Security considerations for TrueSight Capacity Optimization

The TrueSight Capacity Optimization architecture handles and provides security at various levels. For a detailed discussion of each level, refer to the following sections:

TrueSight Capacity Optimization can securely transfer data between the internal product components and from TrueSight Capacity Optimization components to external components. 

Traffic (bidirectional)

Encrypted when

Browser to Application Server

The HTTPS mode is configured.

Application Server to Database

The Transport Layer Security (TLS) is configured.

Presentation Server to Application Server for token validationThe TLS is configured.
Remedy Single Sign-On Server to Presentation Server for token validationThe TLS is configured.
Application Server to Gateway ServerThe TLS is configured.

ETL to data source

The data source supports secure transfers.

ETL to Data Hub (control)

The HTTPS mode is configured.

ETL to Data Hub (data)

The HTTPS mode is configured.

ETL to Gateway ServerThe HTTPS mode is configured.

SMTP send for email

The SMTP is configured using TLS.

The ETL Engine Server and the Data Hub on the Application Server, which communicate with each other over REST APIs, by default use basic authentication to identify themselves. This traffic can optionally be encrypted by configuring them to use HTTPS as mentioned in the preceding table.

For information about the secure protocols that TrueSight Capacity Optimization uses for data transfer, see Communication ports and protocols.

User authentication and authorization

TrueSight Presentation Server and Remedy Single Sign-On (SSO) are the key components in the user authentication and authorization flow for accessing TrueSight Capacity Optimization. For information on how these components communicate with each other and the required ports, see Communication ports and protocols.

ConceptsResource

TrueSight Presentation Server hosts the web-based TrueSight console and performs functions such as role-based access control and data management functions such as storage and persistence. 

TrueSight Presentation Server overview

TrueSight Presentation Server and TrueSight Capacity Optimization supports integration with Remedy Single Sign-On (SSO), which enables users to present credentials once for seamless access to all BMC products integrated into the system.

Remedy Single Sign-On at-a-glance

Integrating with TrueSight Operations Management 

Configuring user authentication 

Users assigned an administrator role can configure user authentication (provided through Remedy SSO) and role-based access control from the TrueSight Capacity Optimization console.

Adding and managing roles

User authorization is defined by access control policies that allow granular control over functions and data access for TrueSight Capacity Optimization users.

Managing access control

Important

You can access the TrueSight Capacity Optimization console only if the following conditions are met:

  • You have configured the same Remedy SSO server that is configured with the TrueSight Presentation Server
  • Both Remedy SSO server and the Presentation Server are up and running as Remedy SSO provides user authentication and Presentation Server provides the authorization details.

User credentials

The following types of credentials are stored in an encrypted form:

  • TrueSight Capacity Optimization user credentials
  • All credentials used by connectors (for example, to access data sources such as databases), which are saved in the TrueSight Capacity Optimization database configuration tables
  • SMTP email credentials

For credentials used by connectors, these are extracted by the ETL Engine server from the database in encrypted form. If the ETL Engine is configured as a "remote" ETL Engine, then these credentials are extracted by the Data Hub and transferred to the ETL Engine in encrypted form. Thus, in either case, these keys are never transferred in plaintext.

The encryption and decryption keys are pre-configured in all TrueSight Capacity Optimization ETL Engine servers. These keys are not visible to the administrator.

User credentials for ETL modules

The ETL Engine uses a new version of the Java runtime, JRE 1.8, and can connect securely to external data sources, such as VMware vCenter ETLs. This version of JRE requires high security connections and disables RSA keys less than 1024 bits. However, if you have data sources (for example, vCenter) that still have a RSA key and do not respect this security constraint, old RSA keys may have been created with a key of less than 1024 bits.

In this case, the TrueSight Capacity Optimization connector running in the ETL Engine will not be able to create a secure connection and will fail. The correct way to fix this error is to change the RSA key of the data source and restart the scheduler for the ETL task. You will need to refer to the documentation of the data source in your setup for details.

As a workaround (not recommended) the TrueSight Capacity Optimization administrator can follow the steps given below to lower the security policy of the ETL Engine’s JRE.

  1. Navigate to the file jre/lib/security/java.security.
  2. Replace jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 with jdk.certpath.disabledAlgorithms=MD2.
  3. Save the file.

Example for vCenter Extractor Service - An error code (BCO_ETL_FAIL113) is displayed when the ETL is unable to connect to the vCenter because the server certificate does not conform to the expected JVM security constraints. Change the vCenter RSA key to use a self-signed certificate and restart the scheduler for the ETL task. For more information, see  VMware documentation .

If the TrueSight Capacity administrator cannot change the SSL certificate of the vCenter, use the specified workaround.

Audit log

Administrators can use the audit logs to review the key activities, such as user logins and modifications to access groups and roles. For more information about the auditing feature, see Auditing.

Web access security

TrueSight Capacity Optimization is designed to be used in an enterprise network, not on the public Internet. The following methods are used to mitigate web access vulnerabilities: 

  • Cookies: Only session cookies are used. No persistent cookies are left on the browser computer.
  • Cross-Site Request Forgery (CSRF) prevention: Anti-CSRF tokens are attached to each user session to safeguard against CSRF attacks.

Where to go from here

Communication ports and protocols

Was this page helpful? Yes No Submitting... Thank you

Comments