handshake. The following table summarizes the behavior:

 Enhanced security

 SSL level

Internal communications

Other communications

No

SSL=0

No SSL handshake

No SSL handshake

No

SSL=1

One-way SSL handshake

One-way SSL handshake

No

SSL=2

One-way SSL handshake

One-way SSL handshake

No

SSL=3

Two-way SSL handshake

Two-way SSL handshake

Yes

SSL=0

No SSL handshake

No SSL handshake

Yes

SSL=1

Two-way SSL handshake

One-way SSL handshake

Yes

SSL=2

Two-way SSL handshake

One-way SSL handshake

Yes

SSL=3

Two-way SSL handshake

Two-way SSL handshake 

Currently the only mutually authenticated communication is when SSL=3 is configured. However, this parameter controls both internal and external communication making it is more complex to configure when using Java or Web consoles.

When enhanced security is enabled, and SSL is active, all internal communications are mutually authenticated. When SSL=3 is selected, all communications including to Java or Web consoles are mutually authenticated.

Enhanced security PAC handshake 

When enhanced security is enabled, the PAC option is removed and mutual authentication is used. This strong access control also makes use of stronger encryption algorithms.

To enable enhanced security 

When you upgrade to a version that supports enhanced security (BCM 12.7 patch 2), it is available, but disabled by default. You must not enable enhanced security until you have confirmed that all of the devices in your BCM environment support enhanced security, that is, they have been upgraded to a version supporting enhanced security. If all devices have been upgraded and support enhanced security, it can be undertaken without difficulty. If some of the devices do not support enhanced security, and it was enabled, then those devices would be lost to BCM. You activate enhanced security at the master.

Activating enhanced security is an irreversible operation

Activating enhanced security is an irreversible operation that can prevent communication with agents that have not been upgraded. If you have agents that are listed as not supporting enhanced security, you must be absolutely certain that you can lose them permanently before activating enhanced security.

The Reviewing BMC Client Management security on the home page provides statistics about the devices that are capable of using enhanced security and those that are not.

  • If some devices cannot support enhanced security, the information is given in the form, 1/2 BCM agents do not support enhanced security
  • If all devices support enhanced security, the information is given as, Activate Enhanced Security. This is a link which enables you to activate enhanced security.

The Reviewing BMC Client Management security on the home page provides statistics about the devices that are capable of operating in enhanced security and those that are not. The information is given in the form:
1/2 BCM agents do not support enhanced securityYou must check to see which devices do not support enhanced security. 

  1. Click the link to see a list of devices that do not support enhanced security. These devices would be lost if enhanced security is activated. 
    These devices might be old ones that are no longer managed, but you must check each one to ensure that they are no longer required. 



  2. You can activate enhanced security from this dialog, but if you do so, you will lose the listed devices permanently. Activating enhanced security is an irreversible operation. You are prompted to confirm the operation.



  3. Once enhanced security is activated, the Reviewing BMC Client Management security is updated accordingly.
     

Once activated on the Master, enhanced security is deployed automatically from parent to children through the RelayCheckClient action call. This action is called, by default, every hour. Hence, we can expect the first level devices to be configured within 1 hour, the second level devices to be configured within 2 hours and so forth. It is not possible to disable enhanced security once activated.

Was this page helpful? Yes No Submitting... Thank you

Comments